Computer Acting up Mainly search engines, DDS Log


This topic is locked
21 replies to this topic

#1 erksage


  • Members
  • 100 posts

Posted 19 September 2010 - 12:37 AM

So my main problems with the computer are:

-Web Pages running slower than usual, and I mean very slow.
-Programs like iTunes or Microsoft Office running below par speed
-Overall poor performance.

I ran MBAM, SUPERAntiSpyware, GooredFix, TDSSKiller, and TFC. If you need to see the results of these scans, please refer to this topic: http://www.bleepingcomputer.com/forums/topic341773.html

That topic will give insight on what was found, and what some prior problems were.

Now, for the DDS Logs.

Thanks in advance!!


Attached Files




#2 etavares


    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 26 September 2010 - 01:37 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report:
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    user32.dll
    ws2_32.dll
    /md5stop
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
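Added example, not OTL's or the forum's own code: a small Python parser for the `O1 - Hosts:` lines of an OTL log that groups search-engine and ad hostnames redirected to a non-local address, which is the hosts-file pattern behind "search engines acting up". The sample lines are constructed to mirror the O1 format of the OTL log posted in this thread; 89.248.168.188 is the address that log shows, and the domain patterns are an assumption you can extend.

```python
"""Flag search-engine redirection in the O1 - Hosts section of an OTL log.

Added example for this thread, not OTL's or BleepingComputer's own code.
The sample lines below are constructed to mirror the O1 format of the OTL
log posted in this thread; 89.248.168.188 is the address that log shows.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in OTL's O1 format (header line, entries, truncation marker).
SAMPLE_OTL = """O1 HOSTS File: ([2009/07/26 15:12:27 | 000,001,008 | RHS- | M]) - C:\\WINDOWS\\system32\\drivers\\etc\\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 89.248.168.188 www.google.com
O1 - Hosts: 89.248.168.188 google.com
O1 - Hosts: 89.248.168.188 www.bing.com
O1 - Hosts: 89.248.168.188 search.yahoo.com
O1 - Hosts: 89.248.168.188 googleads.g.doubleclick.net
O1 - Hosts: 0.0.0.0 ads.example.invalid
O1 - Hosts: 4 more lines...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")
MORE_RE = re.compile(r"^O1 - Hosts:\s+(\d+) more lines\.\.\.")

# Search and ad hostnames a hosts-file hijack typically targets (assumed list,
# chosen to cover the domains in this thread's log; extend as needed).
SEARCH_PATTERNS = [re.compile(p) for p in (
    r"(^|\.)google\.[a-z.]+$",
    r"(^|\.)bing\.com$",
    r"(^|\.)yahoo\.com$",
    r"(^|\.)live\.com$",
    r"(^|\.)msn\.com$",
    r"(^|\.)doubleclick\.net$",
)]


def is_blocking_target(ip):
    """Loopback/unspecified targets merely block a host (ad-blocker style);
    anything else sends the traffic to a real machine, i.e. a redirect."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def is_search_domain(host):
    return any(p.search(host) for p in SEARCH_PATTERNS)


def parse_hosts_entries(text):
    """Return ([(ip, hostname), ...], truncated_count) from an OTL log fragment.
    OTL prints 'N more lines...' when the hosts file is long; the count is kept
    so the reviewer knows the listing is incomplete."""
    entries, truncated = [], 0
    for line in text.splitlines():
        m = MORE_RE.match(line)
        if m:
            truncated += int(m.group(1))
            continue
        m = HOSTS_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).lower()))
    return entries, truncated


def find_redirects(entries):
    """Group hijacked search/ad hostnames by the address they are pointed at."""
    redirects = defaultdict(list)
    for ip, host in entries:
        if is_search_domain(host) and not is_blocking_target(ip):
            redirects[ip].append(host)
    return dict(redirects)


def analyze(text):
    entries, truncated = parse_hosts_entries(text)
    return {
        "entries": len(entries),
        "truncated": truncated,
        "redirects": find_redirects(entries),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_OTL)
    for ip, hosts in report["redirects"].items():
        print(f"{len(hosts)} search/ad hostnames redirected to {ip}: {', '.join(hosts)}")
    if report["truncated"]:
        print(f"note: OTL omitted {report['truncated']} further hosts lines")
```

Every search/ad hostname pointed at one non-local address is the signature to look for; loopback or 0.0.0.0 entries are ordinary blocking and are deliberately not reported.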
 


#3 erksage

  • Topic Starter

  • Members
  • 100 posts

Posted 28 September 2010 - 04:32 PM

OTL report

OTL logfile created on: 9/26/2010 6:38:40 PM - Run 1
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\Shane\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 1920 3840 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 11.68 Gb Free Space | 15.68% Space Free | Partition Type: NTFS
Drive D: | 28.63 Gb Total Space | 21.48 Gb Free Space | 75.02% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-570961A31
Current User Name: Shane
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/09/26 18:37:14 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Shane\My Documents\Downloads\OTL.exe
PRC - [2010/09/14 17:59:44 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2009/03/23 21:00:00 | 001,983,816 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2009/02/10 11:01:50 | 000,116,104 | ---- | M] () -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe
PRC - [2008/05/26 06:56:04 | 000,991,232 | R--- | M] (Linksys) -- C:\Program Files\Linksys\WMP110\WMP110.exe
PRC - [2008/05/20 10:03:00 | 000,034,816 | ---- | M] () -- C:\Program Files\Linksys\WMP110\gtwpssrv.exe
PRC - [2008/05/20 10:02:56 | 000,233,472 | ---- | M] (TODO: <Company name>) -- C:\Program Files\Linksys\WMP110\WLSngS.exe
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe


========== Modules (SafeList) ==========

MOD - [2010/09/26 18:37:14 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Shane\My Documents\Downloads\OTL.exe
MOD - [2008/04/14 07:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/02/10 11:01:50 | 000,116,104 | ---- | M] () [Auto | Running] -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe -- (IJPLMSVC)
SRV - [2008/05/20 10:03:04 | 000,352,338 | ---- | M] (Atheros Communications, Inc.) [On_Demand | Stopped] -- C:\Program Files\Linksys\WMP110\jswpsapi.exe -- (jswpsapi)
SRV - [2008/05/20 10:03:00 | 000,034,816 | ---- | M] () [Auto | Running] -- C:\Program Files\Linksys\WMP110\gtwpssrv.exe -- (GTWPSService)
SRV - [2008/05/20 10:02:56 | 000,233,472 | ---- | M] (TODO: <Company name>) [Auto | Running] -- C:\Program Files\Linksys\WMP110\WLSngS.exe -- (WLSng Service)
SRV - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\iscflash.sys -- (iscFlash)
DRV - [2009/05/09 01:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2008/05/20 10:03:04 | 000,057,344 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\jswscimd.sys -- (JSWSCIMD)
DRV - [2008/04/13 17:04:32 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/03/29 01:38:16 | 000,625,024 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WMP110v2.sys -- (WMP110v2)
DRV - [2005/02/23 14:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2001/08/17 08:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 08:28:00 | 000,871,388 | ---- | M] (BCM) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMDM.sys -- (BCMModem)
DRV - [2001/08/17 07:20:04 | 000,096,256 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ac97intc.sys -- (ac97intc) Intel® 82801 Audio Driver Install Service (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-776561741-789336058-1644491937-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-776561741-789336058-1644491937-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Wikipedia (en)"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/09/23 06:18:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/09/18 00:07:22 | 000,000,000 | ---D | M]

[2009/04/28 21:57:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Shane\Application Data\Mozilla\Extensions
[2010/02/11 08:19:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Shane\Application Data\Mozilla\Firefox\Profiles\4hvjlkg9.default\extensions
[2010/09/26 12:00:07 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/06/19 04:16:24 | 000,118,784 | ---- | M] (CANON INC.) -- C:\Program Files\Mozilla Firefox\plugins\MyCamera.dll
[2008/06/19 04:16:24 | 000,053,248 | ---- | M] (CANON INC.) -- C:\Program Files\Mozilla Firefox\plugins\NPCIG.dll
[2007/04/16 12:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2009/07/26 15:12:27 | 000,001,008 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 89.248.168.188 www.google.co.za
O1 - Hosts: 89.248.168.188 www.google.co.zm
O1 - Hosts: 89.248.168.188 www.google.com
O1 - Hosts: 89.248.168.188 www.google.com.af
O1 - Hosts: 89.248.168.188 www.google.com.ag
O1 - Hosts: 89.248.168.188 www.google.com.ar
O1 - Hosts: 89.248.168.188 www.google.com.au
O1 - Hosts: 89.248.168.188 www.google.com.bn
O1 - Hosts: 89.248.168.188 www.google.com.br
O1 - Hosts: 89.248.168.188 www.google.com.by
O1 - Hosts: 89.248.168.188 www.google.com.bz
O1 - Hosts: 89.248.168.188 www.google.com.cu
O1 - Hosts: 89.248.168.188 www.google.com.ec
O1 - Hosts: 89.248.168.188 www.google.com.fj
O1 - Hosts: 89.248.168.188 google.com
O1 - Hosts: 89.248.168.188 www.google.com
O1 - Hosts: 89.248.168.188 bing.com
O1 - Hosts: 89.248.168.188 www.bing.com
O1 - Hosts: 89.248.168.188 search.yahoo.com
O1 - Hosts: 89.248.168.188 www.search.yahoo.com
O1 - Hosts: 89.248.168.188 search.live.com
O1 - Hosts: 89.248.168.188 search.msn.com
O1 - Hosts: 89.248.168.188 googleads.g.doubleclick.net
O1 - Hosts: 89.248.168.188 www.googleads.g.doubleclick.net
O1 - Hosts: 89.248.168.188 pubads.g.doubleclick.net
O1 - Hosts: 4 more lines...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Canon Easy-WebPrint EX BHO) - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
O2 - BHO: (Club Bing Toolbar Helper) - {B771FEA3-2A05-4c21-B1E2-55551A97D520} - C:\Program Files\Club Bing Toolbar Helper\Bmbho.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Club Bing Toolbar) - {719D74AB-1AF9-43A1-8C62-D8750628D93E} - C:\Program Files\Club Bing Toolbar\Toolbar.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKLM\..\Toolbar: (Club Bing Toolbar Helper) - {B771FEA3-2A05-4c21-B1E2-55551A97D520} - C:\Program Files\Club Bing Toolbar Helper\Bmbho.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-776561741-789336058-1644491937-1008\..\Toolbar\WebBrowser: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKU\S-1-5-21-776561741-789336058-1644491937-1008\..\Toolbar\WebBrowser: (Club Bing Toolbar Helper) - {B771FEA3-2A05-4C21-B1E2-55551A97D520} - C:\Program Files\Club Bing Toolbar Helper\Bmbho.dll (Microsoft Corporation)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [WMP110] C:\Program Files\Linksys\WMP110\WMP110.exe (Linksys)
O4 - HKU\S-1-5-21-776561741-789336058-1644491937-1008..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-776561741-789336058-1644491937-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1240502102014 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.217.0.5 24.217.201.67 68.113.206.10
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Shane\My Documents\My Pictures\reach.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Shane\My Documents\My Pictures\reach.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/23 10:31:11 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: clicprep - (C:\WINDOWS\system32\fsutMRT.dll) - C:\WINDOWS\System32\fsutMRT.dll File not found
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: LanmanWorkstation - File not found
NetSvcs: Messenger - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found


Drivers32: aux - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\WINDOWS\System32\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.imaadpcm - C:\WINDOWS\System32\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.msadpcm - C:\WINDOWS\System32\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msaudio1 - C:\WINDOWS\System32\msaud32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\WINDOWS\System32\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msg723 - C:\WINDOWS\System32\msg723.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\WINDOWS\System32\msgsm32.acm (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.I420 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.iyuv - C:\WINDOWS\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.M261 - C:\WINDOWS\System32\msh261.drv (Microsoft Corporation)
Drivers32: vidc.M263 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.mrle - C:\WINDOWS\System32\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\WINDOWS\System32\msvidc32.dll (Microsoft Corporation)
Drivers32: vidc.uyvy - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yuy2 - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvu9 - C:\WINDOWS\System32\tsbyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvyu - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wave1 - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)
Drivers32: wavemapper - C:\WINDOWS\System32\msacm32.drv (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 90 Days ==========

[2010/09/17 23:15:33 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Shane\Desktop\TFC.exe
[2010/08/04 12:25:21 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/08/04 12:25:11 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/08/04 12:25:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/08/04 12:21:24 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/08/04 12:17:56 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour

========== Files - Modified Within 90 Days ==========

[2010/09/26 18:36:07 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/26 18:36:01 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/09/26 18:35:59 | 1341,509,632 | -HS- | M] () -- C:\hiberfil.sys
[2010/09/26 18:19:48 | 003,670,016 | ---- | M] () -- C:\Documents and Settings\Shane\NTUSER.DAT
[2010/09/26 18:19:48 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Shane\ntuser.ini
[2010/09/26 18:19:42 | 004,798,052 | -H-- | M] () -- C:\Documents and Settings\Shane\Local Settings\Application Data\IconCache.db
[2010/09/25 15:41:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/09/23 21:57:08 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/09/21 23:14:13 | 000,012,660 | ---- | M] () -- C:\Documents and Settings\Shane\My Documents\gghghghghg.docx
[2010/09/21 07:08:08 | 000,010,459 | ---- | M] () -- C:\Documents and Settings\Shane\My Documents\John Locke.docx
[2010/09/20 16:10:33 | 000,012,626 | ---- | M] () -- C:\Documents and Settings\Shane\My Documents\reyer.docx
[2010/09/18 00:07:26 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\Shane\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/09/18 00:07:26 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/09/17 23:15:36 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Shane\Desktop\TFC.exe
[2010/09/08 19:26:19 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/12 06:47:51 | 000,234,368 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/08/11 23:36:03 | 000,501,230 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/11 23:36:03 | 000,441,124 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/11 23:36:03 | 000,071,060 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

========== Files Created - No Company Name ==========

[2010/09/21 23:14:13 | 000,012,660 | ---- | C] () -- C:\Documents and Settings\Shane\My Documents\gghghghghg.docx
[2010/09/21 07:08:07 | 000,010,459 | ---- | C] () -- C:\Documents and Settings\Shane\My Documents\John Locke.docx
[2010/09/20 16:10:32 | 000,012,626 | ---- | C] () -- C:\Documents and Settings\Shane\My Documents\reyer.docx
[2010/09/18 00:07:26 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/08/04 12:26:40 | 000,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/03/25 20:39:56 | 000,000,157 | ---- | C] () -- C:\WINDOWS\Sierra.ini
[2009/09/11 21:55:31 | 000,000,395 | ---- | C] () -- C:\WINDOWS\hegames.ini
[2009/06/22 00:23:53 | 000,005,120 | ---- | C] () -- C:\Documents and Settings\Shane\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/28 18:39:22 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2009/04/28 18:37:05 | 000,000,058 | ---- | C] () -- C:\WINDOWS\System32\EAL32.INI
[2009/04/28 18:36:57 | 000,000,044 | ---- | C] () -- C:\WINDOWS\EP_SPR380.ini
[2009/04/27 18:32:33 | 000,000,208 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2009/04/27 18:32:21 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\unzdll.dll
[2009/04/27 18:29:37 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

========== LOP Check ==========

[2009/07/26 15:36:08 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\19b3b19
[2009/04/29 16:07:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
[2009/06/11 23:12:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2010/03/31 20:33:45 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2010/04/30 16:04:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJ
[2010/05/01 07:30:17 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJEPPEX
[2010/04/13 17:40:47 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJMyPrinter
[2010/09/11 14:21:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJPLM
[2010/04/13 17:40:54 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJSolutionMenu
[2010/04/13 17:43:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2010/03/25 20:39:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sierra
[2010/09/06 10:44:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/04/29 16:07:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/08/04 12:26:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/01/03 19:22:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/04/29 20:24:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/06/15 12:58:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Danielle\Application Data\acccore
[2009/06/12 00:13:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Danielle\Application Data\Azureus
[2010/04/05 20:21:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Danielle\Application Data\Canon Easy-WebPrint EX
[2009/08/23 10:30:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Danielle\Application Data\iPod Copy Expert
[2010/04/07 19:15:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric\Application Data\Canon Easy-WebPrint EX
[2009/04/27 18:19:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric\Application Data\MSNInstaller
[2010/04/02 14:34:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric\Application Data\Sierra
[2010/04/30 16:04:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Roselyn\Application Data\Canon
[2010/04/26 18:19:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Roselyn\Application Data\Canon Easy-WebPrint EX
[2010/04/10 11:39:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Roselyn\Application Data\Facebook
[2009/04/28 18:42:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Roselyn\Application Data\Leadertech
[2010/03/25 20:40:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Roselyn\Application Data\Sierra
[2010/05/15 14:55:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Roselyn\Application Data\Uniblue
[2009/04/29 16:09:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Shane\Application Data\acccore
[2009/07/07 13:52:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Shane\Application Data\Azureus
[2010/06/09 21:05:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Shane\Application Data\Canon Easy-WebPrint EX
[2009/07/25 20:51:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Shane\Application Data\GetRightToGo
[2009/05/18 16:51:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Shane\Application Data\Viewpoint

========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\system32\*.sys /90 >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/04/23 04:59:00 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/04/23 04:59:00 | 001,064,960 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/04/23 04:59:00 | 000,884,736 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %SYSTEMDRIVE%\*.* >
[2009/04/23 10:31:11 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2009/04/23 10:11:38 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2009/04/23 10:31:11 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/09/26 18:35:59 | 1341,509,632 | -HS- | M] () -- C:\hiberfil.sys
[2009/04/23 10:31:11 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2009/04/29 16:07:52 | 000,000,919 | -H-- | M] () -- C:\IPH.PH
[2010/05/23 11:06:06 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2009/04/23 10:31:11 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/04/14 07:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/04/14 07:00:00 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/09/26 18:35:58 | 2013,265,920 | -HS- | M] () -- C:\pagefile.sys
[2010/09/17 23:51:37 | 000,033,432 | ---- | M] () -- C:\TDSSKiller.2.4.2.1_17.09.2010_23.50.48_log.txt
[2010/09/18 00:57:35 | 000,032,334 | ---- | M] () -- C:\TDSSKiller.2.4.2.1_18.09.2010_00.57.04_log.txt

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2009/03/24 05:00:00 | 000,027,648 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPDA0.DLL
[2009/03/24 05:00:00 | 000,070,656 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPPA0.DLL
[2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2006/10/26 19:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\msonpppr.dll

< %systemroot%\*. /mp /s >


< MD5 for: AGP440.SYS >
[2008/04/14 07:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/04/13 19:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2008/04/14 07:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 07:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 07:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 07:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 07:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 07:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: USER32.DLL >
[2008/04/14 07:00:00 | 000,578,560 | ---- | M] (Microsoft Corporation) MD5=B26B135FF1B9F60C9388B4A7D16F600B -- C:\WINDOWS\system32\dllcache\user32.dll
[2008/04/14 07:00:00 | 000,578,560 | ---- | M] (Microsoft Corporation) MD5=B26B135FF1B9F60C9388B4A7D16F600B -- C:\WINDOWS\system32\user32.dll

< MD5 for: WS2_32.DLL >
[2008/04/14 07:00:00 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=2CCC474EB85CEAA3E1FA1726580A3E5A -- C:\WINDOWS\system32\dllcache\ws2_32.dll
[2008/04/14 07:00:00 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=2CCC474EB85CEAA3E1FA1726580A3E5A -- C:\WINDOWS\system32\ws2_32.dll

< %systemroot%\*. /mp /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

========== Alternate Data Streams ==========

@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A2947BEA
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

EXTRAS

OTL Extras logfile created on: 9/26/2010 6:38:41 PM - Run 1
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\Shane\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 1920 3840 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 11.68 Gb Free Space | 15.68% Space Free | Partition Type: NTFS
Drive D: | 28.63 Gb Total Space | 21.48 Gb Free Space | 75.02% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-570961A31
Current User Name: Shane
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-776561741-789336058-1644491937-1008\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~4\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"4550:TCP" = 4550:TCP:*:Enabled:Services
"7600:TCP" = 7600:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"6539:TCP" = 6539:TCP:*:Enabled:Services
"6540:TCP" = 6540:TCP:*:Enabled:Services
"7444:TCP" = 7444:TCP:*:Enabled:Services
"7445:TCP" = 7445:TCP:*:Enabled:Services
"8054:TCP" = 8054:TCP:*:Enabled:Services
"8055:TCP" = 8055:TCP:*:Enabled:Services
"6975:TCP" = 6975:TCP:*:Enabled:Services
"6976:TCP" = 6976:TCP:*:Enabled:Services
"4454:TCP" = 4454:TCP:*:Enabled:Services
"2977:TCP" = 2977:TCP:*:Enabled:Services
"7634:TCP" = 7634:TCP:*:Enabled:Services
"7635:TCP" = 7635:TCP:*:Enabled:Services
"2358:TCP" = 2358:TCP:*:Enabled:Services
"3216:TCP" = 3216:TCP:*:Enabled:Services
"6417:TCP" = 6417:TCP:*:Enabled:Services
"6416:TCP" = 6416:TCP:*:Enabled:Services
"5486:TCP" = 5486:TCP:*:Enabled:Services
"3493:TCP" = 3493:TCP:*:Enabled:Services
"8570:TCP" = 8570:TCP:*:Enabled:Services
"8571:TCP" = 8571:TCP:*:Enabled:Services
"7900:TCP" = 7900:TCP:*:Enabled:Services
"7901:TCP" = 7901:TCP:*:Enabled:Services
"7928:TCP" = 7928:TCP:*:Enabled:Services
"7929:TCP" = 7929:TCP:*:Enabled:Services
"2948:TCP" = 2948:TCP:*:Enabled:Services
"4396:TCP" = 4396:TCP:*:Enabled:Services
"9024:TCP" = 9024:TCP:*:Enabled:Services
"9023:TCP" = 9023:TCP:*:Enabled:Services
"8617:TCP" = 8617:TCP:*:Enabled:Services
"8618:TCP" = 8618:TCP:*:Enabled:Services
"9243:TCP" = 9243:TCP:*:Enabled:Services
"9244:TCP" = 9244:TCP:*:Enabled:Services
"9367:TCP" = 9367:TCP:*:Enabled:Services
"9368:TCP" = 9368:TCP:*:Enabled:Services
"9573:TCP" = 9573:TCP:*:Enabled:Services
"9574:TCP" = 9574:TCP:*:Enabled:Services
"7424:TCP" = 7424:TCP:*:Enabled:Services
"4462:TCP" = 4462:TCP:*:Enabled:Services
"2012:TCP" = 2012:TCP:*:Enabled:Services
"2524:TCP" = 2524:TCP:*:Enabled:Services
"4899:TCP" = 4899:TCP:*:Enabled:Services
"8298:TCP" = 8298:TCP:*:Enabled:Services
"8958:TCP" = 8958:TCP:*:Enabled:Services
"8959:TCP" = 8959:TCP:*:Enabled:Services
"7489:TCP" = 7489:TCP:*:Enabled:Services
"7490:TCP" = 7490:TCP:*:Enabled:Services
"5287:TCP" = 5287:TCP:*:Enabled:Services
"9074:TCP" = 9074:TCP:*:Enabled:Services
"4349:TCP" = 4349:TCP:*:Enabled:Services
"7198:TCP" = 7198:TCP:*:Enabled:Services
"6349:TCP" = 6349:TCP:*:Enabled:Services
"6350:TCP" = 6350:TCP:*:Enabled:Services
"7210:TCP" = 7210:TCP:*:Enabled:Services
"7209:TCP" = 7209:TCP:*:Enabled:Services
"5302:TCP" = 5302:TCP:*:Enabled:Services
"9104:TCP" = 9104:TCP:*:Enabled:Services
"3960:TCP" = 3960:TCP:*:Enabled:Services
"6420:TCP" = 6420:TCP:*:Enabled:Services
"6068:TCP" = 6068:TCP:*:Enabled:Services
"6069:TCP" = 6069:TCP:*:Enabled:Services
"5631:TCP" = 5631:TCP:*:Enabled:Services
"9762:TCP" = 9762:TCP:*:Enabled:Services
"4834:TCP" = 4834:TCP:*:Enabled:Services
"8168:TCP" = 8168:TCP:*:Enabled:Services
"2585:TCP" = 2585:TCP:*:Enabled:Services
"3670:TCP" = 3670:TCP:*:Enabled:Services
"1694:TCP" = 1694:TCP:*:Enabled:Services
"1888:TCP" = 1888:TCP:*:Enabled:Services
"2818:TCP" = 2818:TCP:*:Enabled:Services
"4136:TCP" = 4136:TCP:*:Enabled:Services
"6989:TCP" = 6989:TCP:*:Enabled:Services
"6990:TCP" = 6990:TCP:*:Enabled:Services
"2677:TCP" = 2677:TCP:*:Enabled:Services
"3854:TCP" = 3854:TCP:*:Enabled:Services
"6146:TCP" = 6146:TCP:*:Enabled:Services
"6147:TCP" = 6147:TCP:*:Enabled:Services
"7865:TCP" = 7865:TCP:*:Enabled:Services
"7866:TCP" = 7866:TCP:*:Enabled:Services
"4318:TCP" = 4318:TCP:*:Enabled:Services
"7136:TCP" = 7136:TCP:*:Enabled:Services
"3943:TCP" = 3943:TCP:*:Enabled:Services
"6386:TCP" = 6386:TCP:*:Enabled:Services
"6459:TCP" = 6459:TCP:*:Enabled:Services
"6460:TCP" = 6460:TCP:*:Enabled:Services
"5365:TCP" = 5365:TCP:*:Enabled:Services
"9230:TCP" = 9230:TCP:*:Enabled:Services
"6412:TCP" = 6412:TCP:*:Enabled:Services
"6413:TCP" = 6413:TCP:*:Enabled:Services
"3974:TCP" = 3974:TCP:*:Enabled:Services
"6448:TCP" = 6448:TCP:*:Enabled:Services
"8418:TCP" = 8418:TCP:*:Enabled:Services
"4959:TCP" = 4959:TCP:*:Enabled:Services
"2552:TCP" = 2552:TCP:*:Enabled:Services
"3604:TCP" = 3604:TCP:*:Enabled:Services
"5980:TCP" = 5980:TCP:*:Enabled:Services
"3740:TCP" = 3740:TCP:*:Enabled:Services

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"4550:TCP" = 4550:TCP:*:Enabled:Services
"7600:TCP" = 7600:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"6539:TCP" = 6539:TCP:*:Enabled:Services
"6540:TCP" = 6540:TCP:*:Enabled:Services
"7444:TCP" = 7444:TCP:*:Enabled:Services
"7445:TCP" = 7445:TCP:*:Enabled:Services
"8054:TCP" = 8054:TCP:*:Enabled:Services
"8055:TCP" = 8055:TCP:*:Enabled:Services
"6975:TCP" = 6975:TCP:*:Enabled:Services
"6976:TCP" = 6976:TCP:*:Enabled:Services
"4454:TCP" = 4454:TCP:*:Enabled:Services
"2977:TCP" = 2977:TCP:*:Enabled:Services
"7634:TCP" = 7634:TCP:*:Enabled:Services
"7635:TCP" = 7635:TCP:*:Enabled:Services
"2358:TCP" = 2358:TCP:*:Enabled:Services
"3216:TCP" = 3216:TCP:*:Enabled:Services
"6417:TCP" = 6417:TCP:*:Enabled:Services
"6416:TCP" = 6416:TCP:*:Enabled:Services
"5486:TCP" = 5486:TCP:*:Enabled:Services
"3493:TCP" = 3493:TCP:*:Enabled:Services
"8570:TCP" = 8570:TCP:*:Enabled:Services
"8571:TCP" = 8571:TCP:*:Enabled:Services
"7900:TCP" = 7900:TCP:*:Enabled:Services
"7901:TCP" = 7901:TCP:*:Enabled:Services
"7928:TCP" = 7928:TCP:*:Enabled:Services
"7929:TCP" = 7929:TCP:*:Enabled:Services
"2948:TCP" = 2948:TCP:*:Enabled:Services
"4396:TCP" = 4396:TCP:*:Enabled:Services
"9024:TCP" = 9024:TCP:*:Enabled:Services
"9023:TCP" = 9023:TCP:*:Enabled:Services
"8617:TCP" = 8617:TCP:*:Enabled:Services
"8618:TCP" = 8618:TCP:*:Enabled:Services
"9243:TCP" = 9243:TCP:*:Enabled:Services
"9244:TCP" = 9244:TCP:*:Enabled:Services
"9367:TCP" = 9367:TCP:*:Enabled:Services
"9368:TCP" = 9368:TCP:*:Enabled:Services
"9573:TCP" = 9573:TCP:*:Enabled:Services
"9574:TCP" = 9574:TCP:*:Enabled:Services
"7424:TCP" = 7424:TCP:*:Enabled:Services
"4462:TCP" = 4462:TCP:*:Enabled:Services
"2012:TCP" = 2012:TCP:*:Enabled:Services
"2524:TCP" = 2524:TCP:*:Enabled:Services
"4899:TCP" = 4899:TCP:*:Enabled:Services
"8298:TCP" = 8298:TCP:*:Enabled:Services
"8958:TCP" = 8958:TCP:*:Enabled:Services
"8959:TCP" = 8959:TCP:*:Enabled:Services
"7489:TCP" = 7489:TCP:*:Enabled:Services
"7490:TCP" = 7490:TCP:*:Enabled:Services
"5287:TCP" = 5287:TCP:*:Enabled:Services
"9074:TCP" = 9074:TCP:*:Enabled:Services
"4349:TCP" = 4349:TCP:*:Enabled:Services
"7198:TCP" = 7198:TCP:*:Enabled:Services
"6349:TCP" = 6349:TCP:*:Enabled:Services
"6350:TCP" = 6350:TCP:*:Enabled:Services
"7210:TCP" = 7210:TCP:*:Enabled:Services
"7209:TCP" = 7209:TCP:*:Enabled:Services
"5302:TCP" = 5302:TCP:*:Enabled:Services
"9104:TCP" = 9104:TCP:*:Enabled:Services
"3960:TCP" = 3960:TCP:*:Enabled:Services
"6420:TCP" = 6420:TCP:*:Enabled:Services
"6068:TCP" = 6068:TCP:*:Enabled:Services
"6069:TCP" = 6069:TCP:*:Enabled:Services
"5631:TCP" = 5631:TCP:*:Enabled:Services
"9762:TCP" = 9762:TCP:*:Enabled:Services
"4834:TCP" = 4834:TCP:*:Enabled:Services
"8168:TCP" = 8168:TCP:*:Enabled:Services
"2585:TCP" = 2585:TCP:*:Enabled:Services
"3670:TCP" = 3670:TCP:*:Enabled:Services
"1694:TCP" = 1694:TCP:*:Enabled:Services
"1888:TCP" = 1888:TCP:*:Enabled:Services
"2818:TCP" = 2818:TCP:*:Enabled:Services
"4136:TCP" = 4136:TCP:*:Enabled:Services
"6989:TCP" = 6989:TCP:*:Enabled:Services
"6990:TCP" = 6990:TCP:*:Enabled:Services
"2677:TCP" = 2677:TCP:*:Enabled:Services
"3854:TCP" = 3854:TCP:*:Enabled:Services
"6146:TCP" = 6146:TCP:*:Enabled:Services
"6147:TCP" = 6147:TCP:*:Enabled:Services
"7865:TCP" = 7865:TCP:*:Enabled:Services
"7866:TCP" = 7866:TCP:*:Enabled:Services
"4318:TCP" = 4318:TCP:*:Enabled:Services
"7136:TCP" = 7136:TCP:*:Enabled:Services
"3943:TCP" = 3943:TCP:*:Enabled:Services
"6386:TCP" = 6386:TCP:*:Enabled:Services
"6459:TCP" = 6459:TCP:*:Enabled:Services
"6460:TCP" = 6460:TCP:*:Enabled:Services
"5365:TCP" = 5365:TCP:*:Enabled:Services
"9230:TCP" = 9230:TCP:*:Enabled:Services
"6412:TCP" = 6412:TCP:*:Enabled:Services
"6413:TCP" = 6413:TCP:*:Enabled:Services
"3974:TCP" = 3974:TCP:*:Enabled:Services
"6448:TCP" = 6448:TCP:*:Enabled:Services
"8418:TCP" = 8418:TCP:*:Enabled:Services
"4959:TCP" = 4959:TCP:*:Enabled:Services
"2552:TCP" = 2552:TCP:*:Enabled:Services
"3604:TCP" = 3604:TCP:*:Enabled:Services
"3740:TCP" = 3740:TCP:*:Enabled:Services
"5980:TCP" = 5980:TCP:*:Enabled:Services

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Disabled:AIM -- File not found
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Disabled:AOL Loader -- File not found
"C:\Program Files\Vuze\Azureus.exe" = C:\Program Files\Vuze\Azureus.exe:*:Disabled:Azureus -- File not found
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Disabled:avgemc.exe -- File not found
"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Disabled:avgnsx.exe -- File not found
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Disabled:avgupd.exe -- File not found
"C:\WINDOWS\system32\usmt\migwiz.exe" = C:\WINDOWS\system32\usmt\migwiz.exe:*:Disabled:Files and Settings Transfer Wizard -- (Microsoft Corporation)
"C:\Program Files\Adobe\Acrobat.com\Acrobat.com.exe" = C:\Program Files\Adobe\Acrobat.com\Acrobat.com.exe:*:Disabled:Acrobat.com -- File not found
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Disabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Disabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP560_series" = Canon MP560 series MP Drivers
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3D9892BB-A751-4E48-ADC8-E4289956CE1D}" = QuickTime
"{4D777040-B426-44F8-8AA5-4EA26C38ECAE}" = Club Bing Toolbar Helper
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7CE979C6-E5FF-41C5-B6CC-4EE18071563B}" = SierraAddressBook 3.0
"{8471021C-F529-43DE-84DF-3612E10F58C4}" = Remote Control USB Driver
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{8CBDD204-BF4E-4284-B117-465A02883B81}" = Linksys WMP110 RangePlus Wireless PCI Adapter
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91F7F3F3-CE80-48C3-8327-7D24A0A5716A}" = iTunes
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A35B36EA-39FE-4AA8-8119-D66B060C9E72}" = Club Bing Toolbar
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
"{BD3DCAB0-3FE5-44FB-90DA-EFB0A2CD1387}" = Works Synchronization
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{C8F7C1E5-0150-11D6-A96C-00D05908F85D}" = USB Driver
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D45E8C45-B601-4A80-AFD8-E16338744DE1}" = ArcSoft Panorama Maker 4
"{DC19E750-988B-4005-A355-85EF66055EFE}" = Works Suite OS Pack
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"CAL" = Canon Camera Access Library
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
"Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
"Canon MP560 series User Registration" = Canon MP560 series User Registration
"CANONIJPLM100" = Canon Inkjet Printer/Scanner/Fax Extended Survey Program
"CanonMyPrinter" = Canon Utilities My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"CCleaner" = CCleaner (remove only)
"ClubBingToolbar" = Club Bing Toolbar
"CSCLIB" = Canon Camera Support Core Library
"DirectPrintUserGuide" = Canon Direct Print User Guide
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"Easy-WebPrint EX" = Canon Easy-WebPrint EX
"EOS Utility" = Canon Utilities EOS Utility
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (3.6.10)" = Mozilla Firefox (3.6.10)
"MP Navigator EX 3.0" = Canon MP Navigator EX 3.0
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PhotoStitch" = Canon Utilities PhotoStitch
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureDC" = Canon Utilities RemoteCapture DC
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"ViewpointMediaPlayer" = Viewpoint Media Player
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/4/2010 1:40:52 PM | Computer Name = OWNER-570961A31 | Source = Bonjour Service | ID = 100
Description = 480: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 8/4/2010 1:40:52 PM | Computer Name = OWNER-570961A31 | Source = Bonjour Service | ID = 100
Description = 492: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 8/4/2010 1:40:52 PM | Computer Name = OWNER-570961A31 | Source = Bonjour Service | ID = 100
Description = 504: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 8/4/2010 1:40:52 PM | Computer Name = OWNER-570961A31 | Source = Bonjour Service | ID = 100
Description = 516: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 8/8/2010 11:02:40 PM | Computer Name = OWNER-570961A31 | Source = Bonjour Service | ID = 100
Description = 300: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 8/8/2010 11:02:40 PM | Computer Name = OWNER-570961A31 | Source = Bonjour Service | ID = 100
Description = 216: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 8/8/2010 11:02:40 PM | Computer Name = OWNER-570961A31 | Source = Bonjour Service | ID = 100
Description = 256: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 8/8/2010 11:02:40 PM | Computer Name = OWNER-570961A31 | Source = Bonjour Service | ID = 100
Description = 244: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 8/8/2010 11:02:40 PM | Computer Name = OWNER-570961A31 | Source = Bonjour Service | ID = 100
Description = 500: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 8/19/2010 8:28:13 PM | Computer Name = OWNER-570961A31 | Source = Bonjour Service | ID = 100
Description = 304: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

[ System Events ]
Error - 9/24/2010 4:14:11 PM | Computer Name = OWNER-570961A31 | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 9/24/2010 8:14:11 PM | Computer Name = OWNER-570961A31 | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 9/25/2010 8:51:43 AM | Computer Name = OWNER-570961A31 | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%1747

Error - 9/25/2010 8:51:46 AM | Computer Name = OWNER-570961A31 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
i8042prt

Error - 9/26/2010 12:15:53 AM | Computer Name = OWNER-570961A31 | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%1747

Error - 9/26/2010 12:15:54 AM | Computer Name = OWNER-570961A31 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
i8042prt

Error - 9/26/2010 8:31:34 AM | Computer Name = OWNER-570961A31 | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%1747

Error - 9/26/2010 8:31:35 AM | Computer Name = OWNER-570961A31 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
i8042prt

Error - 9/26/2010 7:36:12 PM | Computer Name = OWNER-570961A31 | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%1747

Error - 9/26/2010 7:36:13 PM | Computer Name = OWNER-570961A31 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
i8042prt


< End of report >

And now the GMER.

Just get back to me whenever you can, thanks!!

Attached Files

  • Attached File  GMER.log   324bytes   2 downloads


#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:03:16 AM

Posted 28 September 2010 - 06:00 PM

Hello, erksage.
You had a backdoor rootkit based on the TDSS logs. I also do see why you can't access search engines, so you're (obviously) still infected.

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.




Registry Cleaner Warning


I also see that you have CCleaner installed. It is a great tool that I use. However, be careful of the registry cleaning functionality (versus file cleaning). Here at BC, we do not recommend using registry cleaners as they don't speed up your computer and they can do more harm than good if they remove a legitimate entry. If you do use it, make sure to use a tool like ERUNT to back up your registry first. Merely backing it up yourself via regedit won't help you if you can't boot up as a result!

See here for more information:
http://www.bleepingcomputer.com/forums/ind...p;#entry1326578


Viewpoint (foistware) Warning

Viewpoint Manager is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/clickz/news/1714488/viewpoint-plunge-into-adware

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Step 1

Download and run HAMeb_check.exe
Post the contents of the resulting log.



Step 2

Please download MBRCheck by ad_13 and save it to your desktop.

Double-click to run. A window will pop up. If it says 'non-standard' or 'infected' MBR code detected, please type 3 for Exit for now and press Enter.

It will save a logfile on your desktop that starts with MBR, then has the date, etc. Please copy and paste the contents of that log in your reply.



Step 3

Scan With RKUnHooker
  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth, uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#5 erksage (Topic Starter, Members, 100 posts)

Posted 28 September 2010 - 08:00 PM

I think I would like to clean my PC. How do I know if I am hacked? Is my computer in danger forever?

#6 erksage (Topic Starter, Members, 100 posts)

Posted 28 September 2010 - 09:35 PM

First log:

C:\Documents and Settings\Shane\My Documents\Downloads\HAMeb_check.exe
Tue 09/28/2010 at 21:24:36.65

Account active Yes
Local Group Memberships *Administrators

~~ Checking profile list ~~

S-1-5-21-776561741-789336058-1644491937-1000
%SystemDrive%\Documents and Settings\HelpAssistant

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"4550:TCP"=4550:TCP:*:Enabled:Services
"7600:TCP"=7600:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"6539:TCP"=6539:TCP:*:Enabled:Services
"6540:TCP"=6540:TCP:*:Enabled:Services
"7444:TCP"=7444:TCP:*:Enabled:Services
"7445:TCP"=7445:TCP:*:Enabled:Services
"8054:TCP"=8054:TCP:*:Enabled:Services
"8055:TCP"=8055:TCP:*:Enabled:Services
"6975:TCP"=6975:TCP:*:Enabled:Services
"6976:TCP"=6976:TCP:*:Enabled:Services
"4454:TCP"=4454:TCP:*:Enabled:Services
"2977:TCP"=2977:TCP:*:Enabled:Services
"7634:TCP"=7634:TCP:*:Enabled:Services
"7635:TCP"=7635:TCP:*:Enabled:Services
"2358:TCP"=2358:TCP:*:Enabled:Services
"3216:TCP"=3216:TCP:*:Enabled:Services
"6417:TCP"=6417:TCP:*:Enabled:Services
"6416:TCP"=6416:TCP:*:Enabled:Services
"5486:TCP"=5486:TCP:*:Enabled:Services
"3493:TCP"=3493:TCP:*:Enabled:Services
"8570:TCP"=8570:TCP:*:Enabled:Services
"8571:TCP"=8571:TCP:*:Enabled:Services
"7900:TCP"=7900:TCP:*:Enabled:Services
"7901:TCP"=7901:TCP:*:Enabled:Services
"7928:TCP"=7928:TCP:*:Enabled:Services
"7929:TCP"=7929:TCP:*:Enabled:Services
"2948:TCP"=2948:TCP:*:Enabled:Services
"4396:TCP"=4396:TCP:*:Enabled:Services
"9024:TCP"=9024:TCP:*:Enabled:Services
"9023:TCP"=9023:TCP:*:Enabled:Services
"8617:TCP"=8617:TCP:*:Enabled:Services
"8618:TCP"=8618:TCP:*:Enabled:Services
"9243:TCP"=9243:TCP:*:Enabled:Services
"9244:TCP"=9244:TCP:*:Enabled:Services
"9367:TCP"=9367:TCP:*:Enabled:Services
"9368:TCP"=9368:TCP:*:Enabled:Services
"9573:TCP"=9573:TCP:*:Enabled:Services
"9574:TCP"=9574:TCP:*:Enabled:Services
"7424:TCP"=7424:TCP:*:Enabled:Services
"4462:TCP"=4462:TCP:*:Enabled:Services
"2012:TCP"=2012:TCP:*:Enabled:Services
"2524:TCP"=2524:TCP:*:Enabled:Services
"4899:TCP"=4899:TCP:*:Enabled:Services
"8298:TCP"=8298:TCP:*:Enabled:Services
"8958:TCP"=8958:TCP:*:Enabled:Services
"8959:TCP"=8959:TCP:*:Enabled:Services
"7489:TCP"=7489:TCP:*:Enabled:Services
"7490:TCP"=7490:TCP:*:Enabled:Services
"5287:TCP"=5287:TCP:*:Enabled:Services
"9074:TCP"=9074:TCP:*:Enabled:Services
"4349:TCP"=4349:TCP:*:Enabled:Services
"7198:TCP"=7198:TCP:*:Enabled:Services
"6349:TCP"=6349:TCP:*:Enabled:Services
"6350:TCP"=6350:TCP:*:Enabled:Services
"7210:TCP"=7210:TCP:*:Enabled:Services
"7209:TCP"=7209:TCP:*:Enabled:Services
"5302:TCP"=5302:TCP:*:Enabled:Services
"9104:TCP"=9104:TCP:*:Enabled:Services
"3960:TCP"=3960:TCP:*:Enabled:Services
"6420:TCP"=6420:TCP:*:Enabled:Services
"6068:TCP"=6068:TCP:*:Enabled:Services
"6069:TCP"=6069:TCP:*:Enabled:Services
"5631:TCP"=5631:TCP:*:Enabled:Services
"9762:TCP"=9762:TCP:*:Enabled:Services
"4834:TCP"=4834:TCP:*:Enabled:Services
"8168:TCP"=8168:TCP:*:Enabled:Services
"2585:TCP"=2585:TCP:*:Enabled:Services
"3670:TCP"=3670:TCP:*:Enabled:Services
"1694:TCP"=1694:TCP:*:Enabled:Services
"1888:TCP"=1888:TCP:*:Enabled:Services
"2818:TCP"=2818:TCP:*:Enabled:Services
"4136:TCP"=4136:TCP:*:Enabled:Services
"6989:TCP"=6989:TCP:*:Enabled:Services
"6990:TCP"=6990:TCP:*:Enabled:Services
"2677:TCP"=2677:TCP:*:Enabled:Services
"3854:TCP"=3854:TCP:*:Enabled:Services
"6146:TCP"=6146:TCP:*:Enabled:Services
"6147:TCP"=6147:TCP:*:Enabled:Services
"7865:TCP"=7865:TCP:*:Enabled:Services
"7866:TCP"=7866:TCP:*:Enabled:Services
"4318:TCP"=4318:TCP:*:Enabled:Services
"7136:TCP"=7136:TCP:*:Enabled:Services
"3943:TCP"=3943:TCP:*:Enabled:Services
"6386:TCP"=6386:TCP:*:Enabled:Services
"6459:TCP"=6459:TCP:*:Enabled:Services
"6460:TCP"=6460:TCP:*:Enabled:Services
"5365:TCP"=5365:TCP:*:Enabled:Services
"9230:TCP"=9230:TCP:*:Enabled:Services
"6412:TCP"=6412:TCP:*:Enabled:Services
"6413:TCP"=6413:TCP:*:Enabled:Services
"3974:TCP"=3974:TCP:*:Enabled:Services
"6448:TCP"=6448:TCP:*:Enabled:Services
"8418:TCP"=8418:TCP:*:Enabled:Services
"4959:TCP"=4959:TCP:*:Enabled:Services
"2552:TCP"=2552:TCP:*:Enabled:Services
"3604:TCP"=3604:TCP:*:Enabled:Services
"5980:TCP"=5980:TCP:*:Enabled:Services
"3740:TCP"=3740:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"4550:TCP"=4550:TCP:*:Enabled:Services
"7600:TCP"=7600:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"6539:TCP"=6539:TCP:*:Enabled:Services
"6540:TCP"=6540:TCP:*:Enabled:Services
"7444:TCP"=7444:TCP:*:Enabled:Services
"7445:TCP"=7445:TCP:*:Enabled:Services
"8054:TCP"=8054:TCP:*:Enabled:Services
"8055:TCP"=8055:TCP:*:Enabled:Services
"6975:TCP"=6975:TCP:*:Enabled:Services
"6976:TCP"=6976:TCP:*:Enabled:Services
"4454:TCP"=4454:TCP:*:Enabled:Services
"2977:TCP"=2977:TCP:*:Enabled:Services
"7634:TCP"=7634:TCP:*:Enabled:Services
"7635:TCP"=7635:TCP:*:Enabled:Services
"2358:TCP"=2358:TCP:*:Enabled:Services
"3216:TCP"=3216:TCP:*:Enabled:Services
"6417:TCP"=6417:TCP:*:Enabled:Services
"6416:TCP"=6416:TCP:*:Enabled:Services
"5486:TCP"=5486:TCP:*:Enabled:Services
"3493:TCP"=3493:TCP:*:Enabled:Services
"8570:TCP"=8570:TCP:*:Enabled:Services
"8571:TCP"=8571:TCP:*:Enabled:Services
"7900:TCP"=7900:TCP:*:Enabled:Services
"7901:TCP"=7901:TCP:*:Enabled:Services
"7928:TCP"=7928:TCP:*:Enabled:Services
"7929:TCP"=7929:TCP:*:Enabled:Services
"2948:TCP"=2948:TCP:*:Enabled:Services
"4396:TCP"=4396:TCP:*:Enabled:Services
"9024:TCP"=9024:TCP:*:Enabled:Services
"9023:TCP"=9023:TCP:*:Enabled:Services
"8617:TCP"=8617:TCP:*:Enabled:Services
"8618:TCP"=8618:TCP:*:Enabled:Services
"9243:TCP"=9243:TCP:*:Enabled:Services
"9244:TCP"=9244:TCP:*:Enabled:Services
"9367:TCP"=9367:TCP:*:Enabled:Services
"9368:TCP"=9368:TCP:*:Enabled:Services
"9573:TCP"=9573:TCP:*:Enabled:Services
"9574:TCP"=9574:TCP:*:Enabled:Services
"7424:TCP"=7424:TCP:*:Enabled:Services
"4462:TCP"=4462:TCP:*:Enabled:Services
"2012:TCP"=2012:TCP:*:Enabled:Services
"2524:TCP"=2524:TCP:*:Enabled:Services
"4899:TCP"=4899:TCP:*:Enabled:Services
"8298:TCP"=8298:TCP:*:Enabled:Services
"8958:TCP"=8958:TCP:*:Enabled:Services
"8959:TCP"=8959:TCP:*:Enabled:Services
"7489:TCP"=7489:TCP:*:Enabled:Services
"7490:TCP"=7490:TCP:*:Enabled:Services
"5287:TCP"=5287:TCP:*:Enabled:Services
"9074:TCP"=9074:TCP:*:Enabled:Services
"4349:TCP"=4349:TCP:*:Enabled:Services
"7198:TCP"=7198:TCP:*:Enabled:Services
"6349:TCP"=6349:TCP:*:Enabled:Services
"6350:TCP"=6350:TCP:*:Enabled:Services
"7210:TCP"=7210:TCP:*:Enabled:Services
"7209:TCP"=7209:TCP:*:Enabled:Services
"5302:TCP"=5302:TCP:*:Enabled:Services
"9104:TCP"=9104:TCP:*:Enabled:Services
"3960:TCP"=3960:TCP:*:Enabled:Services
"6420:TCP"=6420:TCP:*:Enabled:Services
"6068:TCP"=6068:TCP:*:Enabled:Services
"6069:TCP"=6069:TCP:*:Enabled:Services
"5631:TCP"=5631:TCP:*:Enabled:Services
"9762:TCP"=9762:TCP:*:Enabled:Services
"4834:TCP"=4834:TCP:*:Enabled:Services
"8168:TCP"=8168:TCP:*:Enabled:Services
"2585:TCP"=2585:TCP:*:Enabled:Services
"3670:TCP"=3670:TCP:*:Enabled:Services
"1694:TCP"=1694:TCP:*:Enabled:Services
"1888:TCP"=1888:TCP:*:Enabled:Services
"2818:TCP"=2818:TCP:*:Enabled:Services
"4136:TCP"=4136:TCP:*:Enabled:Services
"6989:TCP"=6989:TCP:*:Enabled:Services
"6990:TCP"=6990:TCP:*:Enabled:Services
"2677:TCP"=2677:TCP:*:Enabled:Services
"3854:TCP"=3854:TCP:*:Enabled:Services
"6146:TCP"=6146:TCP:*:Enabled:Services
"6147:TCP"=6147:TCP:*:Enabled:Services
"7865:TCP"=7865:TCP:*:Enabled:Services
"7866:TCP"=7866:TCP:*:Enabled:Services
"4318:TCP"=4318:TCP:*:Enabled:Services
"7136:TCP"=7136:TCP:*:Enabled:Services
"3943:TCP"=3943:TCP:*:Enabled:Services
"6386:TCP"=6386:TCP:*:Enabled:Services
"6459:TCP"=6459:TCP:*:Enabled:Services
"6460:TCP"=6460:TCP:*:Enabled:Services
"5365:TCP"=5365:TCP:*:Enabled:Services
"9230:TCP"=9230:TCP:*:Enabled:Services
"6412:TCP"=6412:TCP:*:Enabled:Services
"6413:TCP"=6413:TCP:*:Enabled:Services
"3974:TCP"=3974:TCP:*:Enabled:Services
"6448:TCP"=6448:TCP:*:Enabled:Services
"8418:TCP"=8418:TCP:*:Enabled:Services
"4959:TCP"=4959:TCP:*:Enabled:Services
"2552:TCP"=2552:TCP:*:Enabled:Services
"3604:TCP"=3604:TCP:*:Enabled:Services
"3740:TCP"=3740:TCP:*:Enabled:Services
"5980:TCP"=5980:TCP:*:Enabled:Services


~~ EOF ~~


And MBR

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000012d

Kernel Drivers (total 123):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF75A8000 ACPI.sys
0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7597000 pci.sys
0xF75F7000 isapnp.sys
0xF798B000 intelide.sys
0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7607000 MountMgr.sys
0xF74D8000 ftdisk.sys
0xF770F000 PartMgr.sys
0xF7617000 VolSnap.sys
0xF74C0000 atapi.sys
0xF7627000 disk.sys
0xF7637000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF74A0000 fltMgr.sys
0xF748E000 sr.sys
0xF7477000 KSecDD.sys
0xF7464000 WudfPf.sys
0xF7B52000 Ntfs.sys
0xF7437000 NDIS.sys
0xF741D000 Mup.sys
0xF7647000 agp440.sys
0xBA7C8000 \SystemRoot\system32\DRIVERS\processr.sys
0xB9DF5000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB9DE1000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB9DC4000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xB9D2B000 \SystemRoot\system32\DRIVERS\WMP110v2.sys
0xB9C56000 \SystemRoot\system32\DRIVERS\BCMDM.sys
0xB9C33000 \SystemRoot\system32\DRIVERS\ks.sys
0xF77CF000 \SystemRoot\System32\Drivers\Modem.SYS
0xF77D7000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF77DF000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF77E7000 \SystemRoot\system32\DRIVERS\fdc.sys
0xBA7A8000 \SystemRoot\system32\DRIVERS\serial.sys
0xF7947000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB9C1F000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA798000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF77EF000 \SystemRoot\system32\drivers\Afc.sys
0xBA788000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA778000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF77F7000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xF77FF000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB9BFB000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xB9BE3000 \SystemRoot\system32\drivers\ac97intc.sys
0xB9BBF000 \SystemRoot\system32\drivers\portcls.sys
0xBA768000 \SystemRoot\system32\drivers\drmk.sys
0xBA758000 \SystemRoot\system32\DRIVERS\jswscimd.sys
0xF7A6C000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA748000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA7FC000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB9BA8000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA738000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7677000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7807000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB9AF7000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7687000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF780F000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7817000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7697000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF79A7000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB9A37000 \SystemRoot\system32\DRIVERS\update.sys
0xBA7E8000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF76B7000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA710000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xF76E7000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF79BD000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7727000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF79BF000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7ABD000 \SystemRoot\System32\Drivers\Null.SYS
0xF79C1000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7737000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF773F000 \SystemRoot\System32\drivers\vga.sys
0xF79C3000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79C5000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7747000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF774F000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7917000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB7A81000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB7A28000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB7A00000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB79DE000 \SystemRoot\System32\drivers\afd.sys
0xF76F7000 \SystemRoot\System32\Drivers\Fips.SYS
0xB79B8000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF7587000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF775F000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF7937000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF7557000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF793F000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xF776F000 \SystemRoot\system32\DRIVERS\NuidFltr.sys
0xF7547000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xB783C000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xF7943000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xB9B98000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB6B8F000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF79DB000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xBA7DC000 \SystemRoot\System32\drivers\Dxapi.sys
0xF779F000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xB9FC8000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB7AF4000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xB5B83000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB511A000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF79D9000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB4F83000 \SystemRoot\system32\DRIVERS\srv.sys
0xF7787000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xB4CB8000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xB4BDB000 \SystemRoot\system32\drivers\wdmaud.sys
0xB4F3B000 \SystemRoot\system32\drivers\sysaudio.sys
0xB49B4000 \SystemRoot\System32\Drivers\HTTP.sys
0xB064C000 \??\C:\DOCUME~1\Shane\LOCALS~1\Temp\kwtyrkog.sys
0xB350E000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xB7ADC000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xB7AD4000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xAD241000 \SystemRoot\system32\drivers\kmixer.sys
0xB34C2000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0xB28FE000 \??\C:\DOCUME~1\Shane\LOCALS~1\Temp\mbr.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 35):
0 System Idle Process
4 System
852 C:\WINDOWS\system32\smss.exe
900 csrss.exe
924 C:\WINDOWS\system32\winlogon.exe
968 C:\WINDOWS\system32\services.exe
980 C:\WINDOWS\system32\lsass.exe
1136 C:\WINDOWS\system32\svchost.exe
1212 svchost.exe
1352 C:\WINDOWS\system32\svchost.exe
1392 C:\WINDOWS\system32\svchost.exe
1536 svchost.exe
1700 svchost.exe
1928 C:\WINDOWS\system32\spoolsv.exe
1988 svchost.exe
2020 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
2044 C:\Program Files\Bonjour\mDNSResponder.exe
168 C:\Program Files\Linksys\WMP110\gtwpssrv.exe
204 C:\Program Files\Canon\IJPLM\ijplmsvc.exe
232 C:\Program Files\Java\jre6\bin\jqs.exe
344 C:\WINDOWS\system32\svchost.exe
560 C:\Program Files\Linksys\WMP110\WLSngS.exe
1712 C:\Program Files\Canon\CAL\CALMAIN.exe
1856 alg.exe
1628 C:\WINDOWS\system32\svchost.exe
2156 C:\Program Files\iPod\bin\iPodService.exe
2812 C:\WINDOWS\explorer.exe
3896 C:\Program Files\Linksys\WMP110\WMP110.exe
2892 C:\Program Files\Java\jre6\bin\jusched.exe
2284 C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
292 C:\Program Files\iTunes\iTunesHelper.exe
3516 C:\WINDOWS\system32\ctfmon.exe
4052 C:\Program Files\Mozilla Firefox\firefox.exe
1836 C:\Program Files\Mozilla Firefox\plugin-container.exe
724 C:\Documents and Settings\Shane\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD800BB-22FJA0, Rev: 13.03G13
PhysicalDrive1 Model Number: Maxtor6E030J1, Rev: NAR61580

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
28 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

And Rootkit Unhooker!


RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 4276224 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 56.73 )
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2189952 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2189952 bytes
0x804D7000 RAW 2189952 bytes
0x804D7000 WMIxWDM 2189952 bytes
0xB9DF5000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 1900544 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 56.73 )
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB9C56000 C:\WINDOWS\system32\DRIVERS\BCMDM.sys 872448 bytes (BCM, Modem Device Driver)
0xB9D2B000 C:\WINDOWS\system32\DRIVERS\WMP110v2.sys 626688 bytes (Ralink Technology, Corp., Ralink 802.11 Wireless Adapter Driver)
0xF7B52000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB783C000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 503808 bytes (Microsoft Corporation, WDF Dynamic)
0xB9A37000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB7A28000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB4F83000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB49B4000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF75A8000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB511A000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF7437000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xAD241000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xB7A00000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB79B8000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB9BBF000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB9BFB000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB9C33000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB4CB8000 C:\WINDOWS\System32\Drivers\RDPWD.SYS 143360 bytes (Microsoft Corporation, RDP Terminal Stack Driver (US/Canada Only, Not for Export))
0xB79DE000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806EE000 ACPI_HAL 131840 bytes
0x806EE000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF74A0000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF74D8000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9DC4000 C:\WINDOWS\system32\DRIVERS\e100b325.sys 118784 bytes (Intel Corporation, NDIS 5 driver)
0xF741D000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9BE3000 C:\WINDOWS\system32\drivers\ac97intc.sys 98304 bytes (Intel Corporation, Intel® Integrated Controller Hub Audio Driver)
0xF74C0000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB6B8F000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7477000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB064C000 C:\DOCUME~1\Shane\LOCALS~1\Temp\kwtyrkog.sys 94208 bytes
0xB9BA8000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB4BDB000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB9C1F000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB9DE1000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB7A81000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xF7464000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF748E000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7597000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB9AF7000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xB9B98000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA788000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA7A8000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xBA768000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA778000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB4F3B000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF76E7000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA758000 C:\WINDOWS\system32\DRIVERS\jswscimd.sys 57344 bytes (Atheros Communications, Inc., Wireless Intermediate Miniport Driver)
0xF7637000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA748000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7617000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF7547000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xF7677000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7647000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter)
0xF76F7000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA798000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7607000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA738000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF75F7000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF76B7000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF7697000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF7627000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7557000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF7687000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xB353A000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA7C8000 C:\WINDOWS\system32\DRIVERS\processr.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF7587000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF77EF000 C:\WINDOWS\system32\drivers\Afc.sys 32768 bytes (Arcsoft, Inc., Arcsoft® ASPI Shell)
0xF77CF000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF774F000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF775F000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF77E7000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF7737000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF776F000 C:\WINDOWS\system32\DRIVERS\NuidFltr.sys 28672 bytes (Microsoft Corporation, Filter Driver for Microsoft Hardware HID Non-User Input Data)
0xF7707000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xB7ADC000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xB7AD4000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF77F7000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF77DF000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xB28FE000 C:\DOCUME~1\Shane\LOCALS~1\Temp\mbr.sys 24576 bytes
0xF77D7000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF7787000 C:\WINDOWS\System32\Drivers\TDTCP.SYS 24576 bytes (Microsoft Corporation, TCP Transport Driver)
0xF77FF000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF773F000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xB7AF4000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 20480 bytes (Meetinghouse Data Communications, IEEE 802.1X Protocol Driver)
0xF7727000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF7747000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF780F000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7817000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF7807000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF779F000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xB34C2000 C:\WINDOWS\system32\DRIVERS\asyncmac.sys 16384 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0xF793F000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA710000 C:\WINDOWS\system32\drivers\MODEMCSA.sys 16384 bytes (Microsoft Corporation, Unimodem CSA Filter)
0xBA7E8000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB5B83000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7947000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xB350E000 C:\WINDOWS\system32\DRIVERS\usbscan.sys 16384 bytes (Microsoft Corporation, USB Scanner Driver)
0xF7897000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xBA7DC000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF7937000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF7943000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA7FC000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF7917000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF79C1000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF79DB000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF79BF000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF798B000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF79C3000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF79D9000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF79C5000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF79A7000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF79BD000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7989000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7A6C000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xB9FC8000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7ABD000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
==============================================
>Stealth
==============================================




#7 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:16 AM

Posted 29 September 2010 - 05:31 PM

Hello, erksage.

You definitely have signs of infection. You often notice when you're hacked by odd occurrences (redirected searches, can't go to certain websites, computer behaving oddly, etc.), antivirus detections, etc. Your computer is always in danger when connected to the internet. If someone wrote a perfect virus...it wouldn't show any symptoms and you would never know if you are hacked. We can minimize the risk with safe habits, using security software, etc., but a connected computer always has some risk.

We'll start with Combofix. This likely won't help your search issue, so don't be discouraged, but it's the best tool at this point.

Next, please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#8 erksage

erksage
  • Topic Starter

  • Members
  • 100 posts
  • OFFLINE
  • Local time:01:16 AM

Posted 01 October 2010 - 11:59 PM

Hey! Guess what? I can Google Search again!! Also programs are running at par speed! Everything seems fixed! However, I want to be more secure than ever. What can we do? However, I don't know if the infection is all the way gone, for I cannot analyze logs.

Thank you for all your help, and here is the log!(just let me know what we do next!)





Attached Files

  • Attached File  log.txt   13.41KB   3 downloads


#9 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:16 AM

Posted 02 October 2010 - 11:18 AM

Hello, erksage.

We still have some work to go based on the logs.


We need to run Profiles by noahdfear.
  1. Download Profiles and save it to your desktop.
  2. Double-click profiles.exe and post the resulting log into your reply.


Step 2

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

etavares




#10 erksage

erksage
  • Topic Starter

  • Members
  • 100 posts
  • OFFLINE
  • Local time:01:16 AM

Posted 03 October 2010 - 10:35 PM

My Combofix should still be saved as etavaresCF.exe correct? Just making sure before I scan, because I do not want to harm anything.

#11 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:16 AM

Posted 04 October 2010 - 05:59 PM

Yes...you can still drag CFscript.txt into etavaresCF.exe. Thanks for asking.




#12 erksage

erksage
  • Topic Starter

  • Members
  • 100 posts
  • OFFLINE
  • Local time:01:16 AM

Posted 05 October 2010 - 09:41 PM

Combofix asked me to update....but I declined. If that affects the logs, I will run it again.

PROFILES



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-776561741-789336058-1644491937-1000
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-776561741-789336058-1644491937-1004
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Eric

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-776561741-789336058-1644491937-1006
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Roselyn

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-776561741-789336058-1644491937-1007
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Danielle

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-776561741-789336058-1644491937-1008
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Shane

SystemRoot REG_SZ C:\WINDOWS

Attached Files

  • Attached File  CF.txt   11.09KB   2 downloads


#13 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:16 AM

Posted 06 October 2010 - 05:38 PM

Hello, erksage.

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer. (It shouldn't.)
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

I will add...it looks like you had an MBR infection that was fixed, so if you had a recovery partition, it's likely gone anyway. Again, this should only remove the folders, close some open rogue ports and remove the leftover profile.

etavares




#14 erksage

erksage
  • Topic Starter

  • Members
  • 100 posts
  • OFFLINE
  • Local time:01:16 AM

Posted 09 October 2010 - 01:07 AM

Results


C:\Documents and Settings\Shane\My Documents\Downloads\HelpAsst_mebroot_fix.exe
Sat 10/09/2010 at 0:59:00.23

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
termsrv32.dll successfully removed

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"4550:TCP"=-
"7600:TCP"=-
"3389:TCP"=-
"6539:TCP"=-
"6540:TCP"=-
"7444:TCP"=-
"7445:TCP"=-
"8054:TCP"=-
"8055:TCP"=-
"6975:TCP"=-
"6976:TCP"=-
"4454:TCP"=-
"2977:TCP"=-
"7634:TCP"=-
"7635:TCP"=-
"2358:TCP"=-
"3216:TCP"=-
"6417:TCP"=-
"6416:TCP"=-
"5486:TCP"=-
"3493:TCP"=-
"8570:TCP"=-
"8571:TCP"=-
"7900:TCP"=-
"7901:TCP"=-
"7928:TCP"=-
"7929:TCP"=-
"2948:TCP"=-
"4396:TCP"=-
"9024:TCP"=-
"9023:TCP"=-
"8617:TCP"=-
"8618:TCP"=-
"9243:TCP"=-
"9244:TCP"=-
"9367:TCP"=-
"9368:TCP"=-
"9573:TCP"=-
"9574:TCP"=-
"7424:TCP"=-
"4462:TCP"=-
"2012:TCP"=-
"2524:TCP"=-
"4899:TCP"=-
"8298:TCP"=-
"8958:TCP"=-
"8959:TCP"=-
"7489:TCP"=-
"7490:TCP"=-
"5287:TCP"=-
"9074:TCP"=-
"4349:TCP"=-
"7198:TCP"=-
"6349:TCP"=-
"6350:TCP"=-
"7210:TCP"=-
"7209:TCP"=-
"5302:TCP"=-
"9104:TCP"=-
"3960:TCP"=-
"6420:TCP"=-
"6068:TCP"=-
"6069:TCP"=-
"5631:TCP"=-
"9762:TCP"=-
"4834:TCP"=-
"8168:TCP"=-
"2585:TCP"=-
"3670:TCP"=-
"1694:TCP"=-
"1888:TCP"=-
"2818:TCP"=-
"4136:TCP"=-
"6989:TCP"=-
"6990:TCP"=-
"2677:TCP"=-
"3854:TCP"=-
"6146:TCP"=-
"6147:TCP"=-
"7865:TCP"=-
"7866:TCP"=-
"4318:TCP"=-
"7136:TCP"=-
"3943:TCP"=-
"6386:TCP"=-
"6459:TCP"=-
"6460:TCP"=-
"5365:TCP"=-
"9230:TCP"=-
"6412:TCP"=-
"6413:TCP"=-
"3974:TCP"=-
"6448:TCP"=-
"8418:TCP"=-
"4959:TCP"=-
"2552:TCP"=-
"3604:TCP"=-
"5980:TCP"=-
"3740:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"4550:TCP"=-
"7600:TCP"=-
"3389:TCP"=-
"6539:TCP"=-
"6540:TCP"=-
"7444:TCP"=-
"7445:TCP"=-
"8054:TCP"=-
"8055:TCP"=-
"6975:TCP"=-
"6976:TCP"=-
"4454:TCP"=-
"2977:TCP"=-
"7634:TCP"=-
"7635:TCP"=-
"2358:TCP"=-
"3216:TCP"=-
"6417:TCP"=-
"6416:TCP"=-
"5486:TCP"=-
"3493:TCP"=-
"8570:TCP"=-
"8571:TCP"=-
"7900:TCP"=-
"7901:TCP"=-
"7928:TCP"=-
"7929:TCP"=-
"2948:TCP"=-
"4396:TCP"=-
"9024:TCP"=-
"9023:TCP"=-
"8617:TCP"=-
"8618:TCP"=-
"9243:TCP"=-
"9244:TCP"=-
"9367:TCP"=-
"9368:TCP"=-
"9573:TCP"=-
"9574:TCP"=-
"7424:TCP"=-
"4462:TCP"=-
"2012:TCP"=-
"2524:TCP"=-
"4899:TCP"=-
"8298:TCP"=-
"8958:TCP"=-
"8959:TCP"=-
"7489:TCP"=-
"7490:TCP"=-
"5287:TCP"=-
"9074:TCP"=-
"4349:TCP"=-
"7198:TCP"=-
"6349:TCP"=-
"6350:TCP"=-
"7210:TCP"=-
"7209:TCP"=-
"5302:TCP"=-
"9104:TCP"=-
"3960:TCP"=-
"6420:TCP"=-
"6068:TCP"=-
"6069:TCP"=-
"5631:TCP"=-
"9762:TCP"=-
"4834:TCP"=-
"8168:TCP"=-
"2585:TCP"=-
"3670:TCP"=-
"1694:TCP"=-
"1888:TCP"=-
"2818:TCP"=-
"4136:TCP"=-
"6989:TCP"=-
"6990:TCP"=-
"2677:TCP"=-
"3854:TCP"=-
"6146:TCP"=-
"6147:TCP"=-
"7865:TCP"=-
"7866:TCP"=-
"4318:TCP"=-
"7136:TCP"=-
"3943:TCP"=-
"6386:TCP"=-
"6459:TCP"=-
"6460:TCP"=-
"5365:TCP"=-
"9230:TCP"=-
"6412:TCP"=-
"6413:TCP"=-
"3974:TCP"=-
"6448:TCP"=-
"8418:TCP"=-
"4959:TCP"=-
"2552:TCP"=-
"3604:TCP"=-
"3740:TCP"=-
"5980:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-776561741-789336058-1644491937-1000
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Sat 10/09/2010 at 1:05:03.79

Account active No
Local Group Memberships *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~
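The Profiles output in post #12 and the HelpAsst log above both come down to three registry checks: is there a HelpAssistant entry in ProfileList, does the TermService ServiceDll still point at termsrv.dll rather than termsrv32.dll, and what is sitting in the firewall's GloballyOpenPorts\List. The following script is an added example (not code from either tool, from noahdfear, or from BleepingComputer) that parses the registry-style lines those logs print and reports those three indicators offline. The sample input is constructed from the logs posted in this thread; the allow-list of firewall exceptions the owner intended to keep is an assumption the analyst supplies.

```python
"""Offline triage of what the Profiles and HelpAsst_mebroot_fix logs report.

Added example for this thread, not code from either tool or from BleepingComputer.
It parses the registry-style lines those logs print and flags a HelpAssistant
profile in ProfileList, a TermService ServiceDll other than termsrv.dll, and
firewall exceptions that are not on the analyst's allow-list.
"""
import re
from dataclasses import dataclass, field

PROFILE_KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
                            r"\\ProfileList\\(S-1-5-[\d-]+)$", re.I)
PROFILE_PATH_RE = re.compile(r"^ProfileImagePath\s+REG_EXPAND_SZ\s+(.+)$", re.I)
# Only the value name matters, so both the tool's "port:TCP"=- lines and a reg export parse.
PORT_RE = re.compile(r'^\s*"(\d{1,5}):(TCP|UDP)"', re.M)
SERVICEDLL_RE = re.compile(r"^\s*ServiceDll\s+REG_EXPAND_SZ\s+(.+?)\s*$", re.I | re.M)
GOOD_TERMSRV = r"%systemroot%\system32\termsrv.dll"  # stock XP value, as in the clean log

# Constructed samples, cut down from the logs posted in this thread.
SAMPLE_PROFILE_LIST = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-776561741-789336058-1644491937-1000
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-776561741-789336058-1644491937-1004
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Eric
"""
SAMPLE_OPEN_PORTS = r"""
HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"4550:TCP"=-
"3389:TCP"=-
"6539:TCP"=-
"6540:TCP"=-
"""
SAMPLE_TERMSERVICE = r"""
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll
"""

@dataclass
class Findings:
    profiles: dict = field(default_factory=dict)        # SID -> ProfileImagePath
    suspicious_profiles: list = field(default_factory=list)
    open_ports: list = field(default_factory=list)      # (port, "TCP"|"UDP")
    rogue_ports: list = field(default_factory=list)
    service_dll: str = None
    service_dll_ok: bool = None                          # None when no ServiceDll line was seen

def parse_profile_list(text):
    """Map each ProfileList SID to its ProfileImagePath (key line, then value line)."""
    profiles, sid = {}, None
    for line in (l.strip() for l in text.splitlines()):
        key = PROFILE_KEY_RE.match(line)
        if key:
            sid = key.group(1)
            continue
        path = PROFILE_PATH_RE.match(line)
        if path and sid:
            profiles[sid] = path.group(1).strip()
            sid = None
    return profiles

def parse_open_ports(text):
    """(port, proto) for every GloballyOpenPorts\\List value name in the dump."""
    return [(int(port), proto) for port, proto in PORT_RE.findall(text)]

def triage(profile_text, ports_text, termservice_text, allowed_ports=frozenset()):
    """allowed_ports: exceptions the owner knowingly configured; an analyst-supplied assumption."""
    f = Findings()
    f.profiles = parse_profile_list(profile_text)
    # HelpAssistant is the Remote Assistance account; a profile directory for it is
    # exactly what the thread's tool backs up and removes.
    f.suspicious_profiles = [sid for sid, path in f.profiles.items()
                             if path.replace("/", "\\").split("\\")[-1].lower() == "helpassistant"]
    f.open_ports = parse_open_ports(ports_text)
    f.rogue_ports = [p for p in f.open_ports if p not in allowed_ports]
    m = SERVICEDLL_RE.search(termservice_text)
    if m:
        f.service_dll = m.group(1)
        f.service_dll_ok = f.service_dll.lower().replace("/", "\\") == GOOD_TERMSRV
    return f

def report(f):
    """Human-readable summary lines, one per indicator."""
    out = [f"ProfileList: {len(f.profiles)} profiles, HelpAssistant: {f.suspicious_profiles or 'none'}",
           f"GloballyOpenPorts: {len(f.open_ports)} entries, not on allow-list: {len(f.rogue_ports)}"]
    if f.rogue_ports:
        out.append("  rogue: " + ", ".join(f"{p}/{proto}" for p, proto in f.rogue_ports))
    out.append(f"TermService ServiceDll: {f.service_dll} -> {'OK' if f.service_dll_ok else 'SUSPECT'}")
    return out

if __name__ == "__main__":
    # Assume 3389/TCP (Remote Desktop) is the one exception the owner meant to keep.
    print("\n".join(report(triage(SAMPLE_PROFILE_LIST, SAMPLE_OPEN_PORTS, SAMPLE_TERMSERVICE,
                                   {(3389, "TCP")}))))
```

Run against a real machine, the three text inputs would come from `reg export` of the ProfileList, GloballyOpenPorts and TermService\Parameters keys; the parser only looks at value names and ProfileImagePath/ServiceDll data, so the `=-` deletion syntax the tool logs and a live export both work. A long run of high-numbered TCP exceptions with no matching application, as in the log above, is the pattern worth alerting on even when every other check comes back clean.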

#15 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:16 AM

Posted 09 October 2010 - 06:40 AM

Hello, erksage.

OK, looking better. Let's get a second opinion and update some programs.



Step 1

Your Adobe Reader software is out of date and has known security holes. Please launch it, go to Help --> Check for Updates and let it update the main program if needed. Updating the languages and/or dictionaries is optional.



Step 2

Next, we need to update Java.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 21 and save it to your desktop.
  • Scroll down to where it says "JDK 6 Update 21 (JDK or JRE)...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) or Java™ in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version.



Step 3

We need to run an OTL script.
  1. Please download OTL from one of the following mirrors if you do not still have it.
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Paste the following code under the Custom Scans/Fixes box at the bottom. Do not include the word "Code".
    CODE
    :OTL
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\iscflash.sys -- (iscFlash)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O4 - HKU\S-1-5-21-776561741-789336058-1644491937-1008..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe File not found
    O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - Reg Error: Key error. File not found
    O36 - AppCertDlls: clicprep - (C:\WINDOWS\system32\fsutMRT.dll) - C:\WINDOWS\System32\fsutMRT.dll File not found
    :Commands
    [ResetHosts]
    [EmptyTemp]
  5. Click the Run Fix button at the top.
  6. Let the program run unhindered and reboot when it is done.
  7. You will get a log when it is done, please post that in your reply.
  8. Please then create a new OTL report....
  9. Click the "Scan All Users" checkbox.
  10. Push the button.
  11. A report will open, copy and paste it in a reply here.



Step 4

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



Step 5

Please go to the Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

Note: Kaspersky online scan may take time to complete, please be patient.

etavares






