
Browser redirection and rootkit activity


11 replies to this topic

#1 Irelanda


Posted 29 September 2010 - 01:07 AM

Browsers, both IE and Firefox, are exhibiting random redirects to unwelcome pages. It always happens when "wind0wsupd@te" is in the address line, even when typed into the Google search field.

I have thrown all sorts of scanners at it, finding some bits but not removing the redirection stuff.
I've got a reasonably high experience level, but this has got me stumped.

Logs attached per Preparation Guide


DDS (Ver_10-03-17.01) - NTFSx86
Run by Jackaroo Motor Inn at 14:20:35.45 on Wed 29/09/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.606 [GMT 10:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\explorer.exe
C:\WorkingFiles\AV Removal\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ninemsn.com.au/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: BigPond Wireless Broadband 2.0 Auto Dial: {db92ec3f-697d-4c3b-9a3b-3abbd23d4a85} - c:\program files\telstra\bigpond wireless broadband 2.0\bpwbb2ad.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
LSP: c:\windows\system32\VetRedir.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 setup_9.0.0.722_24.09.2010_00-27drv;setup_9.0.0.722_24.09.2010_00-27drv;c:\windows\system32\drivers\0044336.sys --> c:\windows\system32\drivers\0044336.sys [?]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2008-12-20 26352]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2008-12-20 21104]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2010-6-4 746216]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2008-12-20 21488]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2008-12-20 32240]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2008-12-20 144960]
R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2008-12-20 238928]
R3 PPCtlPriv;PPCtlPriv;c:\program files\ca\ca internet security suite\ca anti-spyware\PPCtlPriv.exe [2007-3-12 189704]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2010-6-4 130280]
S3 kwkxusb;Kyocera Wireless USB CDMA Modem Driver;c:\windows\system32\drivers\kwusb2k.sys [2005-3-24 41344]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-8-24 7680]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1c.tmp --> c:\windows\system32\1C.tmp [?]

=============== Created Last 30 ================

2010-09-29 03:33:40 0 d-s---w- c:\windows\Cookies
2010-09-29 03:06:52 73472 -c--a-w- c:\windows\system32\dllcache\sr.vir
2010-09-29 03:06:52 73472 ----a-w- c:\windows\system32\drivers\sr.sys
2010-09-29 01:16:36 49936 ----a-w- c:\windows\system32\SeCEdit.exe
2010-09-29 01:16:36 29968 ----a-w- c:\windows\system32\Rshx32_5.dll
2010-09-29 01:16:36 242448 ----a-w- c:\windows\system32\scedll.dll
2010-09-29 01:16:33 384784 ----a-w- c:\windows\system32\wsecedit.dll
2010-09-28 12:13:17 0 d-----w- c:\program files\Sophos
2010-09-28 08:08:38 0 d-----w- c:\program files\CleanUp!
2010-09-28 04:12:55 0 d-----w- c:\program files\Enigma Software Group
2010-09-28 04:12:39 0 d-----w- c:\windows\95431C66CF9A4913BFFF6050785AFB65.TMP
2010-09-28 03:18:30 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-09-28 02:56:48 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-09-24 03:25:31 0 d-----w- c:\program files\Panda Security
2010-09-24 03:13:28 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-09-24 03:13:28 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-09-23 23:52:46 0 ----a-w- c:\documents and settings\jackaroo motor inn\defogger_reenable
2010-09-17 11:31:05 0 d-----w- c:\windows\system32\wbem\Repository.002
2010-09-17 11:30:24 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2010-09-17 11:30:24 1306624 -c----w- c:\windows\system32\dllcache\msxml6.dll
2010-09-17 11:30:19 380416 ------w- c:\windows\system32\irprops.cpl
2010-09-17 11:30:17 28672 ------w- c:\windows\system32\verclsid.exe
2010-09-17 11:30:16 162304 ------w- c:\windows\system32\wuaucpl.cpl
2010-09-17 07:52:58 0 d-----w- c:\program files\Trend Micro
2010-09-17 06:10:38 0 d-sha-r- C:\cmdcons
2010-09-17 06:07:28 98816 ----a-w- c:\windows\sed.exe
2010-09-17 06:07:28 77312 ----a-w- c:\windows\MBR.exe
2010-09-17 06:07:28 256512 ----a-w- c:\windows\PEV.exe
2010-09-17 06:07:28 161792 ----a-w- c:\windows\SWREG.exe
2010-09-17 04:49:11 711168 ----a-w- c:\windows\is-5I10H.exe
2010-09-17 04:49:11 399 ----a-w- c:\windows\is-5I10H.lst
2010-09-17 04:49:11 10562 ----a-w- c:\windows\is-5I10H.msg
2010-09-17 04:47:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-17 04:47:29 19288 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-17 04:47:28 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-17 04:22:55 12626 ----a-w- c:\windows\system32\wpa.bak
2010-09-17 04:11:58 26112 -c--a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2010-09-17 04:10:46 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys
2010-09-17 04:09:53 13463552 -c--a-w- c:\windows\system32\dllcache\hwxjpn.dll
2010-09-17 04:08:59 9728 -c--a-w- c:\windows\system32\dllcache\change.exe
2010-09-17 04:08:59 78336 -c--a-w- c:\windows\system32\dllcache\chajei.ime
2010-09-17 04:08:59 13312 -c--a-w- c:\windows\system32\dllcache\chglogon.exe
2010-09-17 04:08:56 54528 -c--a-w- c:\windows\system32\dllcache\cap7146.sys
2010-09-17 04:08:55 6656 -c--a-w- c:\windows\system32\dllcache\c_is2022.dll
2010-09-17 04:08:55 10752 -c--a-w- c:\windows\system32\dllcache\c_iscii.dll
2010-09-17 04:08:35 312832 -c--a-w- c:\windows\system32\dllcache\EXCH_aqueue.dll
2010-09-17 04:08:34 45056 -c--a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll
2010-09-17 04:08:30 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2010-09-17 04:08:19 2134528 -c--a-w- c:\windows\system32\dllcache\EXCH_smtpsnap.dll
2010-09-17 04:08:19 175104 -c--a-w- c:\windows\system32\dllcache\EXCH_smtpadm.dll
2010-09-17 04:06:15 25065 ----a-w- c:\windows\system32\wmpscheme.xml
2010-09-17 04:06:05 299552 ----a-w- c:\windows\WMSysPrx.prx
2010-09-17 04:03:26 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-09-17 04:03:13 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-09-17 04:03:13 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-09-17 04:03:13 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-09-17 04:03:13 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-09-17 04:01:59 67584 ----a-w- c:\windows\system32\srclient.dll
2010-09-17 03:58:58 196224 ----a-w- c:\windows\system32\drivers\rdpdr.sys
2010-09-17 03:56:48 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2010-09-17 03:56:43 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-09-17 03:54:42 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-09-17 03:54:13 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-09-17 03:53:33 606684 ----a-w- c:\windows\system32\drivers\ltmdmnt.sys
2010-09-17 03:52:52 4096 ----a-w- c:\windows\system32\ksuser.dll
2010-09-17 03:52:51 129536 ----a-w- c:\windows\system32\ksproxy.ax
2010-09-17 03:52:10 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
2010-09-17 03:49:12 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-09-17 03:49:12 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-09-17 03:49:12 146432 ----a-w- c:\windows\system\winspool.drv
2010-09-17 03:49:12 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-09-17 03:49:12 13312 ----a-w- c:\windows\system32\irclass.dll
2010-09-17 03:49:12 11264 ----a-w- c:\windows\system32\drivers\irenum.sys
2010-09-17 03:49:09 74752 ----a-w- c:\windows\system32\storprop.dll

==================== Find3M ====================

2010-09-17 04:01:07 23444 ----a-w- c:\windows\system32\emptyregdb.dat
2010-09-13 05:52:34 12186 ----a-w- c:\docume~1\jackar~1\applic~1\wklnhst.dat
2008-10-22 21:17:51 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102320081024\index.dat

============= FINISH: 14:23:13.75 ===============

I was even unable to post this with "wind0wsupd@te" in the text; it caused a

The connection was reset
The connection to the server was reset while the page was loading.
* The site could be temporarily unavailable or too busy. Try again in a few
moments.
* If you are unable to load any pages, check your computer's network
connection.
* If your computer or network is protected by a firewall or proxy, make sure
that Firefox is permitted to access the Web.

page to be displayed.

There seems to be some kind of transparent proxy active.

Both browsers' proxy settings are set to "no proxy".

EDIT: Posts merged ~BP


Edited by Budapest, 29 September 2010 - 01:15 AM.
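As an added example (not code from this thread, from DDS or from any of the tools named in it), a small Python triage helper for the SERVICES / DRIVERS section of a DDS log like the one above: it parses each entry and flags the ones a responder would look at first, such as images DDS marks "[?]" (the file could not be found or stat'd) or throwaway-looking file names. The sample input is constructed from the service lines in the log above, and the list of expected binary locations is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: service/driver lines copied from the DDS log in post #1.
SAMPLE_DDS = r"""
R1 setup_9.0.0.722_24.09.2010_00-27drv;setup_9.0.0.722_24.09.2010_00-27drv;c:\windows\system32\drivers\0044336.sys --> c:\windows\system32\drivers\0044336.sys [?]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2008-12-20 26352]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2008-12-20 144960]
S3 kwkxusb;Kyocera Wireless USB CDMA Modem Driver;c:\windows\system32\drivers\kwusb2k.sys [2005-3-24 41344]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1c.tmp --> c:\windows\system32\1C.tmp [?]
"""

# "R1 name;display name;image ..." -- state letter/digit, then three ';'-separated fields.
LINE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# Image part is "path [date size]" or "path --> resolved [?]"; DDS prints "[?]" when it could not stat the file.
IMAGE_RE = re.compile(r"^(?P<path>.+?)(?: --> (?P<resolved>.+?))? \[(?P<meta>[^\]]*)\]$")

# Locations where a driver or service binary is ordinarily expected (assumption; extend for your own estate).
EXPECTED_PREFIXES = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\", "c:\\program files\\")


@dataclass
class ServiceEntry:
    state: str      # R = running, S = stopped; the digit is the start type
    name: str
    display: str
    path: str       # normalised: lower-case, NT "\??\" prefix removed
    meta: str       # "date size" or "?"
    flags: list = field(default_factory=list)


def parse_dds_services(text):
    """Parse the SERVICES / DRIVERS lines of a DDS log; non-matching lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        img = IMAGE_RE.match(m["rest"])
        if not img:
            continue
        path = img["path"].lower()
        if path.startswith("\\??\\"):
            path = path[4:]
        entries.append(ServiceEntry(m["state"], m["name"], m["display"], path, img["meta"]))
    return entries


def triage(entries):
    """Attach heuristic flags; returns only the entries that got at least one flag, in log order."""
    flagged = []
    for e in entries:
        base = e.path.rsplit("\\", 1)[-1]
        stem, _, ext = base.rpartition(".")
        if e.meta == "?":
            e.flags.append("unknown_file")          # DDS could not find or stat the image on disk
        if stem.isdigit() or ext == "tmp":
            e.flags.append("numeric_or_temp_name")  # throwaway-looking image name
        if not e.path.startswith(EXPECTED_PREFIXES):
            e.flags.append("unusual_location")      # image outside the expected directories
        if e.flags:
            flagged.append(e)
    return flagged


def suspicious_names(text):
    """Service names worth a closer look, in the order they appear in the log."""
    return [e.name for e in triage(parse_dds_services(text))]


if __name__ == "__main__":
    for e in triage(parse_dds_services(SAMPLE_DDS)):
        print(f"{e.state} {e.name}: {e.path} [{e.meta}] -> {', '.join(e.flags)}")
```

The flags are leads, not verdicts: legitimate scanners also leave "[?]" entries behind once their temporary driver is gone, so every hit still needs the file itself examined.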



#2 Maurice Naggar


Posted 03 October 2010 - 11:09 AM

Hello Irelanda,

Step 1
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

Step 2
Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

Step 3

Please do the following.
Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    CODE
    Drivers to disable:
    setup_9.0.0.722_24.09.2010_00-27drv

    Drivers to delete:
    setup_9.0.0.722_24.09.2010_00-27drv

    Files to delete:
    c:\windows\system32\DRIVERS\0044336.sys
    c:\windows\95431C66CF9A4913BFFF6050785AFB65.TMP

  • In the avenger window, click the Paste Script from Clipboard icon, button.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
Step 4
Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • IF prompted to Reboot, reply "Yes".
Step 5
Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.
Then click the Scanner sub-tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 6
Download and SAVE HijackThis

Save the HJT to your desktop or the folder of your choice, then navigate to that folder and double-click Hijackthis.exe to start it.
Do a "Scan and Save log".


Reply with a copy of the contents (Copy & Paste) of C:\Avenger.txt,
the MBAM scan log,
and the HijackThis log.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

Edited by Maurice Naggar, 03 October 2010 - 11:13 AM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 Irelanda


Posted 03 October 2010 - 10:12 PM

Maurice

Still unable to browse to "wind0wsupd@te.microsoft.com" without being redirected to the "CONNECTION WAS RESET" page.

i.e. selecting wind0ws upd@te from Tools in IE opens a page in Firefox with "The connection was reset".

If I enter Wind0wsupd@te into Google, it redirects to Google as if you hadn't pressed the search button; all other searches seem to work ????


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "setup_9.0.0.722_24.09.2010_00-27drv" disabled successfully.
Driver "setup_9.0.0.722_24.09.2010_00-27drv" deleted successfully.

Error: file "c:\windows\system32\DRIVERS\0044336.sys" not found!
Deletion of file "c:\windows\system32\DRIVERS\0044336.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: "c:\windows\95431C66CF9A4913BFFF6050785AFB65.TMP" is a folder, not a file!
Deletion of file "c:\windows\95431C66CF9A4913BFFF6050785AFB65.TMP" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Completed script processing.

*******************

Finished! Terminate.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4736

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

4/10/2010 12:50:46 PM
mbam-log-2010-10-04 (12-50-46).txt

Scan type: Quick scan
Objects scanned: 144296
Time elapsed: 16 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:57:56 PM, on 4/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WorkingFiles\AV Removal\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: BigPond Wireless Broadband 2.0 Auto Dial - {DB92EC3F-697D-4C3B-9A3B-3ABBD23D4A85} - C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\bpwbb2ad.dll
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O23 - Service: CaCCProvSP - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 2986 bytes



#4 Maurice Naggar


Posted 04 October 2010 - 08:47 AM

Hello Irelanda,

Until we are confident of having removed the malware, do NOT select Windows Update either from menus or by manual visit with your IE browser.
"wind0wsupd@teDOTmicrosoftDOTcom" is NOT the legitimate address.

You will want to print out or copy these instructions to Notepad for offline reference!
If you are a casual viewer, do NOT try this on your system!
If you are not Irelanda and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.

Close any of your open programs while you run these tools. Some of these utility programs will do a Windows Restart. Do have plenty of patience.

Step 1
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Do NOT turn off the firewall

Please download Rkill by Grinler and save it to your desktop.
    Link 2
    Link 3
    Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • If your antivirus program gives a prompt message, respond positive to allow RKILL to run.
  • If a malware-rogue gives a message regarding RKILL, proceed forward to running RKILL
Step 2
Download OTL by OldTimer and SAVE to your desktop: http://oldtimer.geekstogo.com/OTL.exe
  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    *****************************************************************
    :processes

    :files
    c:\windows\95431C66CF9A4913BFFF6050785AFB65.TMP
    recycler /alldrives

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [EMPTYFLASH]
    [Reboot]

    *****************************************************************
  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Step 3
Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Double-Click on TDSSKiller.exe to run the application, then on Start Scan.

  • If an infected file is detected, the default action will be Cure, click on Continue.

  • If a suspicious file is detected, the default action will be Skip, click on Continue.

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
Step 4
Please close any of your open windows/programs and exit, saving any open work you have.
I'd like to have you do a special run of OTL to generate some searches & a new log-report.
  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    *****************************************************************
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    themeui.dll
    beep.sys
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

    *****************************************************************
  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser window(s) that may be open.
  • Using your mouse, click on Run Scan.
  • The scan won't take long.
    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
    These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of just OTL.txt
Step 5
Then copy/paste the following into your post (in order):
  • the contents of OTL MovedFiles log
  • the contents of TDSSKILLER log
  • the contents of OTL.txt log
Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

Edited by Maurice Naggar, 04 October 2010 - 08:50 AM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#5 Irelanda
  • Topic Starter
  • Members
  • 7 posts

Posted 04 October 2010 - 06:26 PM

Maurice

I wasn't trying to do a wind0wsupd@te, just testing if redirection was still active (a little intrigued as to how it was filtering even google searches and redirecting to a blank search page).

Redirection now seems to be inactive.

A couple of issues occurred along the way.

After the initial OTL run with the supplied script, a reboot was required and allowed to happen. It booted OK but only a blank screen and mouse arrow came up; after a long while I rebooted into safe mode, same thing. I forced OTL to run manually from Task Manager (explorer would not run manually) and was given Notepad with the log file. The machine rebooted OK after this.

Second OTL script produced errors relating to context ???

Regards

Guy


All processes killed
========== PROCESSES ==========
========== FILES ==========
File\Folder c:\windows\95431C66CF9A4913BFFF6050785AFB65.TMP not found.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-500 folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc4\8xcxxc7r.default\minidumps folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc4\8xcxxc7r.default\GoogleToolbarData\feeds\gtbstoolbar-google-com_J66T77NJDBMW4FEUU7FA folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc4\8xcxxc7r.default\GoogleToolbarData\feeds\gtbSearchCalendar folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc4\8xcxxc7r.default\GoogleToolbarData\feeds folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc4\8xcxxc7r.default\GoogleToolbarData\components folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc4\8xcxxc7r.default\GoogleToolbarData folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc4\8xcxxc7r.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\META-INF folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc4\8xcxxc7r.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc4\8xcxxc7r.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\lib folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc4\8xcxxc7r.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\defaults\preferences folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc4\8xcxxc7r.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\defaults\custombuttons folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc4\8xcxxc7r.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\defaults\contenthandling folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc4\8xcxxc7r.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\defaults\components folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc4\8xcxxc7r.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\defaults folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc4\8xcxxc7r.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc4\8xcxxc7r.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\chrome folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc4\8xcxxc7r.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c} folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc4\8xcxxc7r.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}\defaults\preferences folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc4\8xcxxc7r.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}\defaults folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc4\8xcxxc7r.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}\chrome folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc4\8xcxxc7r.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc4\8xcxxc7r.default\extensions folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc4\8xcxxc7r.default\chrome folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc4\8xcxxc7r.default\bookmarkbackups folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc4\8xcxxc7r.default folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc4 folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc3\xfem73rf.default\minidumps folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc3\xfem73rf.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc3\xfem73rf.default\extensions\staged-xpis\{20a82645-c095-46ed-80e3-08825760534b} folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc3\xfem73rf.default\extensions\staged-xpis folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc3\xfem73rf.default\extensions folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc3\xfem73rf.default\chrome folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc3\xfem73rf.default\bookmarkbackups folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc3\xfem73rf.default folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008\Dc3 folder moved successfully.
C:\RECYCLER\S-1-5-21-1088892618-2822370105-2951399526-1008 folder moved successfully.
C:\RECYCLER folder moved successfully.
recycler not found in D:\
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Jackaroo Motor Inn
->Temp folder emptied: 2793680 bytes
->Temporary Internet Files folder emptied: 5107301 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 15728686 bytes
->Flash cache emptied: 752 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Nick

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 664 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 23.00 mb

Restore point Set: OTL Restore Point (0)

[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: Jackaroo Motor Inn
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

User: Nick

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.14.1 log created on 10052010_085440

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

2010/10/05 09:08:24.0421 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/05 09:08:24.0421 ================================================================================
2010/10/05 09:08:24.0421 SystemInfo:
2010/10/05 09:08:24.0421
2010/10/05 09:08:24.0421 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/05 09:08:24.0421 Product type: Workstation
2010/10/05 09:08:24.0421 ComputerName: WENDY
2010/10/05 09:08:24.0421 UserName: Jackaroo Motor Inn
2010/10/05 09:08:24.0421 Windows directory: C:\WINDOWS
2010/10/05 09:08:24.0421 System windows directory: C:\WINDOWS
2010/10/05 09:08:24.0421 Processor architecture: Intel x86
2010/10/05 09:08:24.0421 Number of processors: 2
2010/10/05 09:08:24.0421 Page size: 0x1000
2010/10/05 09:08:24.0421 Boot type: Normal boot
2010/10/05 09:08:24.0421 ================================================================================
2010/10/05 09:08:24.0546 Initialize success
2010/10/05 09:08:27.0156 ================================================================================
2010/10/05 09:08:27.0156 Scan started
2010/10/05 09:08:27.0156 Mode: Manual;
2010/10/05 09:08:27.0156 ================================================================================
2010/10/05 09:08:43.0859 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\siside.sys. Real md5: 621efc0f6bf3aa088af6bb0fa303243b, Fake md5: b4485881bd8aed9b157a2e6cf43c2d51
2010/10/05 09:08:43.0875 SiSide - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/10/05 09:08:50.0406 ================================================================================
2010/10/05 09:08:50.0406 Scan finished
2010/10/05 09:08:50.0406 ================================================================================
2010/10/05 09:08:50.0437 Detected object count: 1
2010/10/05 09:09:33.0953 SiSide (621efc0f6bf3aa088af6bb0fa303243b) C:\WINDOWS\system32\DRIVERS\siside.sys
2010/10/05 09:09:33.0953 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\siside.sys. Real md5: 621efc0f6bf3aa088af6bb0fa303243b, Fake md5: b4485881bd8aed9b157a2e6cf43c2d51
2010/10/05 09:09:35.0015 Backup copy found, using it..
2010/10/05 09:09:35.0062 C:\WINDOWS\system32\DRIVERS\siside.sys - will be cured after reboot
2010/10/05 09:09:35.0062 Rootkit.Win32.TDSS.tdl3(SiSide) - User select action: Cure
2010/10/05 09:09:41.0796 Deinitialize success
Error: Unable to interpret <netsvcs> in the current context!
Error: Unable to interpret <msconfig> in the current context!
Error: Unable to interpret <safebootminimal> in the current context!
Error: Unable to interpret <safebootnetwork> in the current context!
Error: Unable to interpret <activex> in the current context!
Error: Unable to interpret <drivers32> in the current context!
Error: Unable to interpret <%ALLUSERSPROFILE%\Application Data\*.> in the current context!
Error: Unable to interpret <%ALLUSERSPROFILE%\Application Data\*.exe /s> in the current context!
Error: Unable to interpret <%APPDATA%\*.> in the current context!
Error: Unable to interpret <%APPDATA%\*.exe /s> in the current context!
Error: Unable to interpret <%SYSTEMDRIVE%\*.exe> in the current context!
Error: Unable to interpret </md5start> in the current context!
Error: Unable to interpret <themeui.dll> in the current context!
Error: Unable to interpret <beep.sys> in the current context!
Error: Unable to interpret <userinit.exe> in the current context!
Error: Unable to interpret <eventlog.dll> in the current context!
Error: Unable to interpret <scecli.dll> in the current context!
Error: Unable to interpret <netlogon.dll> in the current context!
Error: Unable to interpret <cngaudit.dll> in the current context!
Error: Unable to interpret <sceclt.dll> in the current context!
Error: Unable to interpret <ntelogon.dll> in the current context!
Error: Unable to interpret <logevent.dll> in the current context!
Error: Unable to interpret <iaStor.sys> in the current context!
Error: Unable to interpret <nvstor.sys> in the current context!
Error: Unable to interpret <atapi.sys> in the current context!
Error: Unable to interpret <IdeChnDr.sys> in the current context!
Error: Unable to interpret <viasraid.sys> in the current context!
Error: Unable to interpret <AGP440.sys> in the current context!
Error: Unable to interpret <vaxscsi.sys> in the current context!
Error: Unable to interpret <nvatabus.sys> in the current context!
Error: Unable to interpret <viamraid.sys> in the current context!
Error: Unable to interpret <nvata.sys> in the current context!
Error: Unable to interpret <nvgts.sys> in the current context!
Error: Unable to interpret <iastorv.sys> in the current context!
Error: Unable to interpret <ViPrt.sys> in the current context!
Error: Unable to interpret <eNetHook.dll> in the current context!
Error: Unable to interpret <ahcix86.sys> in the current context!
Error: Unable to interpret <KR10N.sys> in the current context!
Error: Unable to interpret <nvstor32.sys> in the current context!
Error: Unable to interpret <ahcix86s.sys> in the current context!
Error: Unable to interpret </md5stop> in the current context!
Error: Unable to interpret <%systemroot%\system32\drivers\*.sys /lockedfiles> in the current context!
Error: Unable to interpret <%systemroot%\System32\config\*.sav> in the current context!
Error: Unable to interpret <%systemroot%\*. /mp /s> in the current context!
Error: Unable to interpret <%systemroot%\system32\*.dll /lockedfiles> in the current context!
Error: Unable to interpret <CREATERESTOREPOINT> in the current context!

OTL by OldTimer - Version 3.2.14.1 log created on 10052010_091423

Edited by Irelanda, 04 October 2010 - 06:33 PM.


#6 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 04 October 2010 - 08:14 PM

Let's give one more try to running a special scan with OTL.

Please close any of your open windows/programs and exit, saving any open work you have.
I'd like to have you do a special run of OTL to generate some searches & a new log-report.
  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    *****************************************************************
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    siside.sys
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

    *****************************************************************
  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser window(s) that may be open.
  • Using your mouse, click on Run Scan.
  • The scan won't take long.
    When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt.
    These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of just OTL.txt.




~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
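The custom scan requested above produces one line per service or driver (the reply that follows shows the full output). As an added example, not part of this thread and not OldTimer's code, here is a small Python helper that parses those SRV/DRV lines into records and lists the two things a responder checks first when a rootkit is suspected: entries whose file is no longer on disk, and boot- or system-start drivers whose on-disk timestamp falls within a few days of the scan (the same kind of entry the custom scan above singles out for an MD5 check with siside.sys). The sample lines are copied from the OTL log posted later in this thread; the regular expressions, the 7-day window, and the function and class names are my own choices.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# The two line shapes OTL uses for services (SRV) and drivers (DRV):
#   DRV - [date time | size | attrs | M] (Company) [Type | Start | State] -- path -- (Name)
#   DRV - File not found [Type | Start | State] -- path -- (Name)
# SRV lines look the same but carry only [Start | State] inside the second bracket.
FOUND_RE = re.compile(
    r"^(?P<kind>DRV|SRV) - \[(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| [A-Z]\] \((?P<company>.*?)\) "
    r"\[(?P<flags>[^\]]*)\] -- (?P<path>.*?) -- \((?P<name>[^)]*)\)"
)
MISSING_RE = re.compile(
    r"^(?P<kind>DRV|SRV) - File not found \[(?P<flags>[^\]]*)\] -- (?P<path>.*?) -- \((?P<name>[^)]*)\)"
)


@dataclass
class Entry:
    kind: str                       # "DRV" or "SRV"
    name: str                       # service name as registered, e.g. SiSide
    path: str                       # image path recorded in the registry
    present: bool                   # False when OTL printed "File not found"
    start: str                      # Boot / System / Auto / On_Demand
    state: str                      # Running / Stopped
    company: str = ""               # version-resource company string OTL read from the file
    size: int = 0                   # file size in bytes
    modified: Optional[datetime] = None  # file modification time reported by OTL


def parse_line(line: str) -> Optional[Entry]:
    """Turn one OTL SRV/DRV line into an Entry; return None for any other line."""
    m = FOUND_RE.match(line)
    if m:
        flags = [f.strip() for f in m.group("flags").split("|")]
        return Entry(
            kind=m.group("kind"), name=m.group("name"), path=m.group("path"),
            present=True, start=flags[-2], state=flags[-1],
            company=m.group("company"),
            size=int(m.group("size").replace(",", "")),
            modified=datetime.strptime(m.group("date") + " " + m.group("time"),
                                       "%Y/%m/%d %H:%M:%S"),
        )
    m = MISSING_RE.match(line)
    if m:
        flags = [f.strip() for f in m.group("flags").split("|")]
        return Entry(kind=m.group("kind"), name=m.group("name"), path=m.group("path"),
                     present=False, start=flags[-2], state=flags[-1])
    return None


def parse_otl(text: str) -> List[Entry]:
    """Parse every SRV/DRV line in an OTL log; headers and other lines are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def triage(entries: List[Entry], scan_time: datetime,
           recent_days: int = 7) -> List[Tuple[Entry, str]]:
    """Flag orphaned service entries and early-start drivers modified shortly before the scan."""
    findings = []
    for e in entries:
        if not e.present:
            findings.append((e, "registered but file not found on disk"))
        elif (e.kind == "DRV" and e.start in ("Boot", "System") and e.modified is not None
              and timedelta(0) <= scan_time - e.modified <= timedelta(days=recent_days)):
            findings.append((e, f"{e.start}-start driver modified within {recent_days} days of the scan"))
    return findings


# Sample lines copied from the OTL log posted in this thread; the header line is included
# to show that non-entry lines are ignored.
SAMPLE_LOG = r"""
========== Driver Services (SafeList) ==========
DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\DRIVERS\SiSRaid.sys -- (SiSRaid)
DRV - [2010/10/05 09:10:57 | 000,004,096 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\siside.sys -- (SiSide)
DRV - [2010/06/04 03:54:06 | 000,746,216 | ---- | M] (Computer Associates International, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\vetefile.sys -- (VETEFILE)
DRV - [2008/06/27 09:52:02 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PCASp50.sys -- (PCASp50)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\mspmspsv.dll -- (WmdmPmSp)
SRV - [2010/06/11 20:02:23 | 000,238,928 | ---- | M] (CA, Inc.) [Auto | Running] -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe -- (VETMSGNT)
"""
SCAN_TIME = datetime(2010, 10, 5, 12, 13, 31)   # "OTL logfile created on" in the posted log

if __name__ == "__main__":
    for entry, reason in triage(parse_otl(SAMPLE_LOG), SCAN_TIME):
        print(f"{entry.kind} {entry.name:<10} {entry.path}  <- {reason}")
```

A flagged entry is a lead, not a verdict: a boot-start driver with a fresh timestamp is exactly what the /md5start ... /md5stop directive above is for, and a "File not found" service can be either a leftover from a removed product or a remnant of a cleanup tool, so each one still has to be checked against the rest of the log.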

#7 Irelanda

Irelanda
  • Topic Starter

  • Members
  • 7 posts

Posted 04 October 2010 - 09:16 PM

Maurice

Sorry, I must have run a Run/Fix, not a Run/Scan, per your instructions for the second OTL run.

OTL logfile created on: 5/10/2010 12:13:31 PM - Run 2
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\Jackaroo Motor Inn\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

959.00 Mb Total Physical Memory | 477.00 Mb Available Physical Memory | 50.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 99.70 Gb Free Space | 89.18% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WENDY
Current User Name: Jackaroo Motor Inn
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/10/05 08:04:46 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jackaroo Motor Inn\Desktop\OTL.exe
PRC - [2010/09/28 18:16:20 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/06/11 20:02:23 | 000,238,928 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
PRC - [2010/06/11 20:02:23 | 000,226,640 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
PRC - [2009/08/13 22:03:34 | 000,214,256 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
PRC - [2009/08/13 22:03:33 | 000,177,392 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
PRC - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2008/12/20 16:10:10 | 000,144,960 | ---- | M] (Computer Associates International, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
PRC - [2008/12/20 16:10:08 | 000,218,376 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
PRC - [2008/12/20 16:10:08 | 000,189,704 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/04 11:10:22 | 000,280,080 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe


========== Modules (SafeList) ==========

MOD - [2010/10/05 08:04:46 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jackaroo Motor Inn\Desktop\OTL.exe
MOD - [2008/04/14 05:41:52 | 000,060,416 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cabinet.dll
MOD - [2008/04/14 05:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\mspmspsv.dll -- (WmdmPmSp)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/06/11 20:02:23 | 000,238,928 | ---- | M] (CA, Inc.) [Auto | Running] -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe -- (VETMSGNT)
SRV - [2009/08/13 22:03:34 | 000,214,256 | ---- | M] (CA, Inc.) [On_Demand | Running] -- C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe -- (CaCCProvSP)
SRV - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2008/12/20 16:10:10 | 000,144,960 | ---- | M] (Computer Associates International, Inc.) [Auto | Running] -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe -- (CAISafe)
SRV - [2008/12/20 16:10:08 | 000,189,704 | ---- | M] (CA, Inc.) [On_Demand | Running] -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe -- (PPCtlPriv)
SRV - [2007/01/04 11:10:22 | 000,280,080 | ---- | M] (CA, Inc.) [Auto | Running] -- C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe -- (ITMRTSVC)
SRV - [2004/03/18 15:55:48 | 000,065,536 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\DRIVERS\SiSRaid.sys -- (SiSRaid)
DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\sisperf.sys -- (sisperf)
DRV - File not found [File_System | Boot | Stopped] -- C:\WINDOWS\System32\drivers\sisidex.sys -- (sisidex)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\sdcplh.sys -- (sdcplh)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\1C.tmp -- (MEMSWEEP2)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Irelanda\catchme.sys -- (catchme)
DRV - [2010/10/05 09:10:57 | 000,004,096 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\siside.sys -- (SiSide)
DRV - [2010/06/04 03:54:06 | 000,746,216 | ---- | M] (Computer Associates International, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\vetefile.sys -- (VETEFILE)
DRV - [2010/06/04 03:54:06 | 000,130,280 | ---- | M] (Computer Associates International, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\veteboot.sys -- (VETEBOOT)
DRV - [2009/12/02 06:58:55 | 000,032,240 | ---- | M] (Computer Associates International, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\vetmonnt.sys -- (VETMONNT)
DRV - [2009/12/02 06:58:55 | 000,026,352 | ---- | M] (Computer Associates International, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\vet-filt.sys -- (VET-FILT)
DRV - [2009/12/02 06:58:55 | 000,021,488 | ---- | M] (Computer Associates International, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\vetfddnt.sys -- (VETFDDNT)
DRV - [2009/12/02 06:58:55 | 000,021,104 | ---- | M] (Computer Associates International, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\vet-rec.sys -- (VET-REC)
DRV - [2008/08/22 20:56:28 | 000,007,680 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\massfilter.sys -- (massfilter)
DRV - [2008/06/27 09:52:02 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PCASp50.sys -- (PCASp50)
DRV - [2008/05/02 09:58:14 | 000,020,864 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmbo.sys -- (nmwcdc)
DRV - [2008/05/02 09:58:12 | 000,017,536 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmb.sys -- (nmwcd)
DRV - [2008/04/13 23:53:36 | 000,606,684 | ---- | M] (LT) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ltmdmnt.sys -- (ltmodem5)
DRV - [2006/09/09 19:31:39 | 000,030,988 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2004/12/17 17:58:59 | 000,028,005 | ---- | M] (Efficient Networks, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\enethusb.sys -- (ENETHUSB)
DRV - [2004/08/05 17:58:14 | 000,220,672 | R--- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
DRV - [2004/08/05 17:57:56 | 000,012,416 | R--- | M] (Silicon Integrated Systems Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srvkp.sys -- (SiSkp)
DRV - [2004/08/02 23:09:18 | 000,635,281 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/04/14 05:46:42 | 000,041,344 | R--- | M] (CodeMachine Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\kwusb2k.sys -- (kwkxusb)
DRV - [2004/03/08 11:55:50 | 000,013,567 | ---- | M] (B.H.A Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\CDRBSDRV.SYS -- (cdrbsdrv)
DRV - [2004/02/24 13:08:52 | 000,400,384 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2003/12/17 08:50:00 | 000,070,801 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LMouFlt2.Sys -- (LMouFlt2)
DRV - [2003/12/17 08:50:00 | 000,051,729 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\L8042pr2.Sys -- (L8042pr2)
DRV - [2003/12/17 08:50:00 | 000,037,887 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHIDUSB.SYS -- (LHidUsb)
DRV - [2003/12/17 08:50:00 | 000,025,505 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHIDFLT2.SYS -- (LHidFlt2)
DRV - [2003/07/18 11:58:20 | 000,036,992 | R--- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SISAGPX.sys -- (SISAGP)
DRV - [2003/01/29 15:12:02 | 000,007,818 | ---- | M] (BTC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Maestro1.sys -- (KeyMaestro)
DRV - [2002/07/11 01:39:34 | 000,032,256 | R--- | M] (SiS Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sisnic.sys -- (SISNIC)
DRV - [2002/04/19 12:18:02 | 001,114,432 | R--- | M] (Agere Systems) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2001/08/17 12:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/09/29 11:30:31 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/09/28 18:16:34 | 000,000,000 | ---D | M]

[2010/09/17 16:04:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\Mozilla\Extensions
[2010/10/05 09:17:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\Mozilla\Firefox\Profiles\x8t5wh7w.default\extensions
[2010/10/04 12:59:48 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\Mozilla\Firefox\Profiles\x8t5wh7w.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/10/05 09:17:35 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2006/09/30 13:21:00 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/09/28 18:16:26 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/09/28 18:16:26 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/09/28 18:16:26 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/09/28 18:16:26 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/10/05 08:54:43 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (BigPond Wireless Broadband 2.0 Auto Dial) - {DB92EC3F-697D-4C3B-9A3B-3ABBD23D4A85} - C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\bpwbb2ad.dll (Telstra)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll File not found
O4 - HKLM..\Run: [CAVRID] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe (CA, Inc.)
O4 - HKLM..\Run: [cctray] C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe (CA, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\System32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\System32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\System32\VetRedir.dll (Computer Associates International, Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/D/0...D0C/wmv9dmo.cab (Reg Error: Key error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Jackaroo Motor Inn\My Documents\My Pictures\jackaroo.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jackaroo Motor Inn\My Documents\My Pictures\jackaroo.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/01/13 12:23:19 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - C:\WINDOWS\System32\mspmspsv.dll File not found

MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe - (Adobe Systems Incorporated)
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe - (Hewlett-Packard Co.)
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe - (Hewlett-Packard Co.)
MsConfig - StartUpReg: BigPondWirelessBroadbandCM - hkey= - key= - C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe (Telstra)
MsConfig - StartUpReg: HP Component Manager - hkey= - key= - C:\Program Files\HP\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
MsConfig - StartUpReg: HP Software Update - hkey= - key= - C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Company)
MsConfig - StartUpReg: LanguageShortcut - hkey= - key= - C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
MsConfig - StartUpReg: Malwarebytes Anti-Malware (reboot) - hkey= - key= - C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
MsConfig - StartUpReg: RemoteControl - hkey= - key= - C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
MsConfig - StartUpReg: SoundMan - hkey= - key= - C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

SafeBootMin: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: klmdb.sys - Driver
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: klmdb.sys - Driver
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {1a3e09be-1e45-494b-9174-d7385b45bbf5} - Reg Error: Value error.
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Microsoft VM
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608555} - Internet Explorer Classes for Java
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Macromedia Shockwave Director 10.1.1
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Macromedia Shockwave Director 10.1.1
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4b218e3e-bc98-4770-93d3-2731b9329278} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - %SystemRoot%\system32\ie4uinit.exe
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Macromedia Shockwave Flash
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.LEAD - LCODCCMP.DLL File not found
Drivers32: wave1 - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010/10/05 09:08:19 | 001,325,656 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Jackaroo Motor Inn\Desktop\TDSSKiller.exe
[2010/10/05 08:54:51 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/10/05 08:54:40 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/10/05 08:52:06 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jackaroo Motor Inn\Desktop\OTL.exe
[2010/10/04 12:16:01 | 000,000,000 | ---D | C] -- C:\Avenger
[2010/10/04 12:07:40 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/09/29 13:33:40 | 000,000,000 | --SD | C] -- C:\WINDOWS\Cookies
[2010/09/29 13:31:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/09/29 13:06:52 | 000,073,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sr.vir
[2010/09/29 13:02:05 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/09/29 11:16:36 | 000,242,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\scedll.dll
[2010/09/29 11:16:36 | 000,049,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\SeCEdit.exe
[2010/09/29 11:16:36 | 000,029,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\Rshx32_5.dll
[2010/09/29 11:16:33 | 000,384,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wsecedit.dll
[2010/09/28 22:13:17 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010/09/28 18:08:38 | 000,000,000 | ---D | C] -- C:\Program Files\CleanUp!
[2010/09/28 14:12:55 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2010/09/28 13:18:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/09/28 12:56:48 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/09/24 13:25:31 | 000,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2010/09/24 13:13:28 | 000,021,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\hidserv.dll
[2010/09/17 21:45:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2010/09/17 21:30:24 | 001,306,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml6.dll
[2010/09/17 21:30:24 | 000,079,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml6r.dll
[2010/09/17 21:30:19 | 000,380,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\irprops.cpl
[2010/09/17 21:30:17 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\verclsid.exe
[2010/09/17 21:14:28 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
[2010/09/17 17:52:58 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/09/17 16:10:38 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/09/17 16:07:28 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/09/17 16:07:28 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/09/17 16:07:28 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/09/17 16:07:28 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/09/17 16:07:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/09/17 16:05:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jackaroo Motor Inn\My Documents\Downloads
[2010/09/17 16:03:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jackaroo Motor Inn\Local Settings\Application Data\Mozilla
[2010/09/17 16:03:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\Mozilla
[2010/09/17 14:47:38 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/09/17 14:47:29 | 000,019,288 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/09/17 14:47:28 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/09/17 14:12:57 | 000,156,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\winzm.ime
[2010/09/17 14:12:56 | 000,156,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\winsp.ime
[2010/09/17 14:12:56 | 000,156,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\winpy.ime
[2010/09/17 14:12:55 | 000,065,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\winime.ime
[2010/09/17 14:12:54 | 000,079,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\winar30.ime
[2010/09/17 14:12:54 | 000,072,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wingb.ime
[2010/09/17 14:12:51 | 000,041,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\weitekp9.dll
[2010/09/17 14:12:51 | 000,031,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\weitekp9.sys
[2010/09/17 14:12:46 | 000,048,256 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\w32.dll
[2010/09/17 14:12:45 | 000,426,041 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\voicepad.dll
[2010/09/17 14:12:45 | 000,086,073 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\voicesub.dll
[2010/09/17 14:12:37 | 000,076,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\uniime.dll
[2010/09/17 14:12:37 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\unicdime.ime
[2010/09/17 14:12:35 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tsprof.exe
[2010/09/17 14:12:32 | 000,455,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tintsetp.exe
[2010/09/17 14:12:32 | 000,044,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tintlphr.exe
[2010/09/17 14:12:32 | 000,010,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tmigrate.dll
[2010/09/17 14:12:31 | 000,571,392 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tintlgnt.ime
[2010/09/17 14:12:30 | 000,185,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\thawbrkr.dll
[2010/09/17 14:12:29 | 000,019,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tdspx.sys
[2010/09/17 14:12:28 | 000,021,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tdipx.sys
[2010/09/17 14:12:28 | 000,013,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tdasync.sys
[2010/09/17 14:12:21 | 000,101,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\srusbusd.dll
[2010/09/17 14:12:18 | 000,143,422 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\softkey.dll
[2010/09/17 14:12:16 | 000,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_snprfdll.dll
[2010/09/17 14:12:15 | 000,010,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\snmpstup.dll
[2010/09/17 14:12:12 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_smtpctrs.dll
[2010/09/17 14:12:11 | 000,009,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_smtpapi.dll
[2010/09/17 14:12:11 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\smimsgif.dll
[2010/09/17 14:12:10 | 000,015,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\smierrsm.dll
[2010/09/17 14:12:10 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\smierrsy.dll
[2010/09/17 14:12:09 | 000,038,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm9aw.dll
[2010/09/17 14:12:09 | 000,031,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\smb6w.dll
[2010/09/17 14:12:09 | 000,031,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sma3w.dll
[2010/09/17 14:12:09 | 000,026,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm93w.dll
[2010/09/17 14:12:08 | 000,029,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm8cw.dll
[2010/09/17 14:12:08 | 000,026,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm92w.dll
[2010/09/17 14:12:08 | 000,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm90w.dll
[2010/09/17 14:12:08 | 000,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm8dw.dll
[2010/09/17 14:12:08 | 000,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm8aw.dll
[2010/09/17 14:12:07 | 000,030,208 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm87w.dll
[2010/09/17 14:12:07 | 000,030,208 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm81w.dll
[2010/09/17 14:12:07 | 000,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm89w.dll
[2010/09/17 14:12:07 | 000,025,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm59w.dll
[2010/09/17 14:12:05 | 000,018,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\simptcp.dll
[2010/09/17 14:11:58 | 000,205,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_seo.dll
[2010/09/17 14:11:58 | 000,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_seos.dll
[2010/09/17 14:11:57 | 000,057,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_scripto.dll
[2010/09/17 14:11:54 | 000,079,872 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rwia330.dll
[2010/09/17 14:11:54 | 000,079,872 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rwia001.dll
[2010/09/17 14:11:54 | 000,009,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_rwnh.dll
[2010/09/17 14:11:50 | 000,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\romanime.ime
[2010/09/17 14:11:48 | 000,023,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_regtrace.exe
[2010/09/17 14:11:47 | 000,014,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\register.exe
[2010/09/17 14:11:43 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\quser.exe
[2010/09/17 14:11:42 | 000,077,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\quick.ime
[2010/09/17 14:11:41 | 000,009,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\query.exe
[2010/09/17 14:11:37 | 000,131,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pmxviceo.dll
[2010/09/17 14:11:37 | 000,011,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pmxmcro.dll
[2010/09/17 14:11:37 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pmxgl.dll
[2010/09/17 14:11:36 | 000,067,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pmigrate.dll
[2010/09/17 14:11:35 | 000,482,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pintlgnt.ime
[2010/09/17 14:11:35 | 000,070,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pintlphr.exe
[2010/09/17 14:11:34 | 000,053,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pintlcsd.dll
[2010/09/17 14:11:33 | 000,079,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\phon.ime
[2010/09/17 14:11:32 | 000,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\padrs804.dll
[2010/09/17 14:11:31 | 000,036,927 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\padrs411.dll
[2010/09/17 14:11:31 | 000,015,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\padrs404.dll
[2010/09/17 14:11:31 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\padrs412.dll
[2010/09/17 14:11:20 | 000,038,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_ntfsdrv.dll
[2010/09/17 14:11:12 | 000,229,439 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\multibox.dll
[2010/09/17 14:11:00 | 001,875,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msir3jp.lex
[2010/09/17 14:11:00 | 000,098,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msir3jp.dll
[2010/09/17 14:10:46 | 000,092,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mga.sys
[2010/09/17 14:10:46 | 000,092,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mga.dll
[2010/09/17 14:10:44 | 000,065,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_mailmsg.dll
[2010/09/17 14:10:39 | 000,070,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\korwbrkr.dll
[2010/09/17 14:10:37 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdvntc.dll
[2010/09/17 14:10:37 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdusa.dll
[2010/09/17 14:10:37 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdurdu.dll
[2010/09/17 14:10:36 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdth3.dll
[2010/09/17 14:10:36 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdth2.dll
[2010/09/17 14:10:35 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdth1.dll
[2010/09/17 14:10:35 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdth0.dll
[2010/09/17 14:10:34 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdsyr2.dll
[2010/09/17 14:10:34 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdsyr1.dll
[2010/09/17 14:10:33 | 000,009,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdnecat.dll
[2010/09/17 14:10:33 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdnecnt.dll
[2010/09/17 14:10:33 | 000,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdnec95.dll
[2010/09/17 14:10:32 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdintel.dll
[2010/09/17 14:10:31 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdinpun.dll
[2010/09/17 14:10:31 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdintam.dll
[2010/09/17 14:10:30 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdinmar.dll
[2010/09/17 14:10:30 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdinkan.dll
[2010/09/17 14:10:29 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdinhin.dll
[2010/09/17 14:10:29 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdinguj.dll
[2010/09/17 14:10:29 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdindev.dll
[2010/09/17 14:10:28 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdheb.dll
[2010/09/17 14:10:27 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdfa.dll
[2010/09/17 14:10:27 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdgeo.dll
[2010/09/17 14:10:26 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbddiv2.dll
[2010/09/17 14:10:26 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbddiv1.dll
[2010/09/17 14:10:25 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbda3.dll
[2010/09/17 14:10:25 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdarmw.dll
[2010/09/17 14:10:25 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdarme.dll
[2010/09/17 14:10:24 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbda2.dll
[2010/09/17 14:10:24 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbda1.dll
[2010/09/17 14:10:23 | 000,018,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jupiw.dll
[2010/09/17 14:10:23 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd101a.dll
[2010/09/17 14:10:17 | 000,315,455 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imskf.dll
[2010/09/17 14:10:15 | 000,471,102 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imskdic.dll
[2010/09/17 14:10:15 | 000,102,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imlang.dll
[2010/09/17 14:10:14 | 000,274,489 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imjputyc.dll
[2010/09/17 14:10:14 | 000,262,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imjputy.exe
[2010/09/17 14:10:14 | 000,059,904 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imkrinst.exe
[2010/09/17 14:10:14 | 000,045,109 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imjpuex.exe
[2010/09/17 14:10:13 | 000,233,527 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imjprw.exe
[2010/09/17 14:10:13 | 000,208,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imjpmig.exe
[2010/09/17 14:10:12 | 000,307,257 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imjpdct.exe
[2010/09/17 14:10:12 | 000,155,705 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imjpdsvr.exe
[2010/09/17 14:10:11 | 000,716,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imjpcus.dll
[2010/09/17 14:10:11 | 000,368,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imjpcic.dll
[2010/09/17 14:10:11 | 000,081,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imjpdct.dll
[2010/09/17 14:10:11 | 000,057,398 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imjpdadm.exe
[2010/09/17 14:10:10 | 000,811,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imjp81k.dll
[2010/09/17 14:10:09 | 000,340,023 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imjp81.ime
[2010/09/17 14:10:09 | 000,311,359 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imepadsv.exe
[2010/09/17 14:10:09 | 000,102,463 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imepadsm.dll
[2010/09/17 14:10:08 | 000,106,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imekrcic.dll
[2010/09/17 14:10:08 | 000,094,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imekr61.ime
[2010/09/17 14:10:08 | 000,086,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imekrmbx.dll
[2010/09/17 14:10:08 | 000,044,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imekrmig.exe
[2010/09/17 14:10:00 | 010,129,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\hwxkor.dll
[2010/09/17 14:09:47 | 010,096,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\hwxcht.dll
[2010/09/17 14:09:43 | 000,036,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\hanjadic.dll
[2010/09/17 14:09:39 | 000,011,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxssend.exe
[2010/09/17 14:09:38 | 000,031,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxsroute.dll
[2010/09/17 14:09:36 | 000,132,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxsclntr.dll
[2010/09/17 14:09:35 | 000,111,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxscfgwz.dll
[2010/09/17 14:09:34 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ftlx041e.dll
[2010/09/17 14:09:31 | 000,014,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\flattemp.exe
[2010/09/17 14:09:30 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_fcachdll.dll
[2010/09/17 14:09:27 | 000,057,856 | ---- | C] (SEIKO EPSON CORP.) -- C:\WINDOWS\System32\dllcache\esuimgd.dll
[2010/09/17 14:09:27 | 000,045,056 | ---- | C] (SEIKO EPSON CORP.) -- C:\WINDOWS\System32\dllcache\esunid.dll
[2010/09/17 14:09:27 | 000,031,744 | ---- | C] (SEIKO EPSON CORP.) -- C:\WINDOWS\System32\dllcache\esucmd.dll
[2010/09/17 14:09:27 | 000,025,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\et4000.sys
[2010/09/17 14:09:14 | 000,078,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dayi.ime
[2010/09/17 14:09:10 | 000,057,399 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cplexe.exe
[2010/09/17 14:09:10 | 000,018,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cprofile.exe
[2010/09/17 14:09:05 | 000,480,256 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cintsetp.exe
[2010/09/17 14:09:05 | 000,198,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cintime.dll
[2010/09/17 14:09:05 | 000,021,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cintlgnt.ime
[2010/09/17 14:09:03 | 000,097,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\chtmbx.dll
[2010/09/17 14:09:03 | 000,056,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\chtskdic.dll
[2010/09/17 14:09:02 | 000,838,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\chtbrkr.dll
[2010/09/17 14:09:01 | 001,677,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\chsbrkr.dll
[2010/09/17 14:09:00 | 000,015,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\chgport.exe
[2010/09/17 14:09:00 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\chgusr.exe
[2010/09/17 14:08:59 | 000,078,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\chajei.ime
[2010/09/17 14:08:59 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\chglogon.exe
[2010/09/17 14:08:59 | 000,009,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\change.exe
[2010/09/17 14:08:56 | 000,054,528 | ---- | C] (Philips Semiconductors GmbH) -- C:\WINDOWS\System32\dllcache\cap7146.sys
[2010/09/17 14:08:55 | 000,010,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\c_iscii.dll
[2010/09/17 14:08:55 | 000,006,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\c_is2022.dll
[2010/09/17 14:08:35 | 000,312,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_aqueue.dll
[2010/09/17 14:08:34 | 000,045,056 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_aqadmin.dll
[2010/09/17 14:08:30 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_adsiisex.dll
[2010/09/17 14:08:19 | 002,134,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_smtpsnap.dll
[2010/09/17 14:08:19 | 000,175,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_smtpadm.dll
[2010/09/17 14:02:32 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\safrslv.dll
[2010/09/17 14:02:32 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\safrcdlg.dll
[2010/09/17 14:02:32 | 000,029,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\safrdm.dll
[2010/09/17 14:02:31 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\racpldlg.dll
[2010/09/17 14:02:29 | 000,032,768 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\isrdbg32.dll
[2010/09/17 14:02:27 | 000,048,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\inetres.dll
[2010/09/17 14:02:25 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\isign32.dll
[2010/09/17 14:02:25 | 000,073,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\icwdial.dll
[2010/09/17 14:02:25 | 000,065,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\icwphbk.dll
[2010/09/17 14:02:24 | 000,274,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\inetcfg.dll
[2010/09/17 14:02:23 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\trialoc.dll
[2010/09/17 14:02:22 | 000,061,440 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\icwres.dll
[2010/09/17 14:02:21 | 000,073,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\icwtutor.exe
[2010/09/17 14:02:21 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\isignup.exe
[2010/09/17 14:02:11 | 000,520,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmpvis.dll
[2010/09/17 14:02:11 | 000,294,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dlimport.exe
[2010/09/17 14:02:09 | 000,110,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmmfilt.dll
[2010/09/17 14:02:09 | 000,018,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qmgrprxy.dll
[2010/09/17 14:02:08 | 000,319,542 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmmres.dll
[2010/09/17 14:02:08 | 000,163,897 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmmutil.dll
[2010/09/17 14:01:59 | 000,239,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\srrstr.dll
[2010/09/17 14:01:58 | 000,226,816 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\npdrmv2.dll
[2010/09/17 14:01:58 | 000,010,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\npwmsdrm.dll
[2010/09/17 14:01:57 | 000,364,544 | ---- | C] (Microsoft Corporation (written by Digital Renaissance Inc.)) -- C:\WINDOWS\System32\dllcache\npdsplay.dll
[2010/09/17 14:01:57 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ils.dll
[2010/09/17 14:01:57 | 000,004,639 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mplayer2.exe
[2010/09/17 14:01:56 | 000,034,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mnmdd.dll
[2010/09/17 14:01:56 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\nmmkcert.dll
[2010/09/17 14:01:55 | 000,069,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msconf.dll
[2010/09/17 14:01:50 | 000,252,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msoeacct.dll
[2010/09/17 14:01:50 | 000,105,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msoert2.dll
[2010/09/17 14:01:47 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mstinit.exe
[2010/09/17 13:59:43 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\accwiz.exe
[2010/09/17 13:59:43 | 000,068,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\access.cpl
[2010/09/17 13:59:42 | 000,347,136 | ---- | C] (Hilgraeve, Inc.) -- C:\WINDOWS\System32\hypertrm.dll
[2010/09/17 13:59:42 | 000,131,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\sndrec32.exe
[2010/09/17 13:59:41 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdshost.exe
[2010/09/17 13:59:41 | 000,019,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qprocess.exe
[2010/09/17 13:59:40 | 000,161,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msdtcuiu.dll
[2010/09/17 13:59:40 | 000,091,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mtxoci.dll
[2010/09/17 13:59:39 | 000,956,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msdtctm.dll
[2010/09/17 13:59:39 | 000,058,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msdtclog.dll
[2010/09/17 13:59:39 | 000,011,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xolehlp.dll
[2010/09/17 13:59:37 | 000,097,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comrepl.dll
[2010/09/17 13:59:37 | 000,060,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\colbact.dll
[2010/09/17 13:59:37 | 000,034,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mtxlegih.dll
[2010/09/17 13:59:37 | 000,030,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mtxdm.dll
[2010/09/17 13:59:37 | 000,028,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comaddin.dll
[2010/09/17 13:59:37 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dcomcnfg.exe
[2010/09/17 13:59:37 | 000,004,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mtxex.dll
[2010/09/17 13:59:36 | 000,539,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comuid.dll
[2010/09/17 13:59:36 | 000,226,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\catsrv.dll
[2010/09/17 13:59:36 | 000,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\clbcatex.dll
[2010/09/17 13:59:36 | 000,085,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\catsrvps.dll
[2010/09/17 13:59:36 | 000,059,392 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\stclient.dll
[2010/09/17 13:59:35 | 000,167,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comsnap.dll
[2010/09/17 13:59:27 | 000,056,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\servdeps.dll
[2010/09/17 13:59:27 | 000,017,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mmfutil.dll
[2010/09/17 13:59:26 | 000,185,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cmprops.dll
[2010/09/17 13:59:19 | 000,343,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mspaint.exe
[2010/09/17 13:59:19 | 000,123,392 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mplay32.exe
[2010/09/17 13:59:19 | 000,123,392 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mplay32.exe
[2010/09/17 13:59:19 | 000,102,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\clipbrd.exe
[2010/09/17 13:59:18 | 000,538,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spider.exe
[2010/09/17 13:59:16 | 000,093,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\tscfgwmi.dll
[2010/09/17 13:59:15 | 000,598,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mstscax.dll
[2010/09/17 13:59:15 | 000,388,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mstsc.exe
[2010/09/17 13:59:14 | 000,147,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdchost.dll
[2010/09/17 13:59:14 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\tscupgrd.exe
[2010/09/17 13:59:14 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tscupgrd.exe
[2010/09/17 13:59:14 | 000,013,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdsaddin.exe
[2010/09/17 13:59:13 | 000,087,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdpwsx.dll
[2010/09/17 13:59:13 | 000,062,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdpclip.exe
[2010/09/17 13:59:13 | 000,038,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cfgbkend.dll
[2010/09/17 13:59:13 | 000,019,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdpsnd.dll
[2010/09/17 13:59:13 | 000,011,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\icaapi.dll
[2010/09/17 13:59:12 | 000,625,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\catsrvut.dll
[2010/09/17 13:59:12 | 000,427,008 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msdtcprx.dll
[2010/09/17 13:59:11 | 001,267,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comsvcs.dll
[2010/09/17 13:59:01 | 000,058,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\licwmi.dll
[2010/09/17 13:53:33 | 000,606,684 | ---- | C] (LT) -- C:\WINDOWS\System32\drivers\ltmdmnt.sys
[2010/09/17 13:52:52 | 000,004,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ksuser.dll
[2010/09/17 13:52:51 | 000,129,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ksproxy.ax
[2010/09/17 13:49:12 | 000,146,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System\winspool.drv
[2010/09/17 13:49:12 | 000,024,661 | ---- | C] (Perle Systems Ltd.) -- C:\WINDOWS\System32\spxcoins.dll
[2010/09/17 13:49:12 | 000,024,661 | ---- | C] (Perle Systems Ltd.) -- C:\WINDOWS\System32\dllcache\spxcoins.dll
[2010/09/17 13:49:12 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\irclass.dll
[2010/09/17 13:49:12 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\irclass.dll
[2010/09/17 13:49:09 | 000,074,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\storprop.dll

========== Files - Modified Within 30 Days ==========

[2010/10/05 11:49:04 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/10/05 11:48:52 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/10/05 09:36:17 | 004,194,304 | -H-- | M] () -- C:\Documents and Settings\Jackaroo Motor Inn\NTUSER.DAT
[2010/10/05 09:36:17 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Jackaroo Motor Inn\ntuser.ini
[2010/10/05 09:36:07 | 004,835,406 | -H-- | M] () -- C:\Documents and Settings\Jackaroo Motor Inn\Local Settings\Application Data\IconCache.db
[2010/10/05 09:11:16 | 000,012,626 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/10/05 09:10:57 | 000,004,096 | ---- | M] (Silicon Integrated Systems Corp.) -- C:\WINDOWS\System32\drivers\siside.sys
[2010/10/05 08:54:43 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2010/10/05 08:04:48 | 001,325,656 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Jackaroo Motor Inn\Desktop\TDSSKiller.exe
[2010/10/05 08:04:46 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jackaroo Motor Inn\Desktop\OTL.exe
[2010/10/05 08:04:46 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\Jackaroo Motor Inn\Desktop\rkill.com
[2010/10/04 12:07:43 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Jackaroo Motor Inn\Desktop\NTREGOPT.lnk
[2010/10/04 12:07:42 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Jackaroo Motor Inn\Desktop\ERUNT.lnk
[2010/09/29 13:25:08 | 000,000,292 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/09/29 11:39:31 | 000,523,238 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/09/29 11:39:31 | 000,442,558 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/09/29 11:39:31 | 000,071,900 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/09/29 03:00:00 | 000,000,482 | ---- | M] () -- C:\WINDOWS\tasks\CAAntiSpywareScan_Daily as Jackaroo Motor Inn at 3 00 AM.job
[2010/09/28 14:13:17 | 000,030,304 | ---- | M] () -- C:\Documents and Settings\Jackaroo Motor Inn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/09/28 14:08:49 | 000,000,288 | ---- | M] () -- C:\Documents and Settings\Jackaroo Motor Inn\My Documents\backup.reg
[2010/09/28 13:27:34 | 000,000,655 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/09/28 13:27:34 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2010/09/24 14:12:57 | 000,146,808 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/09/24 13:25:45 | 000,000,020 | ---- | M] () -- C:\WINDOWS\.vir
[2010/09/24 09:52:46 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Jackaroo Motor Inn\defogger_reenable
[2010/09/17 21:48:15 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2010/09/17 21:46:50 | 000,004,696 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/09/17 21:21:47 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2010/09/17 21:21:46 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/09/17 16:04:17 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2010/09/17 16:03:46 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/09/17 16:03:46 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/09/17 14:49:11 | 000,711,168 | ---- | M] () -- C:\WINDOWS\is-5I10H.exe
[2010/09/17 14:49:11 | 000,010,562 | ---- | M] () -- C:\WINDOWS\is-5I10H.msg
[2010/09/17 14:49:11 | 000,000,399 | ---- | M] () -- C:\WINDOWS\is-5I10H.lst
[2010/09/17 14:47:44 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/17 14:22:54 | 000,012,626 | ---- | M] () -- C:\WINDOWS\System32\wpa.bak
[2010/09/17 14:13:59 | 000,000,302 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2010/09/17 14:06:15 | 000,025,065 | ---- | M] () -- C:\WINDOWS\System32\wmpscheme.xml
[2010/09/17 14:06:11 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2010/09/17 14:06:11 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2010/09/17 14:06:05 | 000,299,552 | ---- | M] () -- C:\WINDOWS\WMSysPrx.prx
[2010/09/17 14:05:28 | 000,004,161 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI
[2010/09/17 14:03:26 | 000,000,488 | RH-- | M] () -- C:\WINDOWS\System32\WindowsLogon.manifest
[2010/09/17 14:03:26 | 000,000,488 | RH-- | M] () -- C:\WINDOWS\System32\logonui.exe.manifest
[2010/09/17 14:03:13 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\System32\wuaucpl.cpl.manifest
[2010/09/17 14:03:13 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\WindowsShell.Manifest
[2010/09/17 14:03:13 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\System32\sapi.cpl.manifest
[2010/09/17 14:03:13 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\System32\nwc.cpl.manifest
[2010/09/17 14:03:13 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\System32\ncpa.cpl.manifest
[2010/09/17 14:03:13 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\System32\cdplayer.exe.manifest
[2010/09/17 14:01:07 | 000,023,444 | ---- | M] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/09/14 14:54:51 | 000,000,364 | ---- | M] () -- C:\WINDOWS\MYOBP.INI
[2010/09/14 14:25:29 | 000,000,039 | ---- | M] () -- C:\WINDOWS\MYOB.INI
[2010/09/13 15:52:34 | 000,012,186 | ---- | M] () -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\wklnhst.dat
[2010/09/13 15:52:34 | 000,011,264 | ---- | M] () -- C:\Documents and Settings\Jackaroo Motor Inn\My Documents\room invoice tavern.wps

========== Files Created - No Company Name ==========

[2010/10/05 08:52:22 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\Jackaroo Motor Inn\Desktop\rkill.com
[2010/10/04 12:07:43 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Jackaroo Motor Inn\Desktop\NTREGOPT.lnk
[2010/10/04 12:07:42 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Jackaroo Motor Inn\Desktop\ERUNT.lnk
[2010/09/28 14:08:49 | 000,000,288 | ---- | C] () -- C:\Documents and Settings\Jackaroo Motor Inn\My Documents\backup.reg
[2010/09/28 13:03:26 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Jackaroo Motor Inn\rnav_log.txt
[2010/09/24 09:52:46 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Jackaroo Motor Inn\defogger_reenable
[2010/09/17 16:10:41 | 000,245,920 | RHS- | C] () -- C:\cmldr
[2010/09/17 16:07:28 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/09/17 16:07:28 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/09/17 16:07:28 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/09/17 16:07:28 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/09/17 16:07:28 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/09/17 16:04:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/09/17 16:03:46 | 000,001,620 | ---- | C] () -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/09/17 16:03:46 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/09/17 14:49:11 | 000,711,168 | ---- | C] () -- C:\WINDOWS\is-5I10H.exe
[2010/09/17 14:49:11 | 000,010,562 | ---- | C] () -- C:\WINDOWS\is-5I10H.msg
[2010/09/17 14:49:11 | 000,000,399 | ---- | C] () -- C:\WINDOWS\is-5I10H.lst
[2010/09/17 14:47:44 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/17 14:22:55 | 000,012,626 | ---- | C] () -- C:\WINDOWS\System32\wpa.bak
[2010/09/17 14:11:34 | 000,175,104 | ---- | C] () -- C:\WINDOWS\System32\dllcache\pintlcsa.dll
[2010/09/17 14:10:39 | 001,158,818 | ---- | C] () -- C:\WINDOWS\System32\dllcache\korwbrkr.lex
[2010/09/17 14:10:15 | 000,059,392 | ---- | C] () -- C:\WINDOWS\System32\dllcache\imscinst.exe
[2010/09/17 14:10:12 | 000,196,665 | ---- | C] () -- C:\WINDOWS\System32\dllcache\imjpinst.exe
[2010/09/17 14:10:08 | 000,134,339 | ---- | C] () -- C:\WINDOWS\System32\dllcache\imekr.lex
[2010/09/17 14:09:53 | 013,463,552 | ---- | C] () -- C:\WINDOWS\System32\dllcache\hwxjpn.dll
[2010/09/17 14:09:43 | 000,108,827 | ---- | C] () -- C:\WINDOWS\System32\dllcache\hanja.lex
[2010/09/17 14:09:03 | 000,173,568 | ---- | C] () -- C:\WINDOWS\System32\dllcache\chtskf.dll
[2010/09/17 14:06:15 | 000,025,065 | ---- | C] () -- C:\WINDOWS\System32\wmpscheme.xml
[2010/09/17 14:06:05 | 000,299,552 | ---- | C] () -- C:\WINDOWS\WMSysPrx.prx
[2010/09/17 14:03:26 | 000,000,488 | RH-- | C] () -- C:\WINDOWS\System32\logonui.exe.manifest
[2010/09/17 14:03:13 | 000,000,749 | RH-- | C] () -- C:\WINDOWS\System32\wuaucpl.cpl.manifest
[2010/09/17 14:03:13 | 000,000,749 | RH-- | C] () -- C:\WINDOWS\WindowsShell.Manifest
[2010/09/17 14:03:13 | 000,000,749 | RH-- | C] () -- C:\WINDOWS\System32\sapi.cpl.manifest
[2010/09/17 14:03:13 | 000,000,749 | RH-- | C] () -- C:\WINDOWS\System32\ncpa.cpl.manifest
[2010/09/17 13:48:46 | 000,390,168 | ---- | C] () -- C:\WINDOWS\System32\dllcache\WFC.CAT
[2010/09/17 13:48:46 | 000,056,081 | ---- | C] () -- C:\WINDOWS\System32\dllcache\DAJAVAC.CAT
[2010/09/17 13:48:46 | 000,052,311 | ---- | C] () -- C:\WINDOWS\System32\dllcache\DX3.CAT
[2010/09/17 13:48:46 | 000,037,484 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MW770.CAT
[2010/09/17 13:48:46 | 000,022,151 | ---- | C] () -- C:\WINDOWS\System32\dllcache\TCLASSES.CAT
[2010/09/17 13:48:46 | 000,021,281 | ---- | C] () -- C:\WINDOWS\System32\dllcache\XMLDSOC.CAT
[2010/09/17 13:48:46 | 000,014,031 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MSJDBC.CAT
[2010/09/17 13:48:46 | 000,013,472 | ---- | C] () -- C:\WINDOWS\System32\dllcache\HPCRDP.CAT
[2010/09/17 13:48:46 | 000,008,574 | ---- | C] () -- C:\WINDOWS\System32\dllcache\IASNT4.CAT
[2010/09/17 13:48:46 | 000,007,382 | ---- | C] () -- C:\WINDOWS\System32\dllcache\OEMBIOS.CAT
[2010/09/17 13:48:45 | 000,797,189 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5IIS.CAT
[2010/09/17 13:48:45 | 000,657,548 | ---- | C] () -- C:\WINDOWS\System32\dllcache\CLASSES.CAT
[2010/09/17 13:48:45 | 000,399,645 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MAPIMIG.CAT
[2009/02/17 09:06:20 | 000,000,663 | ---- | C] () -- C:\WINDOWS\openrda.ini
[2008/12/21 12:45:02 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MSDraw.ini
[2008/12/07 13:46:39 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/09/28 09:24:04 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI
[2007/01/05 10:34:50 | 000,023,040 | ---- | C] () -- C:\Documents and Settings\Jackaroo Motor Inn\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/01/02 16:32:09 | 000,000,164 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/12/03 17:16:37 | 000,000,055 | ---- | C] () -- C:\WINDOWS\fls1.ini
[2006/05/28 12:35:29 | 000,000,031 | ---- | C] () -- C:\WINDOWS\JetBingo.ini
[2006/05/05 17:26:00 | 000,335,872 | ---- | C] () -- C:\WINDOWS\System32\ctreestd.dll
[2005/12/13 09:47:39 | 000,012,186 | ---- | C] () -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\wklnhst.dat
[2005/12/10 13:54:06 | 000,000,141 | ---- | C] () -- C:\Documents and Settings\Jackaroo Motor Inn\Local Settings\Application Data\fusioncache.dat
[2005/09/20 13:52:33 | 000,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2005/04/01 16:00:49 | 000,000,364 | ---- | C] () -- C:\WINDOWS\MYOBP.INI
[2005/04/01 16:00:49 | 000,000,039 | ---- | C] () -- C:\WINDOWS\MYOB.INI
[2005/03/30 18:33:03 | 000,000,112 | ---- | C] () -- C:\WINDOWS\ActiveSkin.INI
[2005/03/24 16:32:00 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/03/24 15:38:05 | 000,000,857 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2005/03/18 14:12:53 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/01/13 13:51:50 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2005/01/13 12:38:31 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2005/01/13 12:38:27 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2005/01/13 12:36:04 | 000,135,168 | R--- | C] () -- C:\WINDOWS\System32\IDEproperty.dll
[2005/01/13 12:33:22 | 000,106,346 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini
[2005/01/13 12:33:04 | 000,102,538 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
[2005/01/13 12:30:46 | 000,032,768 | ---- | C] () -- C:\WINDOWS\SIS_LIB.DLL
[2003/02/26 14:34:54 | 000,000,456 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2000/01/31 07:02:00 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\Wh2Robo.dll

========== Custom Scans ==========


< %ALLUSERSPROFILE%\Application Data\*. >
[2008/10/11 05:13:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2005/01/13 13:07:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ahead
[2008/12/20 16:03:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avg7
[2005/12/19 17:08:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BigPond
[2008/12/20 16:13:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA
[2009/11/23 18:40:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CyberLink
[2008/11/17 08:41:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google
[2005/03/24 15:55:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
[2009/11/21 20:35:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/09/24 13:27:22 | 000,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2010/08/15 09:16:22 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\MSEQS
[2007/01/30 17:16:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nokia
[2005/01/13 13:52:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBSI
[2010/09/28 13:18:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2007/02/04 13:01:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2006/05/04 13:45:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage

< %ALLUSERSPROFILE%\Application Data\*.exe /s >
[2010/09/17 14:48:21 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

< %APPDATA%\*. >
[2008/09/28 08:31:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\Adobe
[2006/01/17 13:47:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\AdobeAUM
[2008/10/11 05:11:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\AdobeUM
[2009/05/20 16:37:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\Ahead
[2009/11/23 18:42:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\CyberLink
[2006/10/16 15:46:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\Google
[2006/10/26 18:04:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\Help
[2005/01/13 12:28:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\Identities
[2006/01/17 13:42:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\Macromedia
[2009/11/21 20:35:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\Malwarebytes
[2009/07/11 06:07:09 | 000,000,000 | --SD | M] -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\Microsoft
[2010/09/17 16:04:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\Mozilla
[2008/11/17 08:40:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\MSNInstaller
[2006/02/18 15:06:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\Sun
[2005/12/13 09:47:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\Template

< %APPDATA%\*.exe /s >
[2007/01/30 06:15:49 | 021,277,080 | ---- | M] ( ) -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\Adobe\Acrobat\7.0\Updater\AdbeRdr709_en_US.exe
[2008/05/13 17:37:43 | 019,900,192 | ---- | M] ( ) -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\Adobe\Acrobat\7.0\Updater\AdbeRdr710_en_US.exe
[2006/12/03 16:19:24 | 000,008,854 | R--- | M] () -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\Microsoft\Installer\{FE56446F-8458-45D6-A117-8CD091D4E1E9}\NewShortcut2_1C7B7089989A424FB39D41A32581C775.exe
[2006/12/03 16:19:24 | 000,008,854 | R--- | M] () -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\Microsoft\Installer\{FE56446F-8458-45D6-A117-8CD091D4E1E9}\NewShortcut3_F30B5B541F7D4207BF3032ED8CAF6640.exe
[2006/12/03 16:19:24 | 000,458,752 | R--- | M] (InstallShield Software Corp.) -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\Microsoft\Installer\{FE56446F-8458-45D6-A117-8CD091D4E1E9}\NewShortcut8_5A7E1140CDA940A69B691550BCBDD867.exe
[2006/12/03 16:19:24 | 000,458,752 | R--- | M] (InstallShield Software Corp.) -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\Microsoft\Installer\{FE56446F-8458-45D6-A117-8CD091D4E1E9}\NewShortcut9_5A7E1140CDA940A69B691550BCBDD867.exe
[2006/12/03 16:19:24 | 000,008,854 | R--- | M] () -- C:\Documents and Settings\Jackaroo Motor Inn\Application Data\Microsoft\Installer\{FE56446F-8458-45D6-A117-8CD091D4E1E9}\Uninstall_Dev_OTI_Ho_6A364605F0D04FC7BCE8E27710F0D99F.exe

< %SYSTEMDRIVE%\*.exe >


< MD5 for: SISIDE.SYS >
[2003/03/25 17:50:46 | 000,004,096 | ---- | M] (Silicon Integrated Systems Corp.) MD5=B4485881BD8AED9B157A2E6CF43C2D51 -- C:\cmdcons\SISIDE.SYS
[2010/10/05 09:10:57 | 000,004,096 | ---- | M] (Silicon Integrated Systems Corp.) MD5=B4485881BD8AED9B157A2E6CF43C2D51 -- C:\WINDOWS\system32\drivers\siside.sys

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2010/09/17 23:38:20 | 000,524,288 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2010/09/14 17:01:21 | 000,262,144 | ---- | M] () -- C:\WINDOWS\system32\config\security.sav
[2010/09/17 23:38:20 | 025,690,112 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2010/09/17 23:38:20 | 008,126,464 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

========== Alternate Data Streams ==========

@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4B7BEAFF
< End of report >


#8 Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 05 October 2010 - 07:42 AM

Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs.
Do NOT turn off the firewall.

If you have a prior copy of Combofix, delete it now !

Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages.
It will display its "stage" within the Command prompt window. Do NOT panic if it seems slow to change! It has lots of work.
You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.
Combofix may take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on the speed of your system, how much there is to scan & how much it needs to clean.

If this is on a notebook system, make sure first that the notebook is connected to wall-power (AC power).


Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3

* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on Combo-Fix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of contents of C:\Combofix.txt


~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#9 Irelanda

  • Topic Starter
  • Members
  • 7 posts

Posted 05 October 2010 - 05:09 PM

Maurice

Log as follows

ComboFix 10-10-05.01 - Jackaroo Motor Inn 06/10/2010 7:43.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.460 [GMT 10:00]
Running from: c:\documents and settings\Jackaroo Motor Inn\Desktop\Combo-Fix.exe
AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
.

((((((((((((((((((((((((( Files Created from 2010-09-05 to 2010-10-05 )))))))))))))))))))))))))))))))
.

2010-10-04 22:54 . 2010-10-04 22:54 -------- d-----w- C:\_OTL
2010-10-04 02:07 . 2010-10-04 02:07 -------- d-----w- c:\program files\ERUNT
2010-09-29 03:33 . 2010-09-29 03:33 -------- d-s---w- c:\windows\Cookies
2010-09-29 03:06 . 2008-04-13 14:06 73472 -c--a-w- c:\windows\system32\dllcache\sr.vir
2010-09-29 03:06 . 2008-04-13 14:06 73472 ----a-w- c:\windows\system32\drivers\sr.sys
2010-09-29 01:30 . 2010-09-29 01:30 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-09-29 01:16 . 1998-09-30 02:26 49936 ----a-w- c:\windows\system32\SeCEdit.exe
2010-09-29 01:16 . 1998-09-30 02:24 242448 ----a-w- c:\windows\system32\scedll.dll
2010-09-29 01:16 . 1998-03-31 06:37 29968 ----a-w- c:\windows\system32\Rshx32_5.dll
2010-09-29 01:16 . 1998-10-09 04:17 384784 ----a-w- c:\windows\system32\wsecedit.dll
2010-09-28 12:13 . 2010-09-29 03:57 -------- d-----w- c:\program files\Sophos
2010-09-28 08:08 . 2010-09-28 08:09 -------- d-----w- c:\program files\CleanUp!
2010-09-28 04:12 . 2010-09-28 04:12 -------- d-----w- c:\program files\Enigma Software Group
2010-09-28 03:18 . 2010-09-28 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-28 02:56 . 2010-09-28 02:56 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-09-24 03:25 . 2010-09-28 04:41 -------- d-----w- c:\program files\Panda Security
2010-09-24 03:13 . 2008-04-13 19:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-09-24 03:13 . 2008-04-13 19:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-09-17 11:31 . 2010-09-17 11:44 -------- d-----w- c:\windows\system32\wbem\Repository.002
2010-09-17 11:30 . 2008-04-13 19:42 1306624 -c----w- c:\windows\system32\dllcache\msxml6.dll
2010-09-17 11:30 . 2008-04-13 12:57 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2010-09-17 11:30 . 2008-04-13 19:42 28672 ------w- c:\windows\system32\verclsid.exe
2010-09-17 07:52 . 2010-09-17 07:52 -------- d-----w- c:\program files\Trend Micro
2010-09-17 06:04 . 2010-09-17 06:04 0 ----a-w- c:\windows\nsreg.dat
2010-09-17 06:03 . 2010-09-17 06:03 -------- d-----w- c:\documents and settings\Jackaroo Motor Inn\Local Settings\Application Data\Mozilla
2010-09-17 05:19 . 2010-09-17 05:19 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-09-17 05:16 . 2010-09-17 05:16 -------- d-----w- c:\documents and settings\Administrator\Downloads
2010-09-17 05:12 . 2010-09-17 05:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-09-17 04:49 . 2010-09-17 04:49 711168 ----a-w- c:\windows\is-5I10H.exe
2010-09-17 04:47 . 2010-04-29 05:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-17 04:47 . 2010-04-29 05:39 19288 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-17 04:47 . 2010-09-17 05:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-17 04:12 . 2002-08-29 12:00 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll
2010-09-17 04:11 . 2001-08-17 12:36 26112 -c--a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2010-09-17 04:10 . 2002-08-29 12:00 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys
2010-09-17 04:09 . 2008-04-13 19:39 13463552 -c--a-w- c:\windows\system32\dllcache\hwxjpn.dll
2010-09-17 04:08 . 2002-08-29 12:00 9728 -c--a-w- c:\windows\system32\dllcache\change.exe
2010-09-17 04:08 . 2002-08-29 12:00 13312 -c--a-w- c:\windows\system32\dllcache\chglogon.exe
2010-09-17 04:08 . 2002-08-29 12:00 54528 -c--a-w- c:\windows\system32\dllcache\cap7146.sys
2010-09-17 04:08 . 2002-08-29 12:00 6656 -c--a-w- c:\windows\system32\dllcache\c_is2022.dll
2010-09-17 04:08 . 2002-08-29 12:00 10752 -c--a-w- c:\windows\system32\dllcache\c_iscii.dll
2010-09-17 04:08 . 2001-08-17 12:36 312832 -c--a-w- c:\windows\system32\dllcache\EXCH_aqueue.dll
2010-09-17 04:08 . 2001-08-17 12:36 45056 -c--a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll
2010-09-17 04:08 . 2001-08-17 12:36 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2010-09-17 04:08 . 2001-08-17 12:36 2134528 -c--a-w- c:\windows\system32\dllcache\EXCH_smtpsnap.dll
2010-09-17 04:08 . 2001-08-17 12:36 175104 -c--a-w- c:\windows\system32\dllcache\EXCH_smtpadm.dll
2010-09-17 04:01 . 2008-04-13 19:42 67584 ----a-w- c:\windows\system32\srclient.dll
2010-09-17 03:59 . 2008-04-13 19:42 184320 ----a-w- c:\windows\system32\accwiz.exe
2010-09-17 03:58 . 2008-04-13 14:02 196224 ----a-w- c:\windows\system32\drivers\rdpdr.sys
2010-09-17 03:56 . 2008-04-13 14:15 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2010-09-17 03:56 . 2008-04-13 14:15 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-09-17 03:54 . 2008-04-13 14:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-09-17 03:54 . 2008-04-13 14:10 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-09-17 03:53 . 2008-04-13 13:53 606684 ----a-w- c:\windows\system32\drivers\ltmdmnt.sys
2010-09-17 03:52 . 2008-04-13 19:41 4096 ----a-w- c:\windows\system32\ksuser.dll
2010-09-17 03:52 . 2008-04-13 19:43 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
2010-09-17 03:49 . 2008-04-13 19:42 146432 ----a-w- c:\windows\system\winspool.drv
2010-09-17 03:49 . 2008-04-13 14:24 11264 ----a-w- c:\windows\system32\drivers\irenum.sys
2010-09-17 03:49 . 2002-08-29 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-09-17 03:49 . 2002-08-29 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-09-17 03:49 . 2002-08-29 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-09-17 03:49 . 2002-08-29 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-09-17 03:49 . 2008-04-13 19:42 74752 ----a-w- c:\windows\system32\storprop.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-04 23:10 . 2005-01-13 02:35 4096 ----a-w- c:\windows\system32\drivers\siside.sys
2010-09-28 04:13 . 2005-12-10 03:54 30304 ----a-w- c:\documents and settings\Jackaroo Motor Inn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-24 03:25 . 2009-07-10 13:57 20 ----a-w- c:\windows\.vir
2010-09-17 11:19 . 2008-05-21 06:36 -------- d-----w- c:\program files\QuickTime
2010-09-17 04:05 . 2010-09-17 04:05 558142 ----a-w- c:\windows\java\Packages\I6B79J1N.ZIP
2010-09-17 04:05 . 2010-09-17 04:05 2678 ----a-w- c:\windows\java\Packages\Data\FFH3JPJF.DAT
2010-09-17 04:05 . 2010-09-17 04:05 2678 ----a-w- c:\windows\java\Packages\Data\W68KXZ37.DAT
2010-09-17 04:05 . 2010-09-17 04:05 155995 ----a-w- c:\windows\java\Packages\TZ3D3XVH.ZIP
2010-09-17 04:05 . 2010-09-17 04:05 2678 ----a-w- c:\windows\java\Packages\Data\7FNDBTNZ.DAT
2010-09-17 04:05 . 2010-09-17 04:05 2678 ----a-w- c:\windows\java\Packages\Data\I7PJXBXZ.DAT
2010-09-17 04:05 . 2010-09-17 04:05 2678 ----a-w- c:\windows\java\Packages\Data\GWXJ7TFN.DAT
2010-09-17 04:01 . 2005-01-13 02:19 23444 ----a-w- c:\windows\system32\emptyregdb.dat
2010-09-13 05:52 . 2005-12-12 23:47 12186 ----a-w- c:\documents and settings\Jackaroo Motor Inn\Application Data\wklnhst.dat
2010-08-24 06:40 . 2005-12-19 07:09 -------- d-----w- c:\program files\Telstra
2010-08-14 23:16 . 2010-08-14 23:16 -------- d-sh--w- c:\documents and settings\All Users\Application Data\MSEQS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-08-13 177392]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2010-06-11 226640]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigPondWirelessBroadbandCM]
2008-09-11 02:16 2248704 ----a-w- c:\program files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2004-05-12 04:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2004-02-12 02:38 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-05 11:55 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 05:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 04:10 56928 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-07-27 09:01 68096 ----a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [3/12/2007 4:23 PM 189704]
S3 kwkxusb;Kyocera Wireless USB CDMA Modem Driver;c:\windows\system32\drivers\kwusb2k.sys [3/24/2005 4:04 PM 41344]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [8/24/2010 4:42 PM 7680]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1C.tmp --> c:\windows\system32\1C.tmp [?]
.
Contents of the 'Scheduled Tasks' folder

2010-10-05 c:\windows\Tasks\CAAntiSpywareScan_Daily as Jackaroo Motor Inn at 3 00 AM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-03-12 06:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ninemsn.com.au/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
LSP: c:\windows\system32\VetRedir.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jackaroo Motor Inn\Application Data\Mozilla\Firefox\Profiles\x8t5wh7w.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1C.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(1248)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(236)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-10-06 08:00:19
ComboFix-quarantined-files.txt 2010-10-05 22:00
ComboFix2.txt 2010-09-29 03:31

Pre-Run: 107,019,522,048 bytes free
Post-Run: 107,009,830,912 bytes free

- - End Of File - - 131C1076E9D27808A195D8CA663BFE82
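Two things in the log above are what a helper reading it would check first: the orphaned MEMSWEEP2 service whose ImagePath is a .tmp file in system32 (often a scanner's leftover driver rather than malware, which is why ComboFix lists it under ORPHANS REMOVED), and the Security Center "DisableMonitoring" keys (commonly set by a third-party suite such as CA, but worth confirming). The triage script below is an added example, not part of the thread or of ComboFix; it assumes ComboFix keeps the "state name;display;path [info]" service line shape and REGEDIT4-style key blocks shown in the post, and runs over a constructed excerpt of those lines.

```python
import re

# Constructed excerpt reproducing line shapes from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [3/12/2007 4:23 PM 189704]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [8/24/2010 4:42 PM 7680]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1C.tmp --> c:\windows\system32\1C.tmp [?]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1C.tmp"
"""

# "R3 name;display name;image path [file stamp]"  (assumed ComboFix format)
SERVICE_LINE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")


def parse_service(line):
    """Split a ComboFix service line into (state, name, image_path, info).
    info is the bracketed file stamp, or "?" when ComboFix could not find the file."""
    m = SERVICE_LINE.match(line)
    if not m:
        return None
    state, name, _display, rest = m.groups()
    path, _, info = rest.rpartition(" [")
    path = path.split(" --> ")[0].strip()   # keep the raw ImagePath, drop the resolved copy
    return state, name, path, info.rstrip("]")


def triage(log_text):
    """Return (line_no, item, reason) findings a reviewer should look at:
    services backed by a .tmp image or a missing file, Security Center monitoring off."""
    findings = []
    current_key = ""
    for no, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if line.startswith("[HKEY_") or line.startswith("[HKLM"):
            current_key = line[1:-1]            # track the registry key the values belong to
            continue
        svc = parse_service(line)
        if svc:
            _state, name, path, info = svc
            if path.lower().endswith(".tmp"):
                findings.append((no, name, "service image is a .tmp file"))
            if info == "?":
                findings.append((no, name, "service image not present on disk"))
            continue
        key_lc = current_key.lower()
        leaf = current_key.rsplit("\\", 1)[-1]
        if "security center\\monitoring" in key_lc and line == '"DisableMonitoring"=dword:00000001':
            findings.append((no, leaf, "Security Center monitoring disabled"))
        elif "\\services\\" in key_lc and line.startswith('"ImagePath"=') and line.lower().rstrip('"').endswith(".tmp"):
            findings.append((no, leaf, "service ImagePath is a .tmp file"))
    return findings
```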

#10 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA
  • Local time:09:59 AM

Posted 05 October 2010 - 05:20 PM

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Do NOT turn off the firewall

Scan the system with the Kaspersky Online Scanner
http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Reenable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

Read the Information block presented on the screen, and then press the Accept button.

1) Accept the agreement
2) The necessary files will be downloaded and installed. Please have plenty of patience.
3) After Kaspersky AntiVirus Database is updated, look at the Scan box.
4) Click the My Computer line
5) Be infinitely patient, the scan is comprehensive and, unlike other online antivirus scanners, will detect all malware

6) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.

( To see an animated tutorial-how-to on the scan, see >>this link<<)

Re-enable your antivirus program after Kaspersky has finished.
Kaspersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or ComboFix's Qoobox & quarantine.
Kaspersky is a report only and does not remove files.

Post back with copies of the Kaspersky.txt report.
How is your system now?
Are any more browser redirects happening?


~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#11 Irelanda

Irelanda
  • Topic Starter

  • Members
  • 7 posts
  • Local time:01:59 AM

Posted 06 October 2010 - 05:01 PM

Maurice


The Kaspersky report was completely empty

I've run all the outstanding Windows Updates with No Problems and have seen no unusual activity, looks OK now.


Thank you very muchly


Guy


#12 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA
  • Local time:09:59 AM

Posted 07 October 2010 - 05:51 AM

Very well.


Cleanups after the tools we used
Go to Control Panel and Add-or-Remove programs.
De-install Kaspersky Online scan
Select Change/Remove to de-install it.
OK & Exit out of Control Panel

If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders.
The "/uninstall" in the Run line below is to start Combofix for its cleanup & removal function.
Note the space after exe and before the slash mark.
The utility must be removed to prevent any unintentional or accidental usage, PLUS, to free up much space on your hard disk.
  • Click Start, then click Run.

    In the command box that opens, Copy the whole line verbatim and then paste into Run-Open box
    Combo-fix /uninstall
    and then click OK.
  • Please double-click OTL.exe to run it.
  • Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been download you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.
Delete Avenger.zip & Avenger.exe if still present

Delete RKILL.com if still present.

Delete TDSSKILLER.exe & TDSSKILLER.zip if present.

TFC (Temp file cleaner) you may keep and use on a periodic basis.

pc security advice

Confirm for me that you've removed the tools (as above) and that you have followed up with Secunia online check! Best regards.

Edited by Maurice Naggar, 07 October 2010 - 05:52 AM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
