
infected with something affecting internet


  • This topic is locked
13 replies to this topic

#1 KLong1273

KLong1273

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:49 AM

Posted 30 October 2010 - 06:33 PM

Infected the last couple of weeks with something that affects my internet. Have TrendMicro, Malwarebytes' anti-malware, and spybot installed. None will open. Have tried several online scanners recommended by this site but whenever it needs to download I get a message that I'm not connected to the internet, even though I have an always on cable connection and the other computer in the house has no problems. I can use the internet, but am constantly redirected to random sites, and can only use internet explorer. Google Chrome is installed but like the antivirus and antimalware it will not open.


DDS (Ver_10-10-21.02) - NTFSx86
Run by HP_Administrator at 5:41:39.70 on Sat 10/30/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.454 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\DISC\DiscGui.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.alaweb.com/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ares] "c:\program files\ares\Ares.exe" -h
uRun: [SME] "c:\documents and settings\all users\application data\a735af\SMa73_302.exe" /s
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [DISCover] c:\program files\disc\DISCover.exe
mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdateMgr.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [USRpdA] c:\windows\system32\usrmlnka.exe runservices \device\3cpipe-USRpdA
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\imvu.lnk - c:\documents and settings\hp_administrator\application data\imvuclient\IMVUQualityAgent.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Belkin F6D4050 Enhanced Wireless USB Adapter Utility.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Kodak EasyShare software.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Updates from HP.lnk.disabled
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\hp_administrator\start menu\programs\imvu\Run IMVU.lnk
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: trymedia.com
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: NameServer = 93.188.164.124,93.188.160.204
TCP: {C5F0F24D-D59F-43DD-9B8E-0F3CA0DFA621} = 93.188.164.124,93.188.160.204
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2010-8-24 36368]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

=============== Created Last 30 ================

2010-10-25 12:37:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\a735af
2010-10-21 14:42:29 -------- d-----w- c:\docume~1\hp_adm~1\applic~1\Sahmon Games
2010-10-21 02:43:56 -------- d-----w- c:\docume~1\hp_adm~1\applic~1\Fugazo
2010-10-19 23:42:27 -------- d-----w- c:\docume~1\alluse~1\applic~1\Becky Brogan 2
2010-10-19 23:15:55 -------- d-----w- c:\docume~1\hp_adm~1\applic~1\Mean Hamster Software
2010-10-19 14:31:47 -------- d-----w- c:\documents and settings\hp_administrator\Saved Games
2010-10-19 08:22:18 -------- d-----w- c:\docume~1\hp_adm~1\applic~1\NatGeoGames
2010-10-19 08:22:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\NatGeoGames
2010-10-18 11:39:48 -------- d-----w- c:\docume~1\hp_adm~1\locals~1\applic~1\IsolatedStorage
2010-10-18 11:39:36 -------- d-----w- c:\docume~1\hp_adm~1\locals~1\applic~1\HP
2010-10-17 20:55:36 -------- d-----w- c:\docume~1\hp_adm~1\locals~1\applic~1\TheLostKingdomProphecy
2010-10-17 14:23:35 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-10-17 14:23:35 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-17 14:22:37 -------- d-----w- c:\program files\Microsoft Money 2005
2010-10-17 14:22:25 -------- d-----w- c:\docume~1\hp_adm~1\locals~1\applic~1\Conduit
2010-10-17 14:21:37 -------- d-----w- c:\program files\Conduit
2010-10-17 14:21:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\41738225
2010-10-17 14:21:35 -------- d-----w- c:\program files\Screensavers.com
2010-10-17 14:13:42 -------- d-----w- c:\docume~1\hp_adm~1\applic~1\SUPERAntiSpyware.com
2010-10-16 23:46:37 -------- d-----w- c:\program files\ESET
2010-10-16 23:34:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-14 14:21:53 -------- d-----w- c:\docume~1\hp_adm~1\applic~1\Jumb-O-Fun Games
2010-10-14 12:35:28 -------- d-----w- c:\program files\NCH Swift Sound
2010-10-13 19:04:33 -------- d-----w- c:\docume~1\hp_adm~1\locals~1\applic~1\Identities
2010-10-07 14:38:38 -------- d-----w- c:\docume~1\hp_adm~1\applic~1\World-Loom
2010-10-02 00:58:13 -------- d-----w- c:\docume~1\hp_adm~1\applic~1\Vivox

==================== Find3M ====================

2010-09-08 16:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 16:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-08-21 01:18:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-08-21 01:18:53 423656 ----a-w- c:\windows\system32\deployJava1.dll
2008-05-06 02:54:09 15452536 -c--a-w- c:\program files\IE7-WindowsXP-x86-enu.exe
2008-04-16 23:40:27 432576 -c--a-w- c:\program files\MySpaceIM_Setup.exe
2008-04-15 18:45:01 5840080 -c--a-w- c:\program files\mp3suite-setup-pro.exe
2006-06-20 03:48:38 1874873 -c--a-w- c:\program files\quicklookup.exe
2006-06-05 23:57:47 397352 -c--a-w- c:\program files\msgr75us.exe

============= FINISH: 5:44:55.79 ===============
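Two lines in the DDS log above are the ones a responder would look at first: the `TCP: NameServer` entries are public addresses configured statically (the O17 line in the OTL log later in the thread shows the router actually hands out 192.168.2.1 by DHCP), and the `uRun: [SME]` entry launches from a short hex-named folder under All Users\Application Data that also appears in the "Created Last 30" list. The script below is an added example, not code from the original post or from the DDS tool; it parses those DDS line types and flags both indicators for review. The sample lines are copied from the log above, the DHCP value from the OTL log, and the two heuristics (public versus private address, hex-only folder name under Application Data) are my own assumptions about what deserves a second look.

```python
"""
Triage helper for DDS "Pseudo HJT Report" lines.

Added example for this thread; not code from the original post or from DDS.
It flags two indicators visible in the log above:
  * TCP: NameServer entries that are public addresses set statically
    (and, when known, differ from the router's DHCP-assigned server)
  * uRun/mRun entries launching from a short hex-named folder under
    Application Data
Both heuristics are assumptions about what merits review, not DDS rules.
"""
import ipaddress
import re
from typing import Iterable, List, Optional

# Sample lines copied from the DDS log in this thread (constructed subset).
SAMPLE_DDS_LINES = r"""
uStart Page = hxxp://www.alaweb.com/
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ares] "c:\program files\ares\Ares.exe" -h
uRun: [SME] "c:\documents and settings\all users\application data\a735af\SMa73_302.exe" /s
mRun: [ehTray] c:\windows\ehome\ehtray.exe
TCP: NameServer = 93.188.164.124,93.188.160.204
TCP: {C5F0F24D-D59F-43DD-9B8E-0F3CA0DFA621} = 93.188.164.124,93.188.160.204
"""

# Value taken from the O17 DhcpNameServer line in the OTL log later in the thread.
DHCP_NAMESERVER = "192.168.2.1"

RUN_RE = re.compile(r"^[um]Run:\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$", re.I)
NS_RE = re.compile(r"^TCP:\s+(?P<key>NameServer|\{[0-9A-F-]+\})\s*=\s*(?P<servers>[\d.,\s]+)$", re.I)
# Heuristic: a 4-12 character hex-only directory directly under "Application Data".
RANDOM_DIR_RE = re.compile(r"\\application data\\(?P<dir>[0-9a-f]{4,12})\\", re.I)


def image_path(command: str) -> str:
    """Pull the executable path out of a Run-key command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)\b", command, re.I)
    return m.group(1) if m else command.split()[0]


def triage(lines: Iterable[str], dhcp_nameserver: Optional[str] = None) -> List[dict]:
    """Return one finding per suspicious line; an empty list means nothing was flagged."""
    findings: List[dict] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        run = RUN_RE.match(line)
        if run:
            path = image_path(run.group("cmd"))
            folder = RANDOM_DIR_RE.search(path)
            if folder:
                findings.append({
                    "type": "autorun_random_dir",
                    "entry": run.group("name"),
                    "path": path,
                    "folder": folder.group("dir"),
                })
            continue
        ns = NS_RE.match(line)
        if ns:
            for server in (s.strip() for s in ns.group("servers").split(",")):
                if not server:
                    continue
                try:
                    addr = ipaddress.ip_address(server)
                except ValueError:
                    continue  # not an address; DDS sometimes prints names here
                reasons = []
                if not addr.is_private:
                    reasons.append("public address configured statically")
                if dhcp_nameserver and server != dhcp_nameserver:
                    reasons.append(f"differs from DHCP-assigned {dhcp_nameserver}")
                if reasons:
                    findings.append({
                        "type": "static_dns",
                        "key": ns.group("key"),
                        "server": server,
                        "reasons": reasons,
                    })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS_LINES.splitlines(), DHCP_NAMESERVER):
        print(finding)
```

Run against the sample it reports the `SME` autorun in the `a735af` folder (the same folder the "Created Last 30" section shows appearing on 2010-10-25) and all four static name-server values, each for two reasons: they are public addresses and they differ from the 192.168.2.1 the router assigns. The name-server mismatch is the simplest explanation for the symptoms the poster describes (redirects to sites already visited, "not connected" errors from updaters that resolve vendor hosts through those servers), and it is the first thing to re-check after cleanup, since a hijacked resolver setting survives any number of scans that only look at files.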


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:49 PM

Posted 07 November 2010 - 06:51 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 KLong1273

KLong1273
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:49 AM

Posted 08 November 2010 - 05:53 PM

Thank you so much for your response. I have managed to make what I thought was a little progress but am still infected. When I had originally posted, I couldn't run MalwareBytes Anti-malware, Spybot S&D, or TrendMicro (massive waste of money that turned out to be). Since my post, I have been able to run MalwareBytes - picked up very little, some spyware and questionable cookies - and have downloaded and run the TrendMicro Titanium free trial (I'll not pay for that again) - also picked up very little, some spyware, but it seems to be helping with the browser redirection so far.
To sum up the problems so far: browser redirects constantly (seems to be connected to cookies somehow, because I am always redirected to a site I have been to previously; I'm set up to accept no cookies now without asking, and now I'm only redirected to Party Poker and various search engines), no program that must connect to the internet works (I get the message that I'm not connected, which obviously isn't the case because here I am...), and nothing I already had on my computer to scan picks anything up out of the ordinary. So, while I was waiting for a reply I have done some of the obvious things: I had a p2p app on here for music, and that's gone since I noticed that was one of the things that y'all recommend to people you are helping, and I have attempted to use any scan or protection I have seen recommended by you guys (of course no luck with that since I have no internet connection to download anything).

OTL logfile created on: 11/7/2010 8:20:26 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\HP_Administrator\Desktop
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

958.00 Mb Total Physical Memory | 438.00 Mb Available Physical Memory | 46.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 66.02 Gb Total Space | 4.77 Gb Free Space | 7.23% Space Free | Partition Type: NTFS
Drive D: | 8.50 Gb Total Space | 1.13 Gb Free Space | 13.26% Space Free | Partition Type: FAT32

Computer Name: YOUR-4DACD0EA75 | User Name: HP_Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/07 20:19:27 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
PRC - [2010/11/07 13:15:32 | 001,006,672 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiSeAgnt.exe
PRC - [2010/11/07 13:15:32 | 000,112,632 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiWatchDog.exe
PRC - [2010/11/07 13:15:20 | 000,138,640 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
PRC - [2010/08/25 22:49:30 | 000,196,320 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
PRC - [2007/06/13 04:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/12/02 23:21:55 | 000,180,269 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2005/09/27 01:43:29 | 001,060,864 | ---- | M] (Digital Interactive Systems Corporation) -- C:\Program Files\DISC\DISCover.exe
PRC - [2005/09/27 01:42:32 | 000,237,568 | ---- | M] (Digital Interactive Systems Corporation, Inc.) -- C:\Program Files\DISC\DiscGui.exe
PRC - [2005/09/27 01:42:26 | 000,061,440 | ---- | M] (Digital Interactive Systems Corporation, Inc.) -- C:\Program Files\DISC\DISCUpdateMgr.exe
PRC - [2005/09/27 01:42:26 | 000,045,056 | ---- | M] (Digital Interactive Systems Corporation, Inc.) -- C:\Program Files\DISC\DiscStreamHub.exe
PRC - [2005/08/03 01:19:16 | 000,058,880 | ---- | M] (Microsoft) -- C:\WINDOWS\arservice.exe
PRC - [2004/08/10 13:00:00 | 000,077,891 | ---- | M] (U.S. Robotics Corporation) -- C:\WINDOWS\system32\usrmlnka.exe
PRC - [2004/08/10 13:00:00 | 000,069,700 | ---- | M] ( U.S. Robotics Corporation) -- C:\WINDOWS\system32\usrshuta.exe


========== Modules (SafeList) ==========

MOD - [2010/11/07 20:19:27 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
MOD - [2006/08/25 09:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2004/08/10 06:00:00 | 001,392,671 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvbvm60.dll
MOD - [2004/08/10 06:00:00 | 000,159,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dinput.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/08/25 22:49:30 | 000,196,320 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe -- (Amsp)
SRV - [2005/08/03 01:19:16 | 000,058,880 | ---- | M] (Microsoft) [Auto | Running] -- C:\WINDOWS\arservice.exe -- (ARSVC)
SRV - [2004/09/29 21:14:36 | 000,069,632 | ---- | M] (HP) [Boot | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\intelppm.sys -- (intelppm)
DRV - [2010/11/07 13:15:24 | 000,189,520 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2010/11/07 13:15:24 | 000,092,112 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tmtdi.sys -- (tmtdi)
DRV - [2010/11/07 13:15:24 | 000,080,464 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmactmon.sys -- (tmactmon)
DRV - [2010/11/07 13:15:24 | 000,064,080 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmevtmgr.sys -- (tmevtmgr)
DRV - [2005/09/23 14:26:40 | 001,094,751 | ---- | M] (Agere Systems) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2005/08/29 16:11:00 | 003,644,928 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/08/13 23:35:54 | 001,313,792 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/07/04 01:30:34 | 000,026,624 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)
DRV - [2005/06/30 02:03:18 | 000,175,104 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ftsata2.sys -- (ftsata2)
DRV - [2005/06/17 15:33:40 | 000,872,064 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2005/03/09 15:53:00 | 000,036,352 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2005/03/04 12:10:26 | 000,074,496 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
DRV - [2004/08/03 23:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/11/05 16:45:12 | 000,017,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\bb-run.sys -- (bb-run)
DRV - [2003/01/10 15:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2001/08/17 14:28:26 | 000,113,762 | ---- | M] (U.S. Robotics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USRpdA.sys -- (USRpdA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1530636030-2427805075-3282295006-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKU\S-1-5-21-1530636030-2427805075-3282295006-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKU\S-1-5-21-1530636030-2427805075-3282295006-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKU\S-1-5-21-1530636030-2427805075-3282295006-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.alaweb.com/
IE - HKU\S-1-5-21-1530636030-2427805075-3282295006-1008\..\URLSearchHook: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1530636030-2427805075-3282295006-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\{22181a4d-af90-4ca3-a569-faed9118d6bc}: C:\Program Files\Trend Micro\Titanium\UIFramework\Toolbar\firefoxextension [2010/11/07 13:25:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{22C7F6C6-8D67-4534-92B5-529A0EC09405}: C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1381\6.5.1234\firefoxextension\ [2010/11/07 13:26:04 | 000,000,000 | ---D | M]

[2010/10/01 18:48:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Extensions
[2010/10/01 18:48:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Extensions\IMVUClientXUL@imvu.com
[2008/05/30 10:39:14 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/05/02 07:03:19 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

O1 HOSTS File: ([2004/08/10 13:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (TmIEPlugInBHO Class) - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\module\20004\1.5.1381\6.5.1234\TmIEPlg.dll (Trend Micro Inc.)
O2 - BHO: (TSToolbarBHO) - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll (Trend Micro Inc.)
O2 - BHO: (TmBpIeBHO Class) - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\module\20002\6.5.1234\6.5.1234\TmBpIe32.dll (Trend Micro Inc.)
O3 - HKLM\..\Toolbar: (Trend Micro Toolbar) - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll (Trend Micro Inc.)
O3 - HKU\S-1-5-21-1530636030-2427805075-3282295006-1008\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1530636030-2427805075-3282295006-1008\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1530636030-2427805075-3282295006-1008\..\Toolbar\WebBrowser: (no name) - {7B13EC3E-999A-4B70-B9CB-2617B8323822} - No CLSID value found.
O3 - HKU\S-1-5-21-1530636030-2427805075-3282295006-1008\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [AlwaysReady Power Message APP] C:\WINDOWS\arpwrmsg.exe (Microsoft)
O4 - HKLM..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe (Digital Interactive Systems Corporation)
O4 - HKLM..\Run: [DiscUpdateManager] C:\Program Files\DISC\DISCUpdateMgr.exe (Digital Interactive Systems Corporation, Inc.)
O4 - HKLM..\Run: [HPBootOp] C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe (Hewlett-Packard)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [Trend Micro Client Framework] C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [Trend Micro Titanium] C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [USRpdA] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin F6D4050 Enhanced Wireless USB Adapter Utility.lnk.disabled ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk.disabled ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk.disabled ()
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\Pin.lnk = C:\hp\bin\cloaker.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\IMVU.lnk = C:\Documents and Settings\HP_Administrator\Application Data\IMVUClient\IMVUQualityAgent.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1530636030-2427805075-3282295006-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\HP_Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk ()
O9 - Extra Button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O9 - Extra 'Tools' menuitem : Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O15 - HKLM\..Trusted Domains: trymedia.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: trymedia.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-1530636030-2427805075-3282295006-1008\..Trusted Domains: geekbuddy.com ([www] https in Trusted sites)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab (Wwlaunch Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab (Java Plug-in 1.5.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\tmbp {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\6.5.1234\6.5.1234\TmBpIe32.dll (Trend Micro Inc.)
O18 - Protocol\Handler\tmpx {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\1.5.1381\6.5.1234\TmIEPlg.dll (Trend Micro Inc.)
O18 - Protocol\Handler\tmtb {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll (Trend Micro Inc.)
O18 - Protocol\Handler\tmtbim {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Titanium\UIFramework\ProToolbarIMRatingActiveX.dll (Trend Micro Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/12/02 23:42:03 | 000,000,100 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/28 05:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2004/04/30 06:01:14 | 000,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


Drivers32: midi - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\WINDOWS\System32\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.imaadpcm - C:\WINDOWS\System32\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.msadpcm - C:\WINDOWS\System32\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msaudio1 - C:\WINDOWS\System32\msaud32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\WINDOWS\System32\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msg723 - C:\WINDOWS\System32\msg723.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\WINDOWS\System32\msgsm32.acm (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.I420 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.iyuv - C:\WINDOWS\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.LEAD - C:\WINDOWS\System32\LCodcCMP.dll (LEAD Technologies, Inc.)
Drivers32: vidc.M261 - C:\WINDOWS\System32\msh261.drv (Microsoft Corporation)
Drivers32: vidc.M263 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.mrle - C:\WINDOWS\System32\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\WINDOWS\System32\msvidc32.dll (Microsoft Corporation)
Drivers32: vidc.uyvy - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yuy2 - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvu9 - C:\WINDOWS\System32\tsbyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvyu - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\WINDOWS\System32\msacm32.drv (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (86707903578243072)

========== Files/Folders - Created Within 30 Days ==========

[2010/11/07 20:19:17 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
[2010/11/07 13:26:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Trend Micro
[2010/11/07 13:26:25 | 000,092,112 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmtdi.sys
[2010/11/07 13:26:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/11/07 13:26:12 | 000,080,464 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmactmon.sys
[2010/11/07 13:26:12 | 000,064,080 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmevtmgr.sys
[2010/11/07 13:25:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Trend Micro
[2010/11/07 10:53:04 | 000,000,000 | ---D | C] -- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
[2010/11/07 10:45:15 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Windows OneCare Live
[2010/11/04 17:38:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Application Data\Ashtons Family Resort
[2010/11/03 10:08:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Application Data\Meridian93
[2010/10/31 12:06:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\mswd
[2010/10/30 04:46:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Desktop\gmer
[2010/10/26 10:27:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Application Data\Google
[2010/10/25 06:37:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\a735af
[2010/10/21 08:42:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Application Data\Sahmon Games
[2010/10/20 20:43:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Application Data\Fugazo
[2010/10/19 17:42:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Becky Brogan 2
[2010/10/19 17:15:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Application Data\Mean Hamster Software
[2010/10/19 08:31:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Saved Games
[2010/10/19 02:22:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Application Data\NatGeoGames
[2010/10/19 02:22:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NatGeoGames
[2010/10/18 05:39:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Application Data\HP
[2010/10/18 05:39:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\My Documents\My Albums
[2010/10/18 05:39:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\IsolatedStorage
[2010/10/18 05:39:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\HP
[2010/10/17 14:55:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\TheLostKingdomProphecy
[2010/10/17 08:22:37 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Money 2005
[2010/10/17 08:22:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Conduit
[2010/10/17 08:13:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
[2010/10/16 17:46:37 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/10/16 17:34:38 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/10/14 20:33:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\My Documents\LDW
[2010/10/14 08:21:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Application Data\Jumb-O-Fun Games
[2010/10/14 06:35:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2010/10/14 06:35:28 | 000,000,000 | ---D | C] -- C:\Program Files\NCH Swift Sound
[2010/10/14 06:35:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Application Data\NCH Swift Sound
[2010/10/13 13:04:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities
[2008/05/05 20:54:09 | 015,452,536 | ---- | C] (Microsoft Corporation) -- C:\Program Files\IE7-WindowsXP-x86-enu.exe
[2006/06/19 21:48:24 | 001,874,873 | ---- | C] (Indigo Rose Corporation http://www.indigorose.com) -- C:\Program Files\quicklookup.exe
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/07 20:20:57 | 000,000,562 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\Shortcut to gmer.exe.lnk
[2010/11/07 20:19:27 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
[2010/11/07 13:54:04 | 000,000,246 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.dat
[2010/11/07 13:27:49 | 000,000,943 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\Trend Micro Titanium Maximum Security.lnk
[2010/11/07 13:26:08 | 000,393,434 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/11/07 13:26:08 | 000,057,392 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/11/07 13:20:15 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-3958178375-4217585030-2624718606-1009.job
[2010/11/07 13:20:02 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/07 13:19:59 | 1005,113,344 | -HS- | M] () -- C:\hiberfil.sys
[2010/11/07 13:15:24 | 000,189,520 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/11/07 13:15:24 | 000,092,112 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmtdi.sys
[2010/11/07 13:15:24 | 000,080,464 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmactmon.sys
[2010/11/07 13:15:24 | 000,064,080 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmevtmgr.sys
[2010/11/05 03:15:00 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\Disk Cleanup.job
[2010/11/05 01:00:00 | 000,000,352 | ---- | M] () -- C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
[2010/11/04 08:55:00 | 000,000,290 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-3958178375-4217585030-2624718606-1009.job
[2010/10/30 04:44:42 | 000,286,404 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\gmer.zip
[2010/10/30 04:41:16 | 000,545,280 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\dds.scr
[2010/10/30 04:39:48 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\defogger_reenable
[2010/10/29 15:10:09 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/10/28 09:17:15 | 000,189,000 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/10/27 09:09:50 | 000,016,559 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\My Documents\En-us-Nicaragua.ogg
[2010/10/25 17:38:15 | 000,000,962 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\IMVU.lnk
[2010/10/25 17:33:01 | 000,004,586 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\My Documents\Caitlin's Playlist2!!!.m3u
[2010/10/21 06:36:00 | 000,000,304 | ---- | M] () -- C:\WINDOWS\tasks\expressSevenDays.job
[2010/10/19 01:46:03 | 000,000,137 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\More Games at GameHouse.com.url
[2010/10/17 08:25:14 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/10/17 07:01:01 | 000,000,252 | ---- | M] () -- C:\WINDOWS\tasks\scribeShakeIcon.job
[2010/10/17 06:36:00 | 000,000,304 | ---- | M] () -- C:\WINDOWS\tasks\expressShakeIcon.job
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/07 20:20:57 | 000,000,562 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\Shortcut to gmer.exe.lnk
[2010/11/07 13:27:36 | 000,000,943 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\Trend Micro Titanium Maximum Security.lnk
[2010/11/07 13:03:33 | 1005,113,344 | -HS- | C] () -- C:\hiberfil.sys
[2010/10/30 04:44:39 | 000,286,404 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\gmer.zip
[2010/10/30 04:41:16 | 000,545,280 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\dds.scr
[2010/10/30 04:39:48 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\defogger_reenable
[2010/10/27 09:09:50 | 000,016,559 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\My Documents\En-us-Nicaragua.ogg
[2010/10/19 01:46:03 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\More Games at GameHouse.com.url
[2010/10/15 14:11:15 | 000,004,586 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\My Documents\Caitlin's Playlist2!!!.m3u
[2010/10/14 07:01:49 | 000,000,252 | ---- | C] () -- C:\WINDOWS\tasks\scribeShakeIcon.job
[2010/10/14 06:36:16 | 000,000,304 | ---- | C] () -- C:\WINDOWS\tasks\expressSevenDays.job
[2010/10/14 06:36:15 | 000,000,304 | ---- | C] () -- C:\WINDOWS\tasks\expressShakeIcon.job
[2010/09/15 07:03:35 | 000,000,044 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\{3D55D1F4-1059-11DC-B281-197056D89593}
[2010/08/21 17:27:19 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\housecall.guid.cache
[2010/08/20 20:21:16 | 000,000,139 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\fusioncache.dat
[2010/07/09 16:01:52 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Ransom.INI
[2010/03/25 09:08:33 | 000,000,000 | ---- | C] () -- C:\WINDOWS\EEventManager.INI
[2010/02/13 18:30:12 | 000,001,112 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2009/11/29 08:33:50 | 000,007,468 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\N360BUOptions.ini
[2009/11/29 08:27:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Irremote.ini
[2009/01/05 15:44:10 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2008/10/22 16:05:06 | 000,000,244 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2008/06/29 19:45:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2008/06/12 14:17:27 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/04/17 07:27:52 | 000,000,227 | ---- | C] () -- C:\WINDOWS\HP_CounterReport_Update_HPSU.ini
[2008/04/17 07:25:54 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2008/04/17 06:18:21 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_InstantSHareJPG.ini
[2006/08/12 22:13:35 | 000,000,082 | ---- | C] () -- C:\WINDOWS\usrwiz.ini
[2006/08/09 19:55:41 | 000,000,092 | ---- | C] () -- C:\WINDOWS\QTW.ini
[2006/08/09 19:09:31 | 000,000,221 | ---- | C] () -- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
[2006/07/29 14:28:46 | 000,000,069 | ---- | C] () -- C:\WINDOWS\encore_launcher.ini
[2006/06/23 19:27:28 | 000,000,008 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/06/07 20:24:56 | 000,000,024 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/06/07 20:24:56 | 000,000,023 | ---- | C] () -- C:\WINDOWS\mid.ini
[2006/06/07 20:24:56 | 000,000,018 | ---- | C] () -- C:\WINDOWS\upst.ini
[2006/06/05 17:57:33 | 000,397,352 | ---- | C] () -- C:\Program Files\msgr75us.exe
[2006/05/02 16:38:24 | 000,000,748 | ---- | C] () -- C:\WINDOWS\SetBrowser.ini
[2005/12/03 00:15:36 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/12/02 23:51:14 | 000,022,396 | ---- | C] () -- C:\WINDOWS\System32\drivers\USBkey.sys
[2005/12/02 23:45:47 | 000,014,317 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2005/12/02 23:45:35 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2005/12/02 23:42:48 | 000,000,031 | ---- | C] () -- C:\WINDOWS\Quicken.ini
[2005/12/02 23:38:00 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/12/02 23:31:26 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2005/12/02 23:31:26 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2005/12/02 23:31:26 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2005/12/02 23:31:26 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2005/12/02 23:31:26 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2005/12/02 23:31:26 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2005/12/02 23:24:09 | 000,000,108 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2005/12/02 23:22:43 | 000,000,698 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.ini
[2005/12/02 23:09:22 | 000,001,434 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2005/12/02 23:08:11 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/12/02 22:50:14 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2005/12/02 22:41:16 | 000,323,584 | ---- | C] () -- C:\WINDOWS\System32\pythoncom22.dll
[2005/12/02 22:41:16 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\pywintypes22.dll
[2005/12/02 22:40:57 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2005/10/05 14:50:52 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/31 06:01:42 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/08/05 23:01:54 | 000,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/08/03 01:19:16 | 000,050,176 | ---- | C] () -- C:\WINDOWS\armcex.dll
[2004/07/26 16:51:38 | 000,000,560 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2001/07/07 00:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2005/12/02 23:20:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Digital Interactive Systems Corporation
[2010/10/25 06:37:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\a735af
[2010/02/11 11:28:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Absolutist
[2008/04/11 16:38:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Age of Empires 3
[2010/09/28 12:44:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alawar Stargaze
[2010/01/05 01:34:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Artist Colony
[2010/03/02 07:29:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ashtons Family Resort
[2010/10/19 17:42:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Becky Brogan 2
[2008/04/11 15:06:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Berlitz
[2010/02/27 18:28:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Big Fish Games
[2010/02/22 10:52:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\blg
[2010/07/08 18:20:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BlitPop
[2006/08/12 22:37:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2009/12/28 17:45:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Christmasville
[2010/06/26 13:20:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Deadtime Stories
[2006/06/05 18:02:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Digital Interactive Systems Corporation
[2010/03/23 08:07:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2009/12/14 11:45:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EscapeTheMuseum2
[2008/05/28 08:01:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2010/01/03 18:55:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Farm Frenzy
[2010/05/13 07:38:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FarmFrenzy3_America
[2010/05/04 06:36:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Fenomen Games
[2010/02/11 16:50:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\fillup
[2010/04/19 15:54:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Flood Light Games
[2010/06/13 16:11:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FreshGames
[2010/10/19 01:55:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Fugazo
[2010/08/17 15:16:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Funny Bear Studio
[2010/09/08 10:29:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GameHouse
[2010/07/09 17:21:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Gamers Digital
[2010/02/25 20:24:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\game_fillup_v2_usa
[2010/04/14 09:53:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GOA
[2010/09/22 13:28:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Gogii
[2010/04/26 17:09:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Happyville__
[2010/06/13 11:57:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HipSoft
[2010/07/19 13:49:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HitPoint Studios
[2010/08/03 09:34:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HTC
[2010/04/04 07:51:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Incredible Express
[2010/07/03 19:39:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Intenium
[2010/03/10 15:26:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Islands
[2010/07/09 17:03:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iWin
[2006/07/14 19:50:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\JollyBear
[2010/03/28 08:58:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kingdom
[2009/12/14 11:21:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kristanix Games
[2008/06/10 21:32:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe
[2010/02/27 17:39:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ludia
[2010/02/27 08:45:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Mean Hamster Software
[2010/09/23 08:12:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Merscom
[2010/10/31 12:06:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\mswd
[2010/10/07 09:16:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MumboJumbo
[2006/06/02 20:45:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\muvee Technologies
[2008/04/18 07:35:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2010/10/19 02:22:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NatGeoGames
[2010/10/14 06:36:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2009/12/12 00:54:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NevoSoft Games
[2006/06/23 20:33:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nova Development
[2010/06/05 13:57:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Oberon Media
[2008/04/12 19:36:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Otto
[2010/10/07 09:29:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst
[2010/03/11 20:52:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayPond
[2010/05/09 09:14:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Playrix Entertainment
[2010/01/10 13:26:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Princess Isabella
[2010/03/20 14:03:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\rionix
[2010/06/27 19:11:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sandlot Games
[2008/04/10 16:38:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SimCity Societies
[2008/05/17 23:21:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SpinTop Games
[2010/05/23 08:32:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sprouts Adventure
[2010/06/29 09:58:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SulusGames
[2010/08/03 09:34:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Teleca
[2010/08/17 16:16:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/12/28 18:01:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\The Mirror Mysteries
[2010/03/11 17:23:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TikGames
[2010/03/26 17:11:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UDL
[2010/02/11 15:25:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ValuSoft
[2006/06/02 18:58:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/02/11 11:21:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\VirtualFarm
[2006/07/14 19:50:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2009/12/27 08:48:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Wrinkle-free Games
[2010/08/01 08:28:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Zylom
[2009/08/13 21:39:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[2010/03/02 12:50:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/06/07 14:54:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\1morebee
[2010/07/16 15:18:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\Ashtons Family Resort
[2010/06/29 11:01:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\Big Fish Games
[2010/07/07 09:42:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\BlamGames
[2010/08/13 21:35:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\Brunhilda_real
[2005/12/02 23:20:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\Digital Interactive Systems Corporation
[2010/07/07 10:35:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\EleFun Games
[2010/06/02 18:35:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\Epson
[2010/07/12 15:44:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\ERS G-Studio
[2010/08/13 22:09:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\Fabulous Finds
[2010/06/10 15:43:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\FarmerJane
[2010/06/12 19:04:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\FirstColony
[2010/07/30 14:07:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\FreezeTag
[2010/06/13 16:11:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\freshgames
[2010/06/26 00:17:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\Friday's games
[2010/08/15 09:18:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\Fuel Industries
[2010/07/29 10:52:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\GameHouse Janes Realty2
[2010/07/03 19:09:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\GameHousev1000
[2010/07/09 17:21:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\Gamers Digital
[2010/06/13 10:36:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\GamesCafe
[2010/07/01 12:48:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\GOA
[2010/07/12 12:56:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\HdO Adventure
[2010/07/19 13:49:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\HitPoint Studios
[2010/08/04 11:49:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\Hotdog Hotshot
[2010/08/07 16:18:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\IBAGroup
[2010/07/09 17:03:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\iWin
[2010/08/14 19:56:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\Jumb-O-Fun Games
[2010/07/14 07:54:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\Ludia
[2010/07/14 09:53:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\MegaplexMadnessSummerBlockbuster
[2010/07/06 10:17:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\Meridian93
[2010/07/27 19:24:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\My Games
[2010/06/13 09:35:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\NevoSoft Games
[2010/06/29 09:57:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\Paige Harper and the Tome of Mystery
[2010/06/05 20:58:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\Peace Craft
[2010/07/19 18:10:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\PlayFirst
[2010/06/23 15:50:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\Playrix Entertainment
[2010/07/29 17:48:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\Settlement. Colossus
[2010/07/06 10:04:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\Shape games
[2010/08/17 09:04:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\Silverback Productions
[2010/06/02 18:37:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\Skinux
[2010/07/21 08:23:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\Skunk Studios
[2010/08/03 09:42:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\Teleca
[2010/06/07 17:37:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\Template
[2010/07/26 07:27:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\Total Eclipse
[2010/08/08 09:00:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\upromise
[2010/06/30 19:52:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\Virtual City
[2010/07/19 19:57:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\Vogat Interactive
[2010/08/15 09:53:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\Western Software Technologies
[2010/07/13 22:07:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\World-Loom
[2010/07/15 09:31:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Caitlin\Application Data\YoudaGames
[2005/12/02 23:20:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Digital Interactive Systems Corporation
[2010/11/05 03:15:00 | 000,000,282 | ---- | M] () -- C:\WINDOWS\Tasks\Disk Cleanup.job
[2010/10/21 06:36:00 | 000,000,304 | ---- | M] () -- C:\WINDOWS\Tasks\expressSevenDays.job
[2010/10/17 06:36:00 | 000,000,304 | ---- | M] () -- C:\WINDOWS\Tasks\expressShakeIcon.job
[2010/10/17 07:01:01 | 000,000,252 | ---- | M] () -- C:\WINDOWS\Tasks\scribeShakeIcon.job

========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2005/07/26 05:39:44 | 001,267,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\comsvcs.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.sys /90 >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2005/08/30 22:51:10 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2005/08/30 22:51:10 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2005/08/30 22:51:10 | 000,888,832 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %SYSTEMDRIVE%\*.* >
[2009/12/10 12:47:09 | 000,000,000 | ---- | M] () -- C:\AILog.txt
[2005/12/02 23:42:03 | 000,000,100 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/08/20 20:18:01 | 000,000,211 | RHS- | M] () -- C:\BOOT.BAK
[2010/08/20 17:28:58 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2009/12/19 09:02:06 | 000,033,865 | ---- | M] () -- C:\cclog.txt
[2006/07/12 16:25:52 | 000,000,184 | ---- | M] () -- C:\CDFE.log
[2004/08/10 06:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2005/08/31 06:02:02 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2005/12/02 23:44:55 | 000,000,000 | ---- | M] () -- C:\FailKeys.log
[2010/11/07 13:19:59 | 1005,113,344 | -HS- | M] () -- C:\hiberfil.sys
[2005/08/31 06:02:02 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2008/11/17 18:44:01 | 000,006,365 | ---- | M] () -- C:\lxce.log
[2009/11/28 20:17:32 | 003,610,035 | ---- | M] () -- C:\lxceUNST.csv
[2005/08/31 06:02:02 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/10 06:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2004/08/10 06:00:00 | 000,250,032 | RHS- | M] () -- C:\ntldr
[2010/11/07 13:19:54 | 1509,949,440 | -HS- | M] () -- C:\pagefile.sys
[2005/12/02 23:44:55 | 000,000,121 | ---- | M] () -- C:\PassKeys.log
[2010/11/07 10:17:35 | 000,000,464 | ---- | M] () -- C:\rkill.log
[2010/02/28 11:53:26 | 001,265,421 | ---- | M] () -- C:\saida.txt
[2008/12/25 23:33:26 | 000,029,696 | -HS- | M] () -- C:\Thumbs.db
[2006/07/16 00:33:25 | 000,000,152 | ---- | M] () -- C:\YServer.txt

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2007/04/09 12:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll

< %systemroot%\*. /mp /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

========== Alternate Data Streams ==========

@Alternate Data Stream - 97 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6444B424
@Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:89C2A42C
@Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:21622A66
@Alternate Data Stream - 239 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6E11933F
@Alternate Data Stream - 237 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:91FFEC32
@Alternate Data Stream - 236 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:178093AE
@Alternate Data Stream - 234 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:70E897B5
@Alternate Data Stream - 231 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:596E2371
@Alternate Data Stream - 230 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5B09C4D9
@Alternate Data Stream - 225 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F67AAFC5
@Alternate Data Stream - 224 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A3B8F70C
@Alternate Data Stream - 223 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DE9AC04F
@Alternate Data Stream - 223 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5FA4CB99
@Alternate Data Stream - 220 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0E22C5DB
@Alternate Data Stream - 218 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:98982C88
@Alternate Data Stream - 217 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D055FC10
@Alternate Data Stream - 216 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1F96ED45
@Alternate Data Stream - 215 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F9E46E4C
@Alternate Data Stream - 215 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8FA72FF8
@Alternate Data Stream - 215 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8BCF4DE2
@Alternate Data Stream - 215 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:700B9342
@Alternate Data Stream - 214 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E41267F2
@Alternate Data Stream - 214 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C5E2BAEE
@Alternate Data Stream - 214 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7AF9CAEB
@Alternate Data Stream - 214 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0E684AC9
@Alternate Data Stream - 213 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D2397415
@Alternate Data Stream - 213 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1713795
@Alternate Data Stream - 213 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C22674B6
@Alternate Data Stream - 213 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:47A24D4B
@Alternate Data Stream - 213 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:02B823FE
@Alternate Data Stream - 212 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B6DD2C7E
@Alternate Data Stream - 211 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F5E4BCD5
@Alternate Data Stream - 211 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:041C0562
@Alternate Data Stream - 210 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E5DE9C8F
@Alternate Data Stream - 210 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6F55EB66
@Alternate Data Stream - 210 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:496D1709
@Alternate Data Stream - 210 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:417B6FAC
@Alternate Data Stream - 210 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:11EFE63D
@Alternate Data Stream - 209 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:164FA86E
@Alternate Data Stream - 208 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BFAD7A5D
@Alternate Data Stream - 208 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:097FF903
@Alternate Data Stream - 206 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FDCAE7B5
@Alternate Data Stream - 206 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D4C72290
@Alternate Data Stream - 206 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AA60673F
@Alternate Data Stream - 206 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4F96D8E6
@Alternate Data Stream - 204 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:ADDDF689
@Alternate Data Stream - 204 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0860D6D6
@Alternate Data Stream - 203 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D7DA89B1
@Alternate Data Stream - 202 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A4BF246C
@Alternate Data Stream - 202 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7CEDF9F3
@Alternate Data Stream - 202 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:375FC7E7
@Alternate Data Stream - 201 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E91ADC66
@Alternate Data Stream - 201 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D92485C9
@Alternate Data Stream - 200 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3E06C78F
@Alternate Data Stream - 200 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3766E957
@Alternate Data Stream - 199 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6BF0805F
@Alternate Data Stream - 199 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3D36932D
@Alternate Data Stream - 198 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EC0A74A1
@Alternate Data Stream - 198 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB16385F
@Alternate Data Stream - 198 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9726EA15
@Alternate Data Stream - 197 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EB5BDBB0
@Alternate Data Stream - 197 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:385E2CFD
@Alternate Data Stream - 196 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C9FD258B
@Alternate Data Stream - 195 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E3F37A7D
@Alternate Data Stream - 195 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D29191BC
@Alternate Data Stream - 195 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A688EF17
@Alternate Data Stream - 195 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:592D7272
@Alternate Data Stream - 194 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8247A199
@Alternate Data Stream - 194 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:569CEE83
@Alternate Data Stream - 192 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A866F8A3
@Alternate Data Stream - 192 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5E9B629B
@Alternate Data Stream - 189 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A6881EE7
@Alternate Data Stream - 188 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BABA07C2
@Alternate Data Stream - 188 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:28CDD861
@Alternate Data Stream - 187 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E84CA8F2
@Alternate Data Stream - 187 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D0D17155
@Alternate Data Stream - 187 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:02A78DF6
@Alternate Data Stream - 186 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CF61CE5A
@Alternate Data Stream - 186 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5F1019FF
@Alternate Data Stream - 186 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1A8BB29B
@Alternate Data Stream - 186 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1A4BF204
@Alternate Data Stream - 149 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:86725A4F
@Alternate Data Stream - 149 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:71612023
@Alternate Data Stream - 148 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EB86F355
@Alternate Data Stream - 147 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:56F368C9
@Alternate Data Stream - 145 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DD04902E
@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C48A983C
@Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:57176330
@Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4A448DB2
@Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0EC7A545
@Alternate Data Stream - 136 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C72A744C
@Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E883A78D
@Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F84B8DB5
@Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:393F7B1E
@Alternate Data Stream - 132 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CFFC9DD0
@Alternate Data Stream - 132 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0FA1EAA7
@Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C820549A
@Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7FCB9D0D
@Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:40EE25BB
@Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9547F1DB
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7A032A04
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:413E2927
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D8F9D810
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A02025CE
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:206470A5
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0F6AC518
@Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FB647F34
@Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AE2EA3C2
@Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:ADFAD95A
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E5816AB5
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D9987109
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AEEC88F6
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8B2A99C5
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4709F39D
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:98F6F85C
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:48977386
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DB77E2C4
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3F2212BB
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:38E2864F
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E2B84483
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A6CDBCAC
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C611D6C8
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:370E4EFB
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F986CC21
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EA701346
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:ACCFA538
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0D52F295
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:69E3AF64
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:22313216
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:29861223
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:25BB767E
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9E9A3410
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:12D9D48F
@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6813E7F4
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3790BACD
@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BA46F44F
@Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BB3CECA4
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9C012695
@Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C74009E5
@Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:37994DBE

< End of report >


OTL Extras logfile created on: 11/7/2010 8:20:26 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\HP_Administrator\Desktop
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

958.00 Mb Total Physical Memory | 438.00 Mb Available Physical Memory | 46.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 66.02 Gb Total Space | 4.77 Gb Free Space | 7.23% Space Free | Partition Type: NTFS
Drive D: | 8.50 Gb Total Space | 1.13 Gb Free Space | 13.26% Space Free | Partition Type: FAT32

Computer Name: YOUR-4DACD0EA75 | User Name: HP_Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe" = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe:*:Enabled:Updates from HP -- (Hewlett-Packard)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- ()
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\DISC\DISCover.exe" = C:\Program Files\DISC\DISCover.exe:*:Enabled:DISCover Drop & Play System -- (Digital Interactive Systems Corporation)
"C:\Program Files\DISC\DiscStreamHub.exe" = C:\Program Files\DISC\DiscStreamHub.exe:*:Enabled:DISCover Stream Hub -- (Digital Interactive Systems Corporation, Inc.)
"C:\Program Files\DISC\myFTP.exe" = C:\Program Files\DISC\myFTP.exe:*:Enabled:DISCover FTP -- (Digital Interactive Systems Corporation, Inc.)
"C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe" = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe:*:Enabled:Updates from HP -- (Hewlett-Packard)
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" = C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink -- File not found
"C:\Program Files\Ares\Ares.exe" = C:\Program Files\Ares\Ares.exe:*:Enabled:Ares p2p for windows -- File not found
"C:\Documents and Settings\HP_Administrator\Application Data\IMVUClient\1VivoxVoice.exe" = C:\Documents and Settings\HP_Administrator\Application Data\IMVUClient\1VivoxVoice.exe:*:Disabled:1VivoxVoice -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{03B1B42B-F6DE-41d9-8CFF-DC44E895C7A7}" = PhotoGallery
"{0611BD4E-4FE4-4a62-B0C0-18A4CC463428}" = CP_Package_Variety1
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data
"{09984AEC-6B9F-4ca7-B78D-CB44D4771DA3}" = Destinations
"{0B33B738-AD79-4E32-90C5-E67BFB10BBFF}" = AiO_Scan
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{172975EB-9465-4861-95B5-C7BB6D3DE62A}" = DocumentViewer
"{1C139D7D-9FEA-468d-A9C8-2A6E3BDE564A}" = CP_Package_Variety3
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD Plus
"{21DB3D90-D816-4092-A260-CA3F6B55A6DD}" = Sonic_PrimoSDK
"{23A7B376-BBEC-4e76-BBD7-0F155E70D74B}" = CP_Panorama1Config
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java™ 6 Update 21
"{2C5D07FB-31A2-4F2D-9FDA-0B24ACD42BD0}" = HP Deskjet Printer Preload
"{2CADCEAB-D5DA-44D6-B5FC-7DEE87AB3C0C}" = Unload
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{30C19FF2-7FBA-4d09-B9DE-1659977F64F6}" = TrayApp
"{3248F0A8-6813-11D6-A77B-00B0D0150050}" = J2SE Runtime Environment 5.0 Update 5
"{32BDCCB8-9DC8-496d-9DB1-F77510775BDB}" = InstantShareDevices
"{33D6CC28-9F75-4d1b-A11D-98895B3A3729}" = HP Photosmart 330,380,420,470,7800,8000,8200 Series
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36E47DA1-10E1-45d9-8B19-14D19607CDCF}" = CP_CalendarTemplates1
"{382E94C0-6E22-44e4-B003-8EB31DFE296F}" = cp_LightScribeConfig
"{3912A629-0020-0005-3757-2FBA74D4DF0A}" = InterVideo WinDVD Player
"{3BA95526-6AE0-4B87-A62D-17187EF565FC}" = HP Boot Optimizer
"{3E386744-10FA-44b2-98C9-DF7A270DECB3}" = HP PSC & OfficeJet 5.3.A
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{54E3707F-808E-4fd4-95C9-15D1AB077E5D}" = NewCopy
"{567C23E1-7580-4185-B8C2-30805677297C}" = NewCopy_CDA
"{56EE8B17-8274-418d-89AC-C057C5DB251E}" = RandMap
"{56F8AFC3-FA98-4ff1-9673-8A026CBF85BE}" = WebReg
"{5A01C58E-B0EC-49b9-AD71-7C0468688087}" = CP_Package_Basic1
"{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}" = HP PSC & OfficeJet 5.3.B
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler
"{66BA8C26-AFE4-4408-807B-43E76B57EF53}" = SkinsHP1
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6BB6627C-694F-4FDC-A3E5-C7F4BED4C724}" = DocProc
"{755EC5E3-FD51-46bd-A57F-7A2D56FBF061}" = PSTAPlugin
"{769A295C-DCF4-41d6-AFBA-7D9394B23AFE}" = PSPrinters08
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7850A6D2-CBEA-4728-9877-F1BEDEA9F619}" = AiOSoftware
"{7C03270C-4FAB-4F5C-B10D-52FEDA190790}" = DocumentViewerQFolder
"{7E27304E-BAA2-4d90-A34E-76641FAFABB4}" = CP_AtenaShokunin1Config
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD Player
"{923A7F5A-1E8C-4FBE-8DF6-85940A60A79F}" = Readme
"{A195B13E-A5E3-4BAF-A995-7F70F445CD06}" = ScannerCopy
"{A3455242-DAE0-4523-8242-FD82706ABF4B}" = CameraDrivers
"{A5BB5365-EFB4-44c3-A7E2-EB59B7EFD23D}" = CueTour
"{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}" = Wizard101
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio
"{ABBD4BA8-6703-40D2-AB1E-5BB1F7DB49A4}" = Trend Micro Titanium Maximum Security
"{ABBD4BA9-6703-40D2-AB1E-5BB1F7DB49A4}" = Trend Micro™ Titanium™ Maximum Security
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy
"{B276997E-4367-4b1b-A39C-4CAE7464337A}" = AiO_Scan_CDA
"{B4D279F1-4309-49cc-A4B5-3A0D2E59C7B5}" = PanoStandAlone
"{B60E7826-F117-4d26-8165-D2DC5A494AB0}" = Fax_CDA
"{B64E3AFC-59EF-4f18-BF11-E751462450D3}" = AiOSoftwareNPI
"{B824B5C9-849F-4b9e-9EA7-6FD8CD8116DA}" = CP_Package_Variety2
"{B996AE66-10DB-4ac5-B151-E8B4BFBC42FC}" = BufferChm
"{C104580B-1C79-4d73-9BF0-CA0B184296A4}" = cp_LightScribePlugin
"{C506A18C-1469-4678-B094-F4EC9DAE6DB7}" = Scan
"{C83A12B9-B31B-461A-BBD4-CE9B988094F1}" = HP Photosmart Cameras 5.0
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE24344F-DFD8-40C8-8FD8-C9740B5F25AC}" = Fax
"{D518592A-0F1E-40ca-BECB-3D3F026C6B0D}" = CameraDrivers
"{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}" = Apple Application Support
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{E3F90083-80D4-4b5a-87C7-E97E12F5516D}" = HPProductAssistant
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{EA103B64-C0E4-4C0E-A506-751590E1653D}" = SolutionCenter
"{ECFDD6BD-E0C0-41CC-A171-E6D6AF4C0E93}" = HP Software Update
"{F4C2E5F5-2970-45f4-ABD3-C180C4D961C4}" = Status
"{F80239D8-7811-4D5E-B033-0D0BBFE32920}" = HP DigitalMedia Archive
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Agere Systems Soft Modem" = Agere Systems PCI-SV92PP Soft Modem
"am-catwashtm" = Cat Wash™
"am-farmersmarket" = Farmers Market
"am-mykingdomfortheprincessii" = My Kingdom For The Princess II
"am-natgeogamesbuilditgreenbacktothebeach" = Nat Geo Games Build It Green! Back to the Beach
"am-rachelsretreat" = Rachel's Retreat
"am-roadsofrome" = Roads of Rome
"am-robinsquestalegendborn" = Robin's Quest - A Legend Born
"am-royaltrouble" = Royal Trouble
"am-skiresortmogul" = Ski Resort Mogul
"am-snarkbusterswelcometotheclub" = Snark Busters - Welcome to the Club
"am-thefifthgate" = The Fifth Gate
"am-theinstituteabeckybroganadventure" = The Institute - A Becky Brogan Adventure
"am-theislandcastaway" = The Island - Castaway
"am-youdasafari" = Youda Safari
"am-youdasurvivor" = Youda Survivor
"ATI Display Driver" = ATI Display Driver
"AwayMode160" = Microsoft Away Mode
"DISCover" = DISCover
"HP Document Viewer" = HP Document Viewer 5.3
"HP Image Zone for Media Center PC" = HP Image Zone for Media Center PC
"HP Imaging Device Functions" = HP Imaging Device Functions 5.3
"HP Photo & Imaging" = HP Image Zone 5.3
"HP Solution Center & Imaging Support Tools" = HP Solution Center & Imaging Support Tools 5.3
"HPOOVClient-9972322 Uninstaller" = Updates from HP (remove only)
"ie8" = Windows Internet Explorer 8
"IntelliMover Data Transfer Demo" = Remove IntelliMover Demo
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Money2005b" = Microsoft Money 2005
"PS2" = PS2
"pywin32-py2.2" = Python 2.2 pywin32 extensions (build 203)
"RealPlayer 6.0" = RealPlayer
"ViewpointMediaPlayer" = Viewpoint Media Player
"Web Games Player Plugin" = Web Games Player Plugin
"Windows Media Format Runtime" = Windows Media Format Runtime

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1530636030-2427805075-3282295006-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/2/2010 4:49:45 PM | Computer Name = YOUR-4DACD0EA75 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 11/2/2010 4:49:45 PM | Computer Name = YOUR-4DACD0EA75 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 11/3/2010 2:13:49 PM | Computer Name = YOUR-4DACD0EA75 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 11/6/2010 4:37:36 PM | Computer Name = YOUR-4DACD0EA75 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/6/2010 10:54:32 PM | Computer Name = YOUR-4DACD0EA75 | Source = Media Center Extender Services | ID = 36865
Description = ERROR: Device Service Listener - UDP networking failed. Error code
0x8007277A.

Error - 11/7/2010 12:26:36 PM | Computer Name = YOUR-4DACD0EA75 | Source = MsiInstaller | ID = 1008
Description = The installation of C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet Files\Content.IE5\UNS18Z0T\HiJackThis[1].msi is not
permitted due to an error in software restriction policy processing. The object
cannot be trusted.

Error - 11/7/2010 3:04:02 PM | Computer Name = YOUR-4DACD0EA75 | Source = Media Center Extender Services | ID = 36865
Description = ERROR: Device Service Listener - UDP networking failed. Error code
0x8007277A.

Error - 11/7/2010 3:11:22 PM | Computer Name = YOUR-4DACD0EA75 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 11/7/2010 3:20:24 PM | Computer Name = YOUR-4DACD0EA75 | Source = Media Center Extender Services | ID = 36865
Description = ERROR: Device Service Listener - UDP networking failed. Error code
0x8007277A.

Error - 11/7/2010 6:13:16 PM | Computer Name = YOUR-4DACD0EA75 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 10/16/2010 7:27:17 PM | Computer Name = YOUR-4DACD0EA75 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 10/17/2010 1:58:53 AM | Computer Name = YOUR-4DACD0EA75 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 10/17/2010 10:04:22 AM | Computer Name = YOUR-4DACD0EA75 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 10/17/2010 10:05:07 AM | Computer Name = YOUR-4DACD0EA75 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 10/17/2010 10:05:21 AM | Computer Name = YOUR-4DACD0EA75 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AmdK8 Fips SASDIFSV SASKUTIL

Error - 10/17/2010 10:06:35 AM | Computer Name = YOUR-4DACD0EA75 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 10/17/2010 10:07:18 AM | Computer Name = YOUR-4DACD0EA75 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 10/17/2010 10:09:19 AM | Computer Name = YOUR-4DACD0EA75 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 10/17/2010 10:09:58 AM | Computer Name = YOUR-4DACD0EA75 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AmdK8 Fips SASDIFSV SASKUTIL

Error - 10/17/2010 10:21:10 AM | Computer Name = YOUR-4DACD0EA75 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}


< End of report >




#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:01:49 PM

Posted 08 November 2010 - 11:24 PM

Hello, KLong1273.

Thanks for the update. Let's take a deeper look.



Step 1

Please download MBRCheck by ad_13 and save it to your desktop.

Double-click to run. A window will pop up. If it says 'non-standard' or 'infected' MBR code detected, please type 3 for Exit for now and press Enter.

It will save a logfile on your desktop that starts with MBR, then has the date, etc. Please copy and paste the contents of that log in your reply.



Step 2

Scan With RKUnHooker

  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#5 KLong1273

KLong1273
  • Topic Starter

  • Members
  • 6 posts
  • Local time:11:49 AM

Posted 09 November 2010 - 10:57 AM

Ok, I have the MBR log, but I cannot download RKUnHooker. Every time I click on it I get "Internet Explorer cannot display the webpage".

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 102):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FD000 \WINDOWS\system32\hal.dll
0xF7AA3000 \WINDOWS\system32\KDCOM.DLL
0xF79B3000 \WINDOWS\system32\BOOTVID.dll
0xF7554000 ACPI.sys
0xF7AA5000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7543000 pci.sys
0xF75A3000 isapnp.sys
0xF75B3000 ohci1394.sys
0xF75C3000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7B6B000 pciide.sys
0xF7823000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7AA7000 viaide.sys
0xF7AA9000 intelide.sys
0xF75D3000 MountMgr.sys
0xF7524000 ftdisk.sys
0xF7AAB000 dmload.sys
0xF74FE000 dmio.sys
0xF782B000 PartMgr.sys
0xF75E3000 VolSnap.sys
0xF7429000 iaStor.sys
0xF7411000 atapi.sys
0xF73CE000 ftsata2.sys
0xF73B6000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF75F3000 disk.sys
0xF7603000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7396000 fltMgr.sys
0xF7384000 sr.sys
0xF7613000 bb-run.sys
0xF7833000 PxHelp20.sys
0xF736D000 KSecDD.sys
0xF72E0000 Ntfs.sys
0xF72B3000 NDIS.sys
0xF7298000 Mup.sys
0xF7873000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF7255000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7883000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7643000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7653000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7673000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF7232000 \SystemRoot\system32\DRIVERS\ks.sys
0xF721F000 \SystemRoot\system32\DRIVERS\Rtlnicxp.sys
0xF7683000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7A3B000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF7208000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7693000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF76A3000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF791B000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF71CF000 \SystemRoot\system32\DRIVERS\psched.sys
0xF76B3000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7943000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7953000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7963000 \SystemRoot\system32\DRIVERS\wanatw4.sys
0xF719E000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF76C3000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF783B000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF787B000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7AB1000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF716A000 \SystemRoot\system32\DRIVERS\update.sys
0xF7A67000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF76D3000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7AB5000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF76E3000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7ABB000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7C70000 \SystemRoot\System32\Drivers\Null.SYS
0xF7ABF000 \SystemRoot\System32\Drivers\Beep.SYS
0xF790B000 \SystemRoot\System32\drivers\vga.sys
0xF712E000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0xF7AC3000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7933000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF794B000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7A9F000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF70FB000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF70A3000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF707B000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF705A000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF7038000 \SystemRoot\System32\drivers\afd.sys
0xF76F3000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF6F6D000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF6EFE000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF6EB3000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF7993000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF79A3000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xF786B000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF7162000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF7713000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF78AB000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF78C3000 \SystemRoot\system32\DRIVERS\arhidfltr.sys
0xF715A000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF7AD3000 \SystemRoot\system32\DRIVERS\armoucfltr.sys
0xF7152000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xF7AD7000 \SystemRoot\system32\DRIVERS\arkbcfltr.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xF7A97000 \SystemRoot\System32\drivers\Dxapi.sys
0xF795B000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7C85000 \SystemRoot\System32\drivers\dxgthk.sys
0xBFF50000 \SystemRoot\System32\framebuf.dll
0xF6C4F000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xF6A64000 \SystemRoot\system32\DRIVERS\srv.sys
0xF67CC000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 19):
0 System Idle Process
4 System
384 C:\WINDOWS\system32\smss.exe
440 csrss.exe
464 C:\WINDOWS\system32\winlogon.exe
512 C:\WINDOWS\system32\services.exe
524 C:\WINDOWS\system32\lsass.exe
680 C:\WINDOWS\system32\svchost.exe
748 svchost.exe
828 C:\WINDOWS\system32\svchost.exe
904 svchost.exe
940 svchost.exe
1252 C:\WINDOWS\explorer.exe
1772 C:\WINDOWS\system32\ctfmon.exe
208 C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OJYH0X8D\Defogger[1].exe
1764 C:\Program Files\Internet Explorer\iexplore.exe
212 C:\Program Files\Internet Explorer\iexplore.exe
784 C:\Program Files\Internet Explorer\iexplore.exe
812 C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YGX4VWFE\MBRCheck[1].exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`20af2e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: ST380011A, Rev: 8.11

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Legit MBR code detected
SHA1: F75A10171F7488C11BA9A98CEC3D186D7A8D3972


Done!

#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:01:49 PM

Posted 09 November 2010 - 07:37 PM

Hello, KLong1273.

Yeah, the site appears to be down. We'll push on.



Step 1

Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#7 KLong1273

KLong1273
  • Topic Starter

  • Members
  • 6 posts
  • Local time:11:49 AM

Posted 10 November 2010 - 09:05 AM

OK, finally got ComboFix to download. It couldn't find the Recovery Console (which is there) and tried to download a newer version, but couldn't find the internet connection. It also said ComboFix was out of date and offered to run a limited version since I have no internet connection to update it. I went ahead and ran it.

ComboFix 10-11-03.04 - HP_Administrator 11/10/2010 7:41.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.584 [GMT -6:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\etavaresCF.exe
AV: Trend Micro Titanium Maximum Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\mswd
C:\Thumbs.db
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-10-10 to 2010-11-10 )))))))))))))))))))))))))))))))
.

2010-11-09 00:33 . 2010-11-09 00:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2010-11-07 19:26 . 2010-11-07 19:26 -------- d-----w- c:\documents and settings\LocalService\Application Data\Trend Micro
2010-11-07 19:26 . 2010-11-07 19:15 92112 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2010-11-07 19:26 . 2010-11-07 19:15 80464 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2010-11-07 19:26 . 2010-11-07 19:15 64080 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2010-11-07 19:25 . 2010-11-07 19:25 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2010-11-07 18:49 . 2010-11-07 18:49 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-11-07 16:53 . 2010-11-07 16:53 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-11-07 16:45 . 2010-11-07 16:45 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2010-11-04 23:38 . 2010-11-04 23:52 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Ashtons Family Resort
2010-11-03 16:08 . 2010-11-03 16:08 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Meridian93
2010-10-25 12:37 . 2010-10-25 12:37 -------- d-----w- c:\documents and settings\All Users\Application Data\a735af
2010-10-21 14:42 . 2010-10-21 14:42 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Sahmon Games
2010-10-21 02:43 . 2010-10-21 02:43 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Fugazo
2010-10-19 23:42 . 2010-10-19 23:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Becky Brogan 2
2010-10-19 23:15 . 2010-10-19 23:15 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Mean Hamster Software
2010-10-19 14:31 . 2010-10-19 14:31 -------- d-----w- c:\documents and settings\HP_Administrator\Saved Games
2010-10-19 08:22 . 2010-10-19 08:22 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\NatGeoGames
2010-10-19 08:22 . 2010-10-19 08:22 -------- d-----w- c:\documents and settings\All Users\Application Data\NatGeoGames
2010-10-18 11:39 . 2010-10-18 11:39 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HP
2010-10-18 11:39 . 2010-10-18 11:39 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\IsolatedStorage
2010-10-18 11:39 . 2010-10-18 11:39 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\HP
2010-10-17 20:55 . 2010-10-17 20:56 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\TheLostKingdomProphecy
2010-10-17 14:23 . 2010-10-17 14:23 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-17 14:22 . 2010-10-17 14:22 -------- d-----w- c:\program files\Microsoft Money 2005
2010-10-17 14:22 . 2010-10-17 14:22 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Conduit
2010-10-17 14:13 . 2010-10-17 14:13 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2010-10-16 23:46 . 2010-10-16 23:46 -------- d-----w- c:\program files\ESET
2010-10-16 23:34 . 2010-10-16 23:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-10-16 23:34 . 2010-10-17 14:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-16 23:09 . 2010-10-16 23:09 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-10-16 19:30 . 2010-10-16 19:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-10-16 19:30 . 2010-10-16 19:30 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-10-14 14:21 . 2010-10-14 14:21 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Jumb-O-Fun Games
2010-10-14 12:35 . 2010-10-14 12:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-10-14 12:35 . 2010-10-14 12:36 -------- d-----w- c:\program files\NCH Swift Sound
2010-10-14 12:35 . 2010-10-17 14:21 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\NCH Swift Sound
2010-10-13 19:04 . 2010-10-13 19:04 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Identities

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-07 19:15 . 2010-08-24 16:47 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-09-08 16:17 . 2010-09-08 16:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 16:17 . 2010-09-08 16:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-08-21 01:18 . 2010-08-21 01:19 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-08-21 01:18 . 2010-08-21 01:19 423656 ----a-w- c:\windows\system32\deployJava1.dll
2008-05-06 02:54 . 2008-05-06 02:54 15452536 -c--a-w- c:\program files\IE7-WindowsXP-x86-enu.exe
2006-06-20 03:48 . 2006-06-20 03:48 1874873 -c--a-w- c:\program files\quicklookup.exe
2006-06-05 23:57 . 2006-06-05 23:57 397352 -c--a-w- c:\program files\msgr75us.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC}]
2010-11-07 19:15 234832 ----a-w- c:\program files\Trend Micro\AMSP\module\20002\6.5.1234\6.5.1234\TmBpIe32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USRpdA"="c:\windows\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-12-03 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2010-11-07 112632]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2010-11-07 1062224]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin F6D4050 Enhanced Wireless USB Adapter Utility.lnk.disabled [2010-5-28 862]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Kodak EasyShare software.lnk.disabled [2010-5-11 1848]
Updates from HP.lnk.disabled [2008-6-1 989]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-2 27136]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [11/7/2010 1:26 PM 64080]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [11/7/2010 1:23 PM 196320]
.
Contents of the 'Scheduled Tasks' folder

2010-10-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-11-05 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-10 12:00]

2010-11-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3958178375-4217585030-2624718606-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 08:02]

2010-11-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3958178375-4217585030-2624718606-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 08:02]

2010-11-05 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2010-02-15 21:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.alaweb.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\HP_Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: geekbuddy.com\www
Trusted Zone: trymedia.com
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{7b13ec3e-999a-4b70-b9cb-2617b8323822} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{7B13EC3E-999A-4B70-B9CB-2617B8323822} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-10 07:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380011A rev.8.11 -> \Device\Ide\IdePort0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x858A3EC5]<<
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x83bd2872; SUB DWORD [EBP-0x4], 0x83bd212e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\Harddisk0\DR0[0x85960AB8]
3 CLASSPNP[0xF75D105B] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\00000065[0x859A8710]
5 ACPI[0xF7447620] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x859CAD98]
[0x855F14F8] -> IRP_MJ_CREATE -> 0x858A3EC5
error: Read The system cannot find the file specified.
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5c; }
detected hooks:
\Device\Ide\IdeDeviceP2T0L0-12 -> \??\IDE#DiskST380011A_______________________________8.11____#4a3557564a344358202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
\Driver\atapi DriverStartIo -> 0x858A3AEA
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

Filesystem trace:
called modules: ntkrnlpa.exe hal.dll catchme.sys fltMgr.sys tmevtmgr.sys bb-run.sys sr.sys Ntfs.sys
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\catchme.sys
c:\windows\system32\DRIVERS\tmevtmgr.sys Trend Micro Inc. Trend Micro AEGIS
c:\windows\system32\drivers\bb-run.sys Promise Technology, Inc. Promise® Disk Accelerator
1 ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x84F75420]
3 fltMgr[0xF7286E95] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x855F3C78]
5 bb-run[0xF75E47E1] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x855F3A28]
7 sr[0xF7276870] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x855F2020]
9 ntkrnlpa[0x8057E6FD] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x84F75420]
11 fltMgr[0xF7287098] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x855F3C78]
13 bb-run[0xF75E1014] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x855F3A28]
15 sr[0xF7271453] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x855F2020]

Registry trace:
called modules: ntkrnlpa.exe hal.dll

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(600)
c:\windows\system32\wininet.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(660)
c:\windows\system32\wininet.dll
.
Completion time: 2010-11-10 07:57:05
ComboFix-quarantined-files.txt 2010-11-10 13:56

Pre-Run: 6,874,521,600 bytes free
Post-Run: 8,455,278,592 bytes free

- - End Of File - - 7499114E999C16DD133449ACBB02E6BE

#8 etavares - Bleepin' Remover (Malware Response Team, 15,514 posts)

Posted 10 November 2010 - 07:47 PM

Hmmm, please delete your copy and download it again and run. Reduced Functionality mode is exactly that. If it can't download the new copy, cancel out and let me know.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#9 KLong1273 - Topic Starter (Members, 6 posts)

Posted 11 November 2010 - 11:41 AM

ComboFix 10-11-10.03 - HP_Administrator 11/11/2010 10:08:45.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.640 [GMT -6:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\etavaresCF.exe
AV: Trend Micro Titanium Maximum Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2010-10-11 to 2010-11-11 )))))))))))))))))))))))))))))))
.

2010-11-09 00:33 . 2010-11-09 00:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2010-11-07 19:26 . 2010-11-07 19:26 -------- d-----w- c:\documents and settings\LocalService\Application Data\Trend Micro
2010-11-07 19:26 . 2010-11-07 19:15 92112 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2010-11-07 19:26 . 2010-11-07 19:15 80464 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2010-11-07 19:26 . 2010-11-07 19:15 64080 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2010-11-07 19:25 . 2010-11-07 19:25 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2010-11-07 18:49 . 2010-11-07 18:49 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-11-07 16:53 . 2010-11-07 16:53 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-11-07 16:45 . 2010-11-07 16:45 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2010-11-04 23:38 . 2010-11-04 23:52 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Ashtons Family Resort
2010-11-03 16:08 . 2010-11-03 16:08 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Meridian93
2010-10-25 12:37 . 2010-10-25 12:37 -------- d-----w- c:\documents and settings\All Users\Application Data\a735af
2010-10-21 14:42 . 2010-10-21 14:42 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Sahmon Games
2010-10-21 02:43 . 2010-10-21 02:43 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Fugazo
2010-10-19 23:42 . 2010-10-19 23:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Becky Brogan 2
2010-10-19 23:15 . 2010-10-19 23:15 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Mean Hamster Software
2010-10-19 14:31 . 2010-10-19 14:31 -------- d-----w- c:\documents and settings\HP_Administrator\Saved Games
2010-10-19 08:22 . 2010-10-19 08:22 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\NatGeoGames
2010-10-19 08:22 . 2010-10-19 08:22 -------- d-----w- c:\documents and settings\All Users\Application Data\NatGeoGames
2010-10-18 11:39 . 2010-10-18 11:39 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HP
2010-10-18 11:39 . 2010-10-18 11:39 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\IsolatedStorage
2010-10-18 11:39 . 2010-10-18 11:39 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\HP
2010-10-17 20:55 . 2010-10-17 20:56 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\TheLostKingdomProphecy
2010-10-17 14:23 . 2010-10-17 14:23 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-17 14:22 . 2010-10-17 14:22 -------- d-----w- c:\program files\Microsoft Money 2005
2010-10-17 14:22 . 2010-10-17 14:22 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Conduit
2010-10-17 14:13 . 2010-10-17 14:13 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2010-10-16 23:46 . 2010-10-16 23:46 -------- d-----w- c:\program files\ESET
2010-10-16 23:34 . 2010-10-16 23:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-10-16 23:34 . 2010-10-17 14:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-16 23:09 . 2010-10-16 23:09 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-10-16 19:30 . 2010-10-16 19:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-10-16 19:30 . 2010-10-16 19:30 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-10-14 14:21 . 2010-10-14 14:21 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Jumb-O-Fun Games
2010-10-14 12:35 . 2010-10-14 12:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-10-14 12:35 . 2010-10-14 12:36 -------- d-----w- c:\program files\NCH Swift Sound
2010-10-14 12:35 . 2010-10-17 14:21 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\NCH Swift Sound
2010-10-13 19:04 . 2010-10-13 19:04 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Identities

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-07 19:15 . 2010-08-24 16:47 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-09-08 16:17 . 2010-09-08 16:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 16:17 . 2010-09-08 16:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-08-21 01:18 . 2010-08-21 01:19 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-08-21 01:18 . 2010-08-21 01:19 423656 ----a-w- c:\windows\system32\deployJava1.dll
2008-05-06 02:54 . 2008-05-06 02:54 15452536 -c--a-w- c:\program files\IE7-WindowsXP-x86-enu.exe
2006-06-20 03:48 . 2006-06-20 03:48 1874873 -c--a-w- c:\program files\quicklookup.exe
2006-06-05 23:57 . 2006-06-05 23:57 397352 -c--a-w- c:\program files\msgr75us.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USRpdA"="c:\windows\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-12-03 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2010-11-07 112632]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2010-11-07 1062224]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin F6D4050 Enhanced Wireless USB Adapter Utility.lnk.disabled [2010-5-28 862]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Kodak EasyShare software.lnk.disabled [2010-5-11 1848]
Updates from HP.lnk.disabled [2008-6-1 989]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-2 27136]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [11/7/2010 1:23 PM 196320]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [11/7/2010 1:26 PM 64080]
.
Contents of the 'Scheduled Tasks' folder

2010-10-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-11-11 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-10 12:00]

2010-11-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3958178375-4217585030-2624718606-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 08:02]

2010-11-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3958178375-4217585030-2624718606-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 08:02]

2010-11-11 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2010-02-15 21:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.alaweb.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = yes
uInternet Connection Wizard,ShellNext = 0a000000
uInternet Connection Wizard,ShellNext = yes
uInternet Connection Wizard,ShellNext = 01000000
uInternet Connection Wizard,ShellNext = yes
uInternet Connection Wizard,ShellNext = 1a000000
uInternet Connection Wizard,ShellNext = 1a000000
uInternet Connection Wizard,ShellNext = Microsoft Corporation
uInternet Connection Wizard,ShellNext = MICROSO
uInternet Connection Wizard,ShellNext = 6.00.2800.1017
uInternet Connection Wizard,ShellNext = no
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = \0
uInternet Connection Wizard,ShellNext = about:NoAdd-ons
uInternet Connection Wizard,ShellNext = about:SecurityRisk
uInternet Connection Wizard,ShellNext = yes
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\HP_Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: geekbuddy.com\www
Trusted Zone: trymedia.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-11 10:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-11-11 10:38:23
ComboFix-quarantined-files.txt 2010-11-11 16:38
ComboFix2.txt 2010-11-10 13:57

Pre-Run: 8,093,372,416 bytes free
Post-Run: 8,421,187,584 bytes free

- - End Of File - - 00C9C23EE845A039DD60D81041D687CE

#10 etavares - Bleepin' Remover (Malware Response Team, 15,514 posts)

Posted 11 November 2010 - 07:06 PM

Hello, KLong1273.

Much better. :) How is it running now? Combofix did detect a backdoor rootkit. Looks like TDL2 rootkit.


Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.


Step 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
C:\Documents and Settings\All Users\Application Data\a735af
C:\Documents and Settings\All Users\Application Data\mswd
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000000
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
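The indicators etavares acts on above are all visible in the posted logs: the catchme disk trace shows an UNKNOWN module in the storage I/O path, a hook on \Driver\atapi DriverStartIo and a "possible TDL3" warning; the Reg Loading Points show Security Center monitoring switched off for the AV product and the Windows Firewall disabled; the Files Created list has a hex-named folder (a735af) under All Users\Application Data, which the CFScript then deletes. The script below is an added example for this thread, not ComboFix code and not something the helper posted. It pulls those same indicators out of a log automatically. SAMPLE_LOG is constructed to mirror the line shapes of the posted logs with values copied from them (the AV product GUID is a placeholder), and the severity labels are the author's own triage ranking, not ComboFix output.

```python
"""Triage heuristics for ComboFix and catchme (GMER) rootkit-scan output.

Added example; not ComboFix code and not from the original thread.
SAMPLE_LOG is constructed from the line shapes in the posted logs.
"""
import re

SAMPLE_LOG = r"""
AV: Trend Micro Titanium Maximum Security *On-access scanning disabled* (Updated) {00000000-0000-0000-0000-000000000000}

Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x858A3EC5]<<
detected hooks:
\Device\Ide\IdeDeviceP2T0L0-12 -> \??\IDE#DiskST380011A#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
\Driver\atapi DriverStartIo -> 0x858A3AEA
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

2010-10-25 12:37 . 2010-10-25 12:37 -------- d-----w- c:\documents and settings\All Users\Application Data\a735af
2010-10-19 23:42 . 2010-10-19 23:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Becky Brogan 2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USRpdA"="c:\windows\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

RE_UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
RE_HOOK = re.compile(r"^(\\(?:Driver|Device)\\\S+) (\S+) -> (0x[0-9A-Fa-f]+)$")
RE_KEY = re.compile(r"^\[(HK[^\]]+)\]$")
RE_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')
RE_FIREWALL = re.compile(r'^"EnableFirewall"= ?(\d+)')
RE_ORPHAN = re.compile(r'^"([^"]+)"="(.+)" \[X\]$')
RE_NEWDIR = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d \S+ d\S+ (.+)$")
RE_RANDOM = re.compile(r"^[0-9a-f]{5,}$")


def triage(log):
    """Return [(severity, finding), ...] in log order for one log text."""
    findings = []
    key = ""  # registry key that the following values belong to
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        # Kernel-level indicators from the catchme disk trace: code in the
        # storage I/O path that belongs to no loaded module, a hooked driver
        # dispatch routine, a disk device object that cannot be opened by name.
        for m in RE_UNKNOWN.finditer(line):
            findings.append(("CRITICAL", "code outside any loaded module in disk I/O path at " + m.group(1)))
        m = RE_HOOK.match(line)
        if m:
            findings.append(("CRITICAL", "%s %s hooked to %s" % m.groups()))
        if line.startswith("\\Device\\") and line.endswith("device not found"):
            findings.append(("HIGH", "disk device object not reachable by name: " + line.split(" -> ")[0]))
        if line.startswith("Warning:"):
            findings.append(("CRITICAL", line[8:].strip()))
        # Protection state reported in the ComboFix header.
        if line.startswith("AV:") and "scanning disabled" in line:
            findings.append(("HIGH", "real-time AV scanning disabled: " + line[3:].split("*")[0].strip()))
        # Reg Loading Points: remember the key, then judge the values under it.
        m = RE_KEY.match(line)
        if m:
            key = m.group(1)
            continue
        leaf = key.rsplit("\\", 1)[-1]
        m = RE_DWORD.match(line)
        if m and m.group(1) == "DisableMonitoring" and int(m.group(2), 16) and "security center" in key.lower():
            findings.append(("HIGH", "Security Center monitoring disabled for " + leaf))
        m = RE_FIREWALL.match(line)
        if m and int(m.group(1)) == 0:
            findings.append(("MEDIUM", "Windows Firewall disabled in " + leaf))
        m = RE_ORPHAN.match(line)
        if m:
            findings.append(("LOW", "autostart '%s' points to a missing file: %s" % m.groups()))
        # Files Created: hex-named directories dropped into shared profile data.
        m = RE_NEWDIR.match(line)
        if m and RE_RANDOM.match(m.group(1).rsplit("\\", 1)[-1]) and "application data" in m.group(1).lower():
            findings.append(("MEDIUM", "randomly named directory under Application Data: " + m.group(1)))
    return findings


def max_severity(findings):
    """Highest severity present, or None when nothing was flagged."""
    return max((s for s, _ in findings), key=SEVERITY_RANK.get, default=None)


if __name__ == "__main__":
    for sev, what in triage(SAMPLE_LOG):
        print("%-8s %s" % (sev, what))
    print("overall:", max_severity(triage(SAMPLE_LOG)))
```

The severities are triage hints, not verdicts. The [X] orphan on USRpdA is only a stale autostart whose file is gone, and a disabled firewall has many benign explanations; the DriverStartIo hook into an address that no loaded module owns, together with the UNKNOWN module in the disk I/O path, is the finding the catchme warning on the page reacts to, and it is consistent with the infected atapi.sys that the next ComboFix run restored.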
 


#11 KLong1273 - Topic Starter (Members, 6 posts)

Posted 11 November 2010 - 11:29 PM

Running much better now. No more redirects so far and all of the programs I am running can tell that I have an internet connection now. We really only use this computer for playing games and surfing the internet, no banking or anything sensitive. Do you think I need to reformat and reinstall or would it be ok with a really good antivirus and firewall? What do you recommend?

ComboFix 10-11-10.03 - HP_Administrator 11/11/2010 22:12:18.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.668 [GMT -6:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\etavaresCF.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: Trend Micro Titanium Maximum Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\a735af
c:\documents and settings\All Users\Application Data\a735af\SMa73_302.exe

.
((((((((((((((((((((((((( Files Created from 2010-10-12 to 2010-11-12 )))))))))))))))))))))))))))))))
.

2010-11-09 00:33 . 2010-11-09 00:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2010-11-07 19:26 . 2010-11-07 19:26 -------- d-----w- c:\documents and settings\LocalService\Application Data\Trend Micro
2010-11-07 19:26 . 2010-11-07 19:15 92112 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2010-11-07 19:26 . 2010-11-07 19:15 80464 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2010-11-07 19:26 . 2010-11-07 19:15 64080 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2010-11-07 19:25 . 2010-11-07 19:25 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2010-11-07 18:49 . 2010-11-07 18:49 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-11-07 16:53 . 2010-11-07 16:53 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-11-07 16:45 . 2010-11-07 16:45 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2010-11-04 23:38 . 2010-11-04 23:52 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Ashtons Family Resort
2010-11-03 16:08 . 2010-11-03 16:08 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Meridian93
2010-10-21 14:42 . 2010-10-21 14:42 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Sahmon Games
2010-10-21 02:43 . 2010-10-21 02:43 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Fugazo
2010-10-19 23:42 . 2010-10-19 23:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Becky Brogan 2
2010-10-19 23:15 . 2010-10-19 23:15 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Mean Hamster Software
2010-10-19 14:31 . 2010-10-19 14:31 -------- d-----w- c:\documents and settings\HP_Administrator\Saved Games
2010-10-19 08:22 . 2010-10-19 08:22 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\NatGeoGames
2010-10-19 08:22 . 2010-10-19 08:22 -------- d-----w- c:\documents and settings\All Users\Application Data\NatGeoGames
2010-10-18 11:39 . 2010-10-18 11:39 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HP
2010-10-18 11:39 . 2010-10-18 11:39 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\IsolatedStorage
2010-10-18 11:39 . 2010-10-18 11:39 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\HP
2010-10-17 20:55 . 2010-10-17 20:56 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\TheLostKingdomProphecy
2010-10-17 14:23 . 2010-10-17 14:23 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-17 14:22 . 2010-10-17 14:22 -------- d-----w- c:\program files\Microsoft Money 2005
2010-10-17 14:22 . 2010-10-17 14:22 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Conduit
2010-10-17 14:13 . 2010-10-17 14:13 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2010-10-16 23:46 . 2010-10-16 23:46 -------- d-----w- c:\program files\ESET
2010-10-16 23:34 . 2010-10-16 23:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-10-16 23:34 . 2010-10-17 14:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-16 23:09 . 2010-10-16 23:09 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-10-16 19:30 . 2010-10-16 19:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-10-16 19:30 . 2010-10-16 19:30 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-10-14 14:21 . 2010-10-14 14:21 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Jumb-O-Fun Games
2010-10-14 12:35 . 2010-10-14 12:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-10-14 12:35 . 2010-10-14 12:36 -------- d-----w- c:\program files\NCH Swift Sound
2010-10-14 12:35 . 2010-10-17 14:21 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\NCH Swift Sound
2010-10-13 19:04 . 2010-10-13 19:04 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Identities

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-07 19:15 . 2010-08-24 16:47 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-09-08 16:17 . 2010-09-08 16:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 16:17 . 2010-09-08 16:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-08-21 01:18 . 2010-08-21 01:19 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-08-21 01:18 . 2010-08-21 01:19 423656 ----a-w- c:\windows\system32\deployJava1.dll
2008-05-06 02:54 . 2008-05-06 02:54 15452536 -c--a-w- c:\program files\IE7-WindowsXP-x86-enu.exe
2006-06-20 03:48 . 2006-06-20 03:48 1874873 -c--a-w- c:\program files\quicklookup.exe
2006-06-05 23:57 . 2006-06-05 23:57 397352 -c--a-w- c:\program files\msgr75us.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USRpdA"="c:\windows\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-12-03 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2010-11-07 112632]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2010-11-07 1062224]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin F6D4050 Enhanced Wireless USB Adapter Utility.lnk.disabled [2010-5-28 862]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Kodak EasyShare software.lnk.disabled [2010-5-11 1848]
Updates from HP.lnk.disabled [2008-6-1 989]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-2 27136]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [11/7/2010 1:26 PM 64080]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [11/7/2010 1:23 PM 196320]
.
Contents of the 'Scheduled Tasks' folder

2010-10-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-11-11 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-10 12:00]

2010-11-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3958178375-4217585030-2624718606-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 08:02]

2010-11-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3958178375-4217585030-2624718606-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 08:02]

2010-11-11 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2010-02-15 21:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.alaweb.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\HP_Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: geekbuddy.com\www
Trusted Zone: trymedia.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-11 22:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-11-11 22:22:42
ComboFix-quarantined-files.txt 2010-11-12 04:22
ComboFix2.txt 2010-11-11 16:38
ComboFix3.txt 2010-11-10 13:57

Pre-Run: 7,908,360,192 bytes free
Post-Run: 8,085,680,128 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 7BF418408F9A13A0F661A7F3BDC72495

#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:49 PM

Posted 13 November 2010 - 07:10 AM

Hello, KLong1273.

It's really up to you. We can get the computer running back to normal, but we'll never be 100% sure we removed all the virus. Of course, you have that risk the second you plug any computer into the internet. If the perfect virus was written, you'd have no idea it was on your computer. We did stop the symptoms from this rootkit. It's really up to you if you want to reformat or continue to use it. Many people choose each path.




Step 1

Next, we need to update Java.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 22 and save it to your desktop.
  • Scroll down to where it says "JDK 6 Update 22 (JDK or JRE)...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) or Java™ in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u22-windows-i586-p.exe to install the newest version.



Step 2

You are using an outdated version of Adobe Reader. Adobe has since been updated and the update closes many security holes and provides new features.

First, uninstall earlier versions of Adobe Reader.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all versions of Adobe Reader.
  • Check (highlight) any item with Adobe Reader in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Adobe Reader version.

Please download the latest version from:
http://get.adobe.com/reader/

And install it. Once installed, launch it, select Help --> Check for Updates and install any updates.


You may also try the free Foxit PDF reader if you prefer:
http://www.foxitsoftware.com/pdf/reader/



Step 3

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



Step 4

Please pull anything out of the recycle bin that you want to save. Part of this fix will empty temp files, and that does include the recycle bin.

We need to run an OTL script
  • Please download OTL from one of the following mirrors if you do not still have it.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Paste the following code under the Custom Scans/Fixes box at the bottom. Do not include the word "Code".
    :OTL
    DRV - File not found [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\intelppm.sys -- (intelppm)
    IE - HKU\S-1-5-21-1530636030-2427805075-3282295006-1008\..\URLSearchHook: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - Reg Error: Key error. File not found
    O3 - HKU\S-1-5-21-1530636030-2427805075-3282295006-1008\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-1530636030-2427805075-3282295006-1008\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-1530636030-2427805075-3282295006-1008\..\Toolbar\WebBrowser: (no name) - {7B13EC3E-999A-4B70-B9CB-2617B8323822} - No CLSID value found.
    O3 - HKU\S-1-5-21-1530636030-2427805075-3282295006-1008\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O4 - HKLM..\Run: [USRpdA] File not found
    O4 - Startup: C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\IMVU.lnk = C:\Documents and Settings\HP_Administrator\Application Data\IMVUClient\IMVUQualityAgent.exe File not found
    @Alternate Data Stream - 97 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6444B424
    @Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:89C2A42C
    @Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:21622A66
    @Alternate Data Stream - 239 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6E11933F
    @Alternate Data Stream - 237 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:91FFEC32
    @Alternate Data Stream - 236 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:178093AE
    @Alternate Data Stream - 234 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:70E897B5
    @Alternate Data Stream - 231 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:596E2371
    @Alternate Data Stream - 230 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5B09C4D9
    @Alternate Data Stream - 225 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F67AAFC5
    @Alternate Data Stream - 224 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A3B8F70C
    @Alternate Data Stream - 223 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DE9AC04F
    @Alternate Data Stream - 223 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5FA4CB99
    @Alternate Data Stream - 220 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0E22C5DB
    @Alternate Data Stream - 218 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:98982C88
    @Alternate Data Stream - 217 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D055FC10
    @Alternate Data Stream - 216 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1F96ED45
    @Alternate Data Stream - 215 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F9E46E4C
    @Alternate Data Stream - 215 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8FA72FF8
    @Alternate Data Stream - 215 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8BCF4DE2
    @Alternate Data Stream - 215 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:700B9342
    @Alternate Data Stream - 214 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E41267F2
    @Alternate Data Stream - 214 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C5E2BAEE
    @Alternate Data Stream - 214 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7AF9CAEB
    @Alternate Data Stream - 214 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0E684AC9
    @Alternate Data Stream - 213 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D2397415
    @Alternate Data Stream - 213 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1713795
    @Alternate Data Stream - 213 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C22674B6
    @Alternate Data Stream - 213 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:47A24D4B
    @Alternate Data Stream - 213 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:02B823FE
    @Alternate Data Stream - 212 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B6DD2C7E
    @Alternate Data Stream - 211 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F5E4BCD5
    @Alternate Data Stream - 211 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:041C0562
    @Alternate Data Stream - 210 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E5DE9C8F
    @Alternate Data Stream - 210 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6F55EB66
    @Alternate Data Stream - 210 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:496D1709
    @Alternate Data Stream - 210 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:417B6FAC
    @Alternate Data Stream - 210 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:11EFE63D
    @Alternate Data Stream - 209 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:164FA86E
    @Alternate Data Stream - 208 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BFAD7A5D
    @Alternate Data Stream - 208 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:097FF903
    @Alternate Data Stream - 206 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FDCAE7B5
    @Alternate Data Stream - 206 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D4C72290
    @Alternate Data Stream - 206 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AA60673F
    @Alternate Data Stream - 206 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4F96D8E6
    @Alternate Data Stream - 204 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:ADDDF689
    @Alternate Data Stream - 204 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0860D6D6
    @Alternate Data Stream - 203 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D7DA89B1
    @Alternate Data Stream - 202 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A4BF246C
    @Alternate Data Stream - 202 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7CEDF9F3
    @Alternate Data Stream - 202 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:375FC7E7
    @Alternate Data Stream - 201 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E91ADC66
    @Alternate Data Stream - 201 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D92485C9
    @Alternate Data Stream - 200 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3E06C78F
    @Alternate Data Stream - 200 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3766E957
    @Alternate Data Stream - 199 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6BF0805F
    @Alternate Data Stream - 199 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3D36932D
    @Alternate Data Stream - 198 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EC0A74A1
    @Alternate Data Stream - 198 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB16385F
    @Alternate Data Stream - 198 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9726EA15
    @Alternate Data Stream - 197 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EB5BDBB0
    @Alternate Data Stream - 197 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:385E2CFD
    @Alternate Data Stream - 196 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C9FD258B
    @Alternate Data Stream - 195 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E3F37A7D
    @Alternate Data Stream - 195 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D29191BC
    @Alternate Data Stream - 195 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A688EF17
    @Alternate Data Stream - 195 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:592D7272
    @Alternate Data Stream - 194 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8247A199
    @Alternate Data Stream - 194 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:569CEE83
    @Alternate Data Stream - 192 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A866F8A3
    @Alternate Data Stream - 192 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5E9B629B
    @Alternate Data Stream - 189 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A6881EE7
    @Alternate Data Stream - 188 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BABA07C2
    @Alternate Data Stream - 188 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:28CDD861
    @Alternate Data Stream - 187 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E84CA8F2
    @Alternate Data Stream - 187 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D0D17155
    @Alternate Data Stream - 187 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:02A78DF6
    @Alternate Data Stream - 186 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CF61CE5A
    @Alternate Data Stream - 186 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5F1019FF
    @Alternate Data Stream - 186 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1A8BB29B
    @Alternate Data Stream - 186 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1A4BF204
    @Alternate Data Stream - 149 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:86725A4F
    @Alternate Data Stream - 149 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:71612023
    @Alternate Data Stream - 148 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EB86F355
    @Alternate Data Stream - 147 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:56F368C9
    @Alternate Data Stream - 145 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DD04902E
    @Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C48A983C
    @Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:57176330
    @Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4A448DB2
    @Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0EC7A545
    @Alternate Data Stream - 136 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C72A744C
    @Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E883A78D
    @Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F84B8DB5
    @Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:393F7B1E
    @Alternate Data Stream - 132 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CFFC9DD0
    @Alternate Data Stream - 132 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0FA1EAA7
    @Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C820549A
    @Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7FCB9D0D
    @Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:40EE25BB
    @Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9547F1DB
    @Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7A032A04
    @Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:413E2927
    @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D8F9D810
    @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A02025CE
    @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:206470A5
    @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0F6AC518
    @Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FB647F34
    @Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AE2EA3C2
    @Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:ADFAD95A
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E5816AB5
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D9987109
    @Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AEEC88F6
    @Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8B2A99C5
    @Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4709F39D
    @Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:98F6F85C
    @Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:48977386
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DB77E2C4
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3F2212BB
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:38E2864F
    @Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E2B84483
    @Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A6CDBCAC
    @Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C611D6C8
    @Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:370E4EFB
    @Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F986CC21
    @Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EA701346
    @Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:ACCFA538
    @Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0D52F295
    @Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:69E3AF64
    @Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:22313216
    @Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:29861223
    @Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:25BB767E
    @Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9E9A3410
    @Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:12D9D48F
    @Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6813E7F4
    @Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3790BACD
    @Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BA46F44F
    @Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BB3CECA4
    @Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9C012695
    @Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C74009E5
    @Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:37994DBE
    :Commands
    [EmptyTemp]
    
  • Click the Run Fix button at the top.
  • Let the program run unhindered and reboot when it is done.
  • You will get a log when it is done, please post that in your reply.
  • Please then create a new OTL report....
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • A report will open, copy and paste it in a reply here.



Step 5

Please go to the Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Note: Kaspersky online scan may take time to complete, please be patient.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
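Added example, not from the original post and not part of OTL: a PowerShell check that lists every alternate data stream (ADS) on the TEMP folder the script above targets, printed in OTL's own line format so the listing can be compared before and after the fix is run. Assumes PowerShell 3.0 or later (Get-Item -Stream); the function name Get-AlternateStreams is hypothetical and the path is the one from the OTL script.

```powershell
# Added example (not from the original post or from OTL): enumerate alternate
# data streams under a folder and print them the way OTL's fix script lists them.
# Assumes PowerShell 3.0+ for the -Stream parameter of Get-Item.
param(
    # Default is the folder targeted by the OTL script above; any folder works.
    [string]$Root = 'C:\Documents and Settings\All Users\Application Data\TEMP'
)

# Hypothetical helper: returns one object per non-default stream found on the
# folder itself and on everything beneath it.
function Get-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)

    # Include the root item itself: in the OTL script above the streams hang off
    # the TEMP directory (TEMP:6444B424), not off files inside it.
    # -Force includes hidden/system items; SilentlyContinue skips unreadable
    # entries instead of aborting the whole walk.
    $items = @(Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        # ':$DATA' is the item's ordinary content; every other stream is an ADS.
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Host   = $item.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                }
            }
    }
}

$streams = @(Get-AlternateStreams -Path $Root | Sort-Object Bytes -Descending)

# Same line format as the "@Alternate Data Stream" entries in the OTL script,
# so this output can be diffed against it.
$total = 0
foreach ($s in $streams) {
    '@Alternate Data Stream - {0} bytes -> {1}:{2}' -f $s.Bytes, $s.Host, $s.Stream
    $total += $s.Bytes
}
'{0} alternate data stream(s), {1} bytes total' -f $streams.Count, $total
```

Run it once before pasting the OTL script and once after the reboot; an empty listing afterwards confirms the streams were removed, while any that remain can be investigated before deciding whether they matter.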
 


#13 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:49 PM

Posted 18 November 2010 - 06:57 PM

still with me?




#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:49 PM

Posted 21 November 2010 - 12:01 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.






