thinkpoint rootkit?


9 replies to this topic

#1 jdickherber (Members, 5 posts)

Posted 12 November 2010 - 03:34 PM

Hi,

I am attempting to remove ThinkPoint (and whatever else is with it) from someone's laptop. I attempted to follow your ThinkPoint removal guide here:

http://www.bleepingcomputer.com/virus-removal/remove-thinkpoint

Up to step 16, MalwareBytes would install but not run. I had to rename mbam.exe to something else (2222mbam.exe) in order to get it to run. (manually replaced rules.ref with an updated one). I ran a scan, it found objects (Vundo), rebooted, and removed them. After reboot I renamed the file back to mbam.exe and it still would not run, indicating some malware was still running. Per this post, I ran rkill and then SuperAntiSpyware portable.

http://www.bleepingcomputer.com/forums/topic354951.html

SAS found and removed another Vundo object.

Rebooted to safe mode, installed spybot & spybot updates. Spybot would not run even in safe mode (neither would mbam); had to rename spybotsd.exe to 222spybotsd.exe. Spybot found and removed vundo again. Rebooted. MBAM would not run.

Uninstalled mbam. Rebooted. Ran mbam-clean.exe. Rebooted. Reinstalled MBAM. Again replaced rules.ref with updated one. Attempted to run mbam.exe and would not run unless renaming.

Scanned with MBAM again full scan, finds no objects. Something is obviously still there though, since mbam will not run unless renamed.

Thank you for your assistance!

EDIT: Sorry for not reading the preparation topic before; I attached my DDS and GMER logs. GMER said: "GMER has found system modification caused by ROOTKIT activity."

DDS log:


DDS (Ver_10-11-10.01) - NTFSx86
Run by laptop at 14:47:40.78 on Fri 11/12/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1333 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\PROGRA~1\SMILEY~2\bar\1.bin\1wbrmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\mshta.exe
C:\Documents and Settings\laptop\Application Data\U3\34853211B3D2AD31\LaunchPad.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Documents and Settings\laptop\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://everythingy.com/ie/home
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uURLSearchHooks: N/A: {339a0dff-d9af-439b-92bc-636220fb3dae} - c:\program files\smileycentralie_1w\bar\1.bin\1wSrcAs.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Toolbar BHO: {55cde9e7-696c-47c4-8e21-7210b8aeb103} - c:\progra~1\smiley~2\bar\1.bin\1wbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: SmileyCentral: {d3ca5551-fc2e-4d09-8ece-263607acf9fc} - c:\program files\smileycentralie_1w\bar\1.bin\1wbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Clearwire Connection Manager] "c:\program files\clearwire\connection manager\ClearwireCM.exe" -a
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [lxcymon.exe] "c:\program files\lexmark 3400 series\lxcymon.exe"
mRun: [EzPrint] "c:\program files\lexmark 3400 series\ezprint.exe"
mRun: [LXCYCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCYtime.dll,_RunDLLEntry@16
mRun: [SmileyCentralIE_1w Browser Plugin Loader] c:\progra~1\smiley~2\bar\1.bin\1wbrmon.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYAMABLAE0AQwAtAEUAOQBWAFUAVw"&"inst=NwA3AC0ANAAyADMAMAA0ADIAMwA5ADQALQBGAFAAOQArADY"&"prod=90"&"ver=9.0.864
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\windows\system32\nokoteja.dll zivorode.dll c:\windows\system32\jeduyohe.dll c:\windows\system32\putabese.dll c:\windows\system32\mureleni.dll
SSODL: lutuvegaf - {8351286a-6a17-498c-97dd-ef5d9092cbcb} - c:\windows\system32\nokoteja.dll
SSODL: reyurihit - {ea0379f1-4ca8-4f92-8c10-62a5d7b55ec3} - c:\windows\system32\mureleni.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: kupuhivus: {8351286a-6a17-498c-97dd-ef5d9092cbcb} - c:\windows\system32\nokoteja.dll
STS: mujuzedij: {ea0379f1-4ca8-4f92-8c10-62a5d7b55ec3} - c:\windows\system32\mureleni.dll
LSA: Notification Packages = scecli zuhalovo.dll

============= SERVICES / DRIVERS ===============

R1 fortiapd;fortiapd;c:\windows\system32\drivers\fortiapd.sys [2010-2-26 13416]
R1 Fortips;Fortips;c:\windows\system32\drivers\fortips.sys [2010-2-26 98024]
R1 FortiRdr;FortiRdr;c:\windows\system32\drivers\FortiRdr.sys [2010-2-26 29928]
R1 FortiShield;FortiShield;c:\windows\system32\drivers\FortiShield.sys [2010-2-26 37480]
R1 SASDIFSV;SASDIFSV;c:\docume~1\laptop\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\docume~1\laptop\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2010-5-10 67656]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-4-20 47640]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
R2 SMSI Device Launch Service;Clearwire Device Launch Service;c:\program files\clearwire\connection manager\DeviceLaunchSvc.exe [2009-11-9 107856]
R3 Fortidrv2;Fortinet Packet Filter Service;c:\windows\system32\drivers\fortidrv.sys [2010-1-4 22504]
R4 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
S2 gupdate1ca18bc1c29e48a;Google Update Service (gupdate1ca18bc1c29e48a);c:\program files\google\update\GoogleUpdate.exe [2009-8-9 133104]
S2 SmileyCentralIE_1wService;SmileyCentral Service;c:\progra~1\smiley~2\bar\1.bin\1wbarsvc.exe [2010-10-3 28766]
S3 ATMFBUS;A600 USB Composite Device Driver;c:\windows\system32\drivers\ATMFBUS.sys [2009-11-8 38528]
S3 ATMFCVsp;A600 Cricket CM Port;c:\windows\system32\drivers\ATMFCVsp.sys [2009-11-8 54656]
S3 ATMFFLT;A600 USB Modem Installation CD;c:\windows\system32\drivers\ATMFFLT.sys [2009-11-8 11520]
S3 ATMFMdm;A600 Cricket EVDO Modem;c:\windows\system32\drivers\ATMFMdm.sys [2009-11-8 54528]
S3 ATMFNET;A600 Cricket EVDO Network Adapter;c:\windows\system32\drivers\ATMFNET.sys [2009-11-8 103424]
S3 ATMFNVsp;A600 Cricket NMEA Port Serial Port;c:\windows\system32\drivers\ATMFNVsp.sys [2009-11-8 54656]
S3 ATMFVsp;A600 Cricket Diagnostics Port;c:\windows\system32\drivers\ATMFVsp.sys [2009-11-8 54656]
S3 CLEARWIRERcAppSvc;Clearwire RcAppSvc;c:\program files\clearwire\connection manager\RcAppSvc.exe [2009-11-9 120144]
S3 cpuz132;cpuz132;\??\c:\docume~1\laptop\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\laptop\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 ft_vnic;Fortinet network virtual adapter;c:\windows\system32\drivers\ftvnic.sys [2010-4-14 14496]
S3 uts_bus;UTStarcom USB Composite Device driver (WDM);c:\windows\system32\drivers\uts_bus.sys [2009-8-8 84352]
S3 uts_mdfl;UTStarcom USB Modem Filter;c:\windows\system32\drivers\uts_mdfl.sys [2009-8-8 14976]
S3 uts_mdm;UTStarcom USB Modem Drivers;c:\windows\system32\drivers\uts_mdm.sys [2009-8-8 110848]
S3 uts_serd;UTStarcom USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\uts_serd.sys [2009-8-8 90880]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-11-12 19:45:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-12 19:45:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-12 19:45:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-11 22:43:21 -------- d-----w- c:\docume~1\laptop\applic~1\SUPERAntiSpyware.com
2010-11-11 22:43:21 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-10-28 23:37:08 -------- d-----w- c:\docume~1\laptop\locals~1\applic~1\Deployment

==================== Find3M ====================

2010-11-12 19:56:18 1409 ----a-w- c:\windows\QTFont.for
2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800BEVS-75RST0 rev.04.01G04 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A79DECC]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x8901c879; SUB DWORD [EBP-0x4], 0x8901c135; PUSH EDI; CALL 0xffffffffffffdf2c; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A807AB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000008f[0x8A809F18]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A77BB00]
[0x8A7266B0] -> IRP_MJ_CREATE -> 0x8A79DECC
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD800BEVS-75RST0____________________04.01G04#5&314e625d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A79DAF1
user & kernel MBR OK
sectors 156301486 (+215): user != kernel
Warning: possible TDL3 rootkit infection !

============= FINISH: 14:49:24.17 ===============

Edited by jdickherber, 12 November 2010 - 04:06 PM.
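The DDS and GMER output above carry the indicators that point at a kernel-level infection: DLLs injected into every process through AppInit_DLLs, shell service objects (SSODL/STS) registered with random names that point at those same DLLs, an extra LSA notification package, an unknown module in the disk I/O path, a hooked atapi DriverStartIo and a user/kernel sector mismatch on the MBR. The following Python script is an added example, not code from the original post or from the BleepingComputer tools; it parses constructed sample lines modeled on that log and pulls those indicators out so they can be reviewed or alerted on. The names Finding, parse_dds, parse_gmer and summarize are mine, and the baseline (an empty AppInit_DLLs and scecli as the only LSA notification package on a Windows XP machine) is an assumption made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample input, modeled on the DDS "Pseudo HJT Report" and the GMER
# rootkit section posted above (names and paths copied from that log; the disk
# device line is shortened).
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
AppInit_DLLs: c:\windows\system32\nokoteja.dll zivorode.dll c:\windows\system32\mureleni.dll
SSODL: lutuvegaf - {8351286a-6a17-498c-97dd-ef5d9092cbcb} - c:\windows\system32\nokoteja.dll
SSODL: reyurihit - {ea0379f1-4ca8-4f92-8c10-62a5d7b55ec3} - c:\windows\system32\mureleni.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: kupuhivus: {8351286a-6a17-498c-97dd-ef5d9092cbcb} - c:\windows\system32\nokoteja.dll
STS: mujuzedij: {ea0379f1-4ca8-4f92-8c10-62a5d7b55ec3} - c:\windows\system32\mureleni.dll
LSA: Notification Packages = scecli zuhalovo.dll
"""

SAMPLE_GMER = r"""
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A79DECC]<<
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A807AB8]
kernel: MBR read successfully
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD800BEVS-75RST0 device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A79DAF1
user & kernel MBR OK
sectors 156301486 (+215): user != kernel
Warning: possible TDL3 rootkit infection !
"""


@dataclass(frozen=True)
class Finding:
    source: str   # "dds" or "gmer"
    kind: str     # which indicator fired
    detail: str   # the offending value or log line


# Assumed baseline for this example: on Windows XP, LSA "Notification Packages"
# normally holds only scecli, and AppInit_DLLs is normally empty.
LSA_BASELINE = {"scecli"}

# "SSODL: name - {CLSID} - path" and "STS: name: {CLSID} - path"
SHELL_OBJ = re.compile(r"^(SSODL|STS): (\S+?)[: ]+-?\s*\{([^}]+)\}\s*-\s*(.+)$")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_dds(text):
    """Return Findings for AppInit_DLLs, LSA packages and shell-object entries."""
    findings = []
    appinit = set()
    shell_entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("AppInit_DLLs:"):
            # Anything here is loaded into every user-mode process; flag it all.
            for dll in line.split(":", 1)[1].split():
                appinit.add(basename(dll))
                findings.append(Finding("dds", "appinit_dll", dll))
        elif line.startswith("LSA: Notification Packages"):
            for pkg in line.split("=", 1)[1].split():
                if basename(pkg).removesuffix(".dll") not in LSA_BASELINE:
                    findings.append(Finding("dds", "lsa_package", pkg))
        else:
            m = SHELL_OBJ.match(line)
            if m:
                shell_entries.append(m.groups())
    # Second pass: a shell object whose DLL is also injected via AppInit_DLLs,
    # or whose CLSID is registered under both SSODL and STS, is suspicious.
    clsid_keys = {}
    for key, _name, clsid, _dll in shell_entries:
        clsid_keys.setdefault(clsid.lower(), set()).add(key)
    for key, name, clsid, dll in shell_entries:
        if basename(dll) in appinit or len(clsid_keys[clsid.lower()]) > 1:
            findings.append(Finding("dds", "shell_object", f"{key} {name} -> {dll}"))
    return findings


def parse_gmer(text):
    """Return Findings for hooks, unknown modules and MBR/sector mismatches."""
    findings = []
    in_hooks = False
    for line in text.splitlines():
        line = line.strip()
        if line == "detected hooks:":
            in_hooks = True
            continue
        if in_hooks and "->" in line:
            findings.append(Finding("gmer", "driver_hook", line))
            continue
        in_hooks = False
        if ">>UNKNOWN" in line:
            findings.append(Finding("gmer", "unknown_module", line))
        elif re.match(r"^sectors \d+ \(\+\d+\): user != kernel$", line):
            findings.append(Finding("gmer", "mbr_sector_mismatch", line))
        elif line.startswith("Warning:"):
            findings.append(Finding("gmer", "warning", line))
    return findings


def summarize(findings):
    """Count findings per indicator kind."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in parse_dds(SAMPLE_DDS) + parse_gmer(SAMPLE_GMER):
        print(f"[{f.source}] {f.kind}: {f.detail}")
```

On the sample above the script reports all three AppInit DLLs, the extra LSA package zuhalovo.dll and the four SSODL/STS entries that share a DLL with AppInit_DLLs, while the legitimate WPDShServiceObj entry is left alone; from the GMER section it reports the unknown module, the atapi hook, the sector mismatch and the TDL3 warning. The DDS correlation is a heuristic: it relies on the same DLL showing up in more than one persistence location, which is what the posted log shows, and it does not by itself prove a rootkit.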


#2 Starbuck ('r Brudiwr) (Malware Response Team, 4,149 posts, Location: Midlands, UK)

Posted 16 November 2010 - 03:54 PM

Hi jdickherber and welcome to Bleeping Computer.

Step 1
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file in your next reply.

Step 2
  • Download OTL to your desktop.
    Right-click on the link and select 'Save Link/Target As'.
    If you have problems, try this download link: OTL
  • Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Now copy the lines in bold below.

    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    CREATERESTOREPOINT

  • Right-click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
  • Click the Run Scan button.
  • Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

In your next reply, please submit:
TDSSKiller report
and both reports from OTL


Thanks.



#3 jdickherber (Topic Starter, Members, 5 posts)

Posted 16 November 2010 - 04:14 PM

Hi Starbuck,

Thank you for your assistance. I actually found and used TDSSKiller yesterday on your forums from other posts. It did find and remove the rootkit "Rootkit.Win32.TDSS.tdl3" from isapnp.sys.

The computer seems to be functioning after that. MalwareBytes and Spybot run normally and find no objects. DDS and GMER no longer detect anything. I did also run RKUnhooker from your forums and it has a number of lines for "WARNING: virus alike driver modification". I will post that as well if requested.

Here are the TDSSKiller and OTL Logs:

2010/11/15 09:33:18.0859 TDSS rootkit removing tool 2.4.7.0 Nov 8 2010 10:52:22
2010/11/15 09:33:18.0859 ================================================================================
2010/11/15 09:33:18.0859 SystemInfo:
2010/11/15 09:33:18.0859
2010/11/15 09:33:18.0859 OS Version: 5.1.2600 ServicePack: 3.0
2010/11/15 09:33:18.0859 Product type: Workstation
2010/11/15 09:33:18.0859 ComputerName: HOME
2010/11/15 09:33:18.0859 UserName: laptop
2010/11/15 09:33:18.0859 Windows directory: C:\WINDOWS
2010/11/15 09:33:18.0859 System windows directory: C:\WINDOWS
2010/11/15 09:33:18.0859 Processor architecture: Intel x86
2010/11/15 09:33:18.0859 Number of processors: 2
2010/11/15 09:33:18.0859 Page size: 0x1000
2010/11/15 09:33:18.0859 Boot type: Normal boot
2010/11/15 09:33:18.0859 ================================================================================
2010/11/15 09:33:19.0171 Initialize success
2010/11/15 09:33:21.0640 ================================================================================
2010/11/15 09:33:21.0640 Scan started
2010/11/15 09:33:21.0640 Mode: Manual;
2010/11/15 09:33:21.0640 ================================================================================
2010/11/15 09:33:22.0765 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/15 09:33:22.0796 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/11/15 09:33:22.0859 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/11/15 09:33:22.0906 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/11/15 09:33:23.0031 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/11/15 09:33:23.0156 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/11/15 09:33:23.0171 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/11/15 09:33:23.0343 ati2mtag (3b88b6466896cc1a3a7e3287d72aca85) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/11/15 09:33:23.0390 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/11/15 09:33:23.0437 ATMFBUS (28b3f7d066cad30c5b8e23270c9f9ac9) C:\WINDOWS\system32\DRIVERS\ATMFBUS.sys
2010/11/15 09:33:23.0468 ATMFCVsp (94dac789c1826517909b62f4ce90bcc2) C:\WINDOWS\system32\DRIVERS\ATMFCVsp.sys
2010/11/15 09:33:23.0515 ATMFFLT (752b9969856c32da6ce3aca56fba53e9) C:\WINDOWS\system32\DRIVERS\ATMFFLT.sys
2010/11/15 09:33:23.0546 ATMFMdm (7b22209400ff758a6265852fb0f89413) C:\WINDOWS\system32\DRIVERS\ATMFMdm.sys
2010/11/15 09:33:23.0578 ATMFNET (a292013720a797e7740f8d7ce27f4755) C:\WINDOWS\system32\DRIVERS\ATMFNET.sys
2010/11/15 09:33:23.0593 ATMFNVsp (4bf654c6fe0c8685a6d1c608b1ec26e1) C:\WINDOWS\system32\DRIVERS\ATMFNVsp.sys
2010/11/15 09:33:23.0609 ATMFVsp (e0ad6b1cb4a36a3530bef0b7d589947e) C:\WINDOWS\system32\DRIVERS\ATMFVsp.sys
2010/11/15 09:33:23.0656 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/11/15 09:33:23.0687 b57w2k (f96038aa1ec4013a93d2420fc689d1e9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2010/11/15 09:33:23.0750 BCM43XX (b89bcf0a25aeb3b47030ac83287f894a) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2010/11/15 09:33:23.0796 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/11/15 09:33:23.0828 BMLoad (98f4630b5867d911ad6eae79874bf5e6) C:\WINDOWS\system32\drivers\BMLoad.sys
2010/11/15 09:33:23.0890 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/11/15 09:33:23.0984 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/11/15 09:33:24.0171 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/11/15 09:33:24.0390 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/11/15 09:33:24.0562 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/11/15 09:33:24.0609 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
2010/11/15 09:33:24.0687 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/11/15 09:33:24.0718 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/11/15 09:33:24.0921 CVirtA (72f820e457bc8a1c61aeb86df89dd41a) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
2010/11/15 09:33:25.0000 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/11/15 09:33:25.0062 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/11/15 09:33:25.0125 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/11/15 09:33:25.0171 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/11/15 09:33:25.0203 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/11/15 09:33:25.0265 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/11/15 09:33:25.0312 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/11/15 09:33:25.0343 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/11/15 09:33:25.0359 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/11/15 09:33:25.0375 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/11/15 09:33:25.0437 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/11/15 09:33:25.0468 fortiapd (9ba658b554fa42b0f3eef9e40d32acc2) C:\WINDOWS\system32\drivers\fortiapd.sys
2010/11/15 09:33:25.0515 Fortidrv2 (eff623353d292d52c6c353da24a6242d) C:\WINDOWS\system32\DRIVERS\fortidrv.sys
2010/11/15 09:33:25.0531 Fortips (1756416a4b5e9d78599a34ee013db3b1) C:\WINDOWS\system32\drivers\fortips.sys
2010/11/15 09:33:25.0562 FortiRdr (9f08f6a3a0d104996886a8357d6a6aae) C:\WINDOWS\system32\drivers\FortiRdr.sys
2010/11/15 09:33:25.0578 FortiShield (539ed15f3ca91de30b16c0021be4fc37) C:\WINDOWS\system32\drivers\FortiShield.sys
2010/11/15 09:33:25.0593 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/11/15 09:33:25.0625 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/11/15 09:33:25.0671 ft_vnic (6f8ac27b43ece9504fa5d521e086a92a) C:\WINDOWS\system32\DRIVERS\ftvnic.sys
2010/11/15 09:33:25.0687 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/11/15 09:33:25.0750 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/11/15 09:33:25.0781 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/11/15 09:33:25.0859 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2010/11/15 09:33:25.0921 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2010/11/15 09:33:25.0984 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2010/11/15 09:33:26.0031 HSFHWAZL (b1526810210980bed9d22315946c919d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
2010/11/15 09:33:26.0078 HSF_DPV (ddbd528e60f5961c142a490dc4ea7780) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2010/11/15 09:33:26.0171 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/11/15 09:33:26.0265 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/11/15 09:33:26.0296 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/11/15 09:33:26.0390 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/11/15 09:33:26.0437 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/11/15 09:33:26.0468 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/11/15 09:33:26.0500 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/11/15 09:33:26.0531 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/11/15 09:33:26.0546 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/11/15 09:33:26.0593 isapnp (a2f3cd2f01247648595a90c133d0b00e) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/11/15 09:33:26.0593 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\isapnp.sys. Real md5: a2f3cd2f01247648595a90c133d0b00e, Fake md5: 05a299ec56e52649b1cf2fc52d20f2d7
2010/11/15 09:33:26.0593 isapnp - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/11/15 09:33:26.0609 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/11/15 09:33:26.0640 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/11/15 09:33:26.0687 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/11/15 09:33:26.0718 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/11/15 09:33:26.0843 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
2010/11/15 09:33:26.0890 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys
2010/11/15 09:33:26.0953 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2010/11/15 09:33:27.0000 LVPr2Mon (a6919138f29ae45e90e99fa94737e04c) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
2010/11/15 09:33:27.0031 LVUSBSta (23f8ef78bb9553e465a476f3cee5ca18) C:\WINDOWS\system32\DRIVERS\LVUSBSta.sys
2010/11/15 09:33:27.0093 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/11/15 09:33:27.0140 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/11/15 09:33:27.0203 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/11/15 09:33:27.0250 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motmodem.sys
2010/11/15 09:33:27.0281 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/11/15 09:33:27.0312 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/11/15 09:33:27.0375 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/11/15 09:33:27.0406 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/11/15 09:33:27.0468 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/11/15 09:33:27.0500 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/11/15 09:33:27.0546 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/11/15 09:33:27.0578 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/11/15 09:33:27.0640 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/11/15 09:33:27.0703 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/11/15 09:33:27.0734 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/11/15 09:33:27.0750 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/11/15 09:33:27.0796 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/11/15 09:33:27.0828 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/11/15 09:33:27.0859 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/11/15 09:33:27.0906 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/11/15 09:33:27.0921 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/11/15 09:33:27.0937 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/11/15 09:33:27.0953 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/11/15 09:33:27.0984 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/11/15 09:33:28.0015 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/11/15 09:33:28.0078 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/11/15 09:33:28.0125 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/11/15 09:33:28.0171 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/11/15 09:33:28.0234 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/11/15 09:33:28.0281 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/11/15 09:33:28.0296 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/11/15 09:33:28.0328 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/11/15 09:33:28.0359 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2010/11/15 09:33:28.0375 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/11/15 09:33:28.0421 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/11/15 09:33:28.0437 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/11/15 09:33:28.0484 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/11/15 09:33:28.0515 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2010/11/15 09:33:28.0578 PCTINDIS5 (1e715247efffdda938c085913045d599) C:\WINDOWS\system32\PCTINDIS5.SYS
2010/11/15 09:33:28.0812 PID_PEPI (4bb5ac2dd485b8eefccb977ee66a68ad) C:\WINDOWS\system32\DRIVERS\LV302V32.SYS
2010/11/15 09:33:28.0937 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/11/15 09:33:28.0968 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/11/15 09:33:28.0984 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/11/15 09:33:29.0015 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/11/15 09:33:29.0046 PxHelp20 (db3b30c3a4cdcf07e164c14584d9d0f2) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/11/15 09:33:29.0171 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/11/15 09:33:29.0203 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/11/15 09:33:29.0218 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/11/15 09:33:29.0234 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/11/15 09:33:29.0265 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/11/15 09:33:29.0296 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/11/15 09:33:29.0359 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/11/15 09:33:29.0406 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/11/15 09:33:29.0593 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\DOCUME~1\laptop\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS
2010/11/15 09:33:29.0609 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\DOCUME~1\laptop\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS
2010/11/15 09:33:29.0671 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/11/15 09:33:29.0703 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/11/15 09:33:29.0718 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/11/15 09:33:29.0765 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/11/15 09:33:29.0828 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/11/15 09:33:29.0906 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
2010/11/15 09:33:29.0937 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/11/15 09:33:29.0984 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/11/15 09:33:30.0015 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/11/15 09:33:30.0109 STHDA (31ba85e1cff39a57f702a2a0877bb8e1) C:\WINDOWS\system32\drivers\sthda.sys
2010/11/15 09:33:30.0171 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
2010/11/15 09:33:30.0203 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/11/15 09:33:30.0218 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/11/15 09:33:30.0250 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/11/15 09:33:30.0343 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/11/15 09:33:30.0406 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/11/15 09:33:30.0453 tcpipBM (4bed0c7fdf414d1bd26bf33ea673ca49) C:\WINDOWS\system32\drivers\tcpipBM.sys
2010/11/15 09:33:30.0468 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/11/15 09:33:30.0500 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/11/15 09:33:30.0515 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/11/15 09:33:30.0578 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/11/15 09:33:30.0671 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/11/15 09:33:30.0734 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2010/11/15 09:33:30.0781 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/11/15 09:33:30.0812 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/11/15 09:33:30.0828 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/11/15 09:33:30.0890 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/11/15 09:33:30.0937 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/11/15 09:33:30.0968 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/11/15 09:33:31.0015 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/11/15 09:33:31.0062 uts_bus (df8bb0e93518f74d943046a1162bbcdd) C:\WINDOWS\system32\DRIVERS\uts_bus.sys
2010/11/15 09:33:31.0125 uts_mdfl (3427fe9a31e50d0dac3e062f8dd3be41) C:\WINDOWS\system32\DRIVERS\uts_mdfl.sys
2010/11/15 09:33:31.0187 uts_mdm (8fa13cd6a1cf2612ddbc056d23c5c0ad) C:\WINDOWS\system32\DRIVERS\uts_mdm.sys
2010/11/15 09:33:31.0234 uts_serd (edd4d6275289014457e84ecb60ad5c2d) C:\WINDOWS\system32\DRIVERS\uts_serd.sys
2010/11/15 09:33:31.0312 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/11/15 09:33:31.0375 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/11/15 09:33:31.0453 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/11/15 09:33:31.0515 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2010/11/15 09:33:31.0578 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/11/15 09:33:31.0656 winachsf (96aff1738271755a39b52eef7e35f98f) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/11/15 09:33:31.0734 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2010/11/15 09:33:31.0796 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2010/11/15 09:33:31.0843 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2010/11/15 09:33:31.0890 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/11/15 09:33:31.0953 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/11/15 09:33:31.0984 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/11/15 09:33:32.0250 ================================================================================
2010/11/15 09:33:32.0250 Scan finished
2010/11/15 09:33:32.0250 ================================================================================
2010/11/15 09:33:32.0265 Detected object count: 1
2010/11/15 09:35:07.0312 isapnp (a2f3cd2f01247648595a90c133d0b00e) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/11/15 09:35:07.0312 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\isapnp.sys. Real md5: a2f3cd2f01247648595a90c133d0b00e, Fake md5: 05a299ec56e52649b1cf2fc52d20f2d7
2010/11/15 09:35:07.0531 Backup copy found, using it..
2010/11/15 09:35:07.0546 C:\WINDOWS\system32\DRIVERS\isapnp.sys - will be cured after reboot
2010/11/15 09:35:07.0546 Rootkit.Win32.TDSS.tdl3(isapnp) - User select action: Cure
2010/11/15 09:35:10.0406 Deinitialize success


OTL logfile created on: 11/16/2010 3:02:14 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\laptop\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 76.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 56.55 Gb Free Space | 75.95% Space Free | Partition Type: NTFS
Drive E: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 1.86 Gb Total Space | 0.14 Gb Free Space | 7.76% Space Free | Partition Type: FAT

Computer Name: HOME | User Name: laptop | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\laptop\Desktop\OTL.scr (OldTimer Tools)
PRC - C:\Program Files\Fortinet\FortiClient\FortiTray.exe (Fortinet Inc.)
PRC - C:\Program Files\Fortinet\FortiClient\fcappdb.exe (Fortinet Inc.)
PRC - C:\Program Files\Fortinet\FortiClient\FortiProxy.exe (Fortinet Inc.)
PRC - C:\Program Files\Fortinet\FortiClient\FCDBLog.exe (Fortinet Inc.)
PRC - C:\Program Files\Fortinet\FortiClient\scheduler.exe (Fortinet Inc.)
PRC - C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe ()
PRC - C:\Program Files\LogMeIn\x86\LMIGuardian.exe (LogMeIn, Inc.)
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
PRC - C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
PRC - C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe (Logitech Inc.)
PRC - C:\Program Files\Common Files\logishrd\LVCOMSER\LVComSer.exe (Logitech Inc.)
PRC - C:\Documents and Settings\laptop\Application Data\U3\34853211B3D2AD31\LaunchPad.exe ()
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\lxcycoms.exe ( )
PRC - C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe (SigmaTel, Inc.)
PRC - C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\laptop\Desktop\OTL.scr (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\Temp\logishrd\LVPrcInj01.dll (Logitech Inc.)


========== Win32 Services (SafeList) ==========

SRV - (KodakCCS) -- C:\WINDOWS\System32\drivers\KodakCCS.exe File not found
SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
SRV - (AppMgmt) -- C:\WINDOWS\System32\appmgmts.dll File not found
SRV - (SmileyCentralIE_1wService) -- C:\Program Files\SmileyCentralIE_1w\bar\1.bin\1wbarsvc.exe (SmileyCentral)
SRV - (FA_Scheduler) -- C:\Program Files\Fortinet\FortiClient\scheduler.exe (Fortinet Inc.)
SRV - (CLEARWIRERcAppSvc) -- C:\Program Files\Clearwire\Connection Manager\RcAppSvc.exe (SmithMicro Inc.)
SRV - (SMSI Device Launch Service) -- C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe ()
SRV - (LMIMaint) -- C:\Program Files\LogMeIn\x86\RaMaint.exe (LogMeIn, Inc.)
SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
SRV - (LogMeIn) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)
SRV - (LVPrcSrv) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (Logitech Inc.)
SRV - (LVCOMSer) -- C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe (Logitech Inc.)
SRV - (lxcy_device) -- C:\WINDOWS\System32\lxcycoms.exe ( )
SRV - (STacSV) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe (SigmaTel, Inc.)


========== Driver Services (SafeList) ==========

DRV - (vsdatant) -- C:\WINDOWS\System32\vsdatant.sys File not found
DRV - (SASKUTIL) -- C:\DOCUME~1\laptop\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS File not found
DRV - (SASDIFSV) -- C:\DOCUME~1\laptop\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS File not found
DRV - (cpuz132) -- C:\DOCUME~1\laptop\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys File not found
DRV - (FortiShield) -- C:\WINDOWS\system32\drivers\FortiShield.sys (Fortinet Inc)
DRV - (Fortips) -- C:\WINDOWS\system32\drivers\fortips.sys (Fortinet Inc)
DRV - (FortiRdr) -- C:\WINDOWS\system32\drivers\FortiRdr.sys (Fortinet Inc)
DRV - (fortiapd) -- C:\WINDOWS\system32\drivers\fortiapd.sys (Fortinet Inc)
DRV - (Fortidrv2) -- C:\WINDOWS\system32\drivers\fortidrv.sys (Fortinet Inc)
DRV - (PCTINDIS5) -- C:\WINDOWS\system32\PCTINDIS5.sys (Smith Micro Inc.)
DRV - (LMIRfsClientNP) -- C:\WINDOWS\System32\LMIRfsClientNP.dll (LogMeIn, Inc.)
DRV - (tcpipBM) -- C:\WINDOWS\System32\drivers\tcpipBM.sys (Bytemobile, Inc.)
DRV - (ft_vnic) -- C:\WINDOWS\system32\drivers\ftvnic.sys (Fortinet Inc.)
DRV - (ATMFVsp) -- C:\WINDOWS\system32\drivers\ATMFVsp.sys (DEVGURU Co., LTD.)
DRV - (ATMFNET) -- C:\WINDOWS\system32\drivers\ATMFNET.sys (DEVGURU Co., LTD.)
DRV - (ATMFNVsp) -- C:\WINDOWS\system32\drivers\ATMFNVsp.sys (DEVGURU Co., LTD.)
DRV - (ATMFCVsp) -- C:\WINDOWS\system32\drivers\ATMFCVsp.sys (DEVGURU Co., LTD.)
DRV - (ATMFMdm) -- C:\WINDOWS\system32\drivers\ATMFMdm.sys (DEVGURU Co., LTD.)
DRV - (ATMFBUS) -- C:\WINDOWS\system32\drivers\ATMFBUS.sys (DEVGURU Co., LTD.)
DRV - (ATMFFLT) -- C:\WINDOWS\system32\drivers\ATMFFLT.sys (DEVGURU Co., LTD.)
DRV - (LMIRfsDriver) -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys (LogMeIn, Inc.)
DRV - (LMIInfo) -- C:\Program Files\LogMeIn\x86\rainfo.sys (LogMeIn, Inc.)
DRV - (LVUSBSta) -- C:\WINDOWS\system32\drivers\LVUSBSta.sys (Logitech Inc.)
DRV - (PID_PEPI) Logitech QuickCam IM(PID_PEPI) -- C:\WINDOWS\system32\drivers\LV302V32.SYS (Logitech Inc.)
DRV - (LVPr2Mon) -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys ()
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (uts_mdm) -- C:\WINDOWS\system32\drivers\uts_mdm.sys (MCCI)
DRV - (uts_serd) UTStarcom USB Diagnostic Serial Port (WDM) -- C:\WINDOWS\system32\drivers\uts_serd.sys (MCCI)
DRV - (uts_bus) UTStarcom USB Composite Device driver (WDM) -- C:\WINDOWS\system32\drivers\uts_bus.sys (MCCI)
DRV - (uts_mdfl) -- C:\WINDOWS\system32\drivers\uts_mdfl.sys (MCCI Corporation)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (motmodem) -- C:\WINDOWS\system32\drivers\motmodem.sys (Motorola)
DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (HSFHWAZL) -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (CVirtA) -- C:\WINDOWS\system32\drivers\CVirtA.sys (Cisco Systems, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr9/*http://www.yahoo.com/ext/search/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://everythingy.com/ie/home
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {339a0dff-d9af-439b-92bc-636220fb3dae} - C:\Program Files\SmileyCentralIE_1w\bar\1.bin\1wSrcAs.dll (SmileyCentral)
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

FF - HKLM\software\mozilla\Firefox\extensions\\ff-bmboc@bytemobile.com: C:\Program Files\Cricket\Cricket Broadband\addon\ [2009/11/08 16:16:38 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2010/11/16 10:27:05 | 000,425,428 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 14658 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKLM\..\Toolbar: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (SmileyCentral) - {d3ca5551-fc2e-4d09-8ece-263607acf9fc} - C:\Program Files\SmileyCentralIE_1w\bar\1.bin\1wbar.dll (SmileyCentral)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (SmileyCentral) - {D3CA5551-FC2E-4D09-8ECE-263607ACF9FC} - C:\Program Files\SmileyCentralIE_1w\bar\1.bin\1wbar.dll (SmileyCentral)
O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Clearwire Connection Manager] C:\Program Files\Clearwire\Connection Manager\ClearwireCM.exe (ClearwireCM)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\RunOnceEx: [] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk.disabled ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk.disabled ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk.disabled ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll (Google Inc.)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - AppInit_DLLs: (c:\windows\system32\nokoteja.dll) - C:\WINDOWS\System32\nokoteja.dll File not found
O20 - AppInit_DLLs: (zivorode.dll) - File not found
O20 - AppInit_DLLs: (c:\windows\system32\jeduyohe.dll) - C:\WINDOWS\System32\jeduyohe.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\putabese.dll) - C:\WINDOWS\System32\putabese.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\mureleni.dll) - C:\WINDOWS\System32\mureleni.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O21 - SSODL: lutuvegaf - {8351286a-6a17-498c-97dd-ef5d9092cbcb} - C:\WINDOWS\System32\nokoteja.dll File not found
O21 - SSODL: reyurihit - {ea0379f1-4ca8-4f92-8c10-62a5d7b55ec3} - C:\WINDOWS\System32\mureleni.dll File not found
O22 - SharedTaskScheduler: {8351286a-6a17-498c-97dd-ef5d9092cbcb} - kupuhivus - C:\WINDOWS\System32\nokoteja.dll File not found
O22 - SharedTaskScheduler: {ea0379f1-4ca8-4f92-8c10-62a5d7b55ec3} - mujuzedij - C:\WINDOWS\System32\mureleni.dll File not found
O24 - Desktop WallPaper: C:\Documents and Settings\laptop\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\laptop\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/12/30 15:37:14 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/05/06 06:26:23 | 000,000,309 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{518157fd-cb41-11de-abea-001d09b1ddb0}\Shell - "" = AutoRun
O33 - MountPoints2\{518157fd-cb41-11de-abea-001d09b1ddb0}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{518157fd-cb41-11de-abea-001d09b1ddb0}\Shell\AutoRun\command - "" = E:\start.exe -- File not found
O33 - MountPoints2\{5428c1ae-806a-11df-ac1f-001e8c560822}\Shell\AutoRun\command - "" = E:\Window~1\Setup.exe -- File not found
O33 - MountPoints2\{5428c1b0-806a-11df-ac1f-001e8c560822}\Shell\AutoRun\command - "" = E:\Window~1\Setup.exe -- File not found
O33 - MountPoints2\{6303f434-eb22-11de-abf0-001d09b1ddb0}\Shell - "" = AutoRun
O33 - MountPoints2\{6303f434-eb22-11de-abf0-001d09b1ddb0}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6303f434-eb22-11de-abf0-001d09b1ddb0}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- [2007/10/23 01:45:39 | 001,336,632 | R--- | M] ()
O33 - MountPoints2\{f69a1bda-ede0-11df-ac3e-928808cc5866}\Shell - "" = AutoRun
O33 - MountPoints2\{f69a1bda-ede0-11df-ac3e-928808cc5866}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f69a1bda-ede0-11df-ac3e-928808cc5866}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- [2007/10/23 01:45:39 | 001,336,632 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


CREATERESTOREPOINT
Restore point Set: OTL Restore Point (56027131116781568)

========== Files/Folders - Created Within 30 Days ==========

[2010/11/16 14:59:51 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\laptop\Desktop\OTL.scr
[2010/11/16 10:18:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\laptop\Desktop\asrasdf
[2010/11/16 10:17:45 | 000,719,574 | ---- | C] (UG North ) -- C:\Documents and Settings\laptop\Desktop\RkU3.8.388.590.exe
[2010/11/15 09:33:16 | 001,330,776 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\laptop\Desktop\tdsskiller.exe
[2010/11/12 14:50:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\laptop\Desktop\gmer
[2010/11/12 13:45:18 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/11/12 13:45:17 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/11/12 13:45:17 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/11/11 16:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\laptop\Application Data\SUPERAntiSpyware.com
[2010/11/11 16:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/10/28 17:37:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\laptop\Local Settings\Application Data\Deployment
[2010/09/22 23:32:14 | 001,224,704 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcyserv.dll
[2010/09/22 23:32:14 | 000,995,328 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcyusb1.dll
[2010/09/22 23:32:14 | 000,696,320 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcyhbn3.dll
[2010/09/22 23:32:14 | 000,643,072 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcypmui.dll
[2010/09/22 23:32:14 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcylmpm.dll
[2010/09/22 23:32:14 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcyinpa.dll
[2010/09/22 23:32:14 | 000,397,312 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcyiesc.dll
[2010/09/22 23:32:14 | 000,323,584 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcyhcp.dll
[2010/09/22 23:32:14 | 000,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcyprox.dll
[2010/09/22 23:32:14 | 000,094,208 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcypplc.dll
[2010/09/22 23:32:13 | 000,684,032 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcycomc.dll
[2010/09/22 23:32:13 | 000,421,888 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcycomm.dll
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/16 15:03:31 | 000,432,594 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/11/16 15:03:30 | 000,067,510 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/11/16 15:01:00 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2010/11/16 14:59:14 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/11/16 14:59:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2010/11/16 14:58:56 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/16 14:55:40 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\laptop\Desktop\OTL.scr
[2010/11/16 13:23:05 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/11/16 12:41:07 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2010/11/16 12:01:03 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2010/11/16 12:01:03 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2010/11/16 12:01:03 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2010/11/16 10:27:05 | 000,425,428 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/11/16 08:38:33 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2010/11/15 09:43:06 | 011,802,408 | ---- | M] () -- C:\Documents and Settings\laptop\Desktop\SAS_404E.COM
[2010/11/15 09:37:47 | 000,943,104 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mbb
[2010/11/15 09:37:46 | 000,745,472 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mb
[2010/11/15 09:29:43 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2010/11/15 09:29:39 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/15 09:27:22 | 001,330,776 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\laptop\Desktop\tdsskiller.exe
[2010/11/12 14:43:06 | 000,288,107 | ---- | M] () -- C:\Documents and Settings\laptop\Desktop\gmer.zip
[2010/11/12 14:42:18 | 000,630,272 | ---- | M] () -- C:\Documents and Settings\laptop\Desktop\dds.scr
[2010/11/12 13:58:24 | 000,000,720 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/11/12 08:40:23 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2010/11/12 08:40:23 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2010/11/12 08:40:23 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2010/11/12 08:40:23 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2010/11/12 08:40:23 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2010/11/12 08:40:23 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2010/11/11 16:39:16 | 000,000,335 | ---- | M] () -- C:\Documents and Settings\laptop\Desktop\FixExe.reg
[2010/11/11 16:36:14 | 000,364,032 | ---- | M] () -- C:\Documents and Settings\laptop\Desktop\iExplore.exe
[2010/11/11 16:30:16 | 000,000,228 | ---- | M] () -- C:\Documents and Settings\laptop\Desktop\shell.reg
[2010/11/08 11:12:48 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2010/11/04 21:33:05 | 000,000,006 | ---- | M] () -- C:\Documents and Settings\laptop\Application Data\start
[2010/11/04 21:15:16 | 000,000,006 | ---- | M] () -- C:\Documents and Settings\laptop\Application Data\completescan
[2010/11/04 20:06:38 | 000,000,010 | ---- | M] () -- C:\Documents and Settings\laptop\Application Data\install
[2010/11/04 20:06:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2010/11/04 20:06:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2010/11/04 20:06:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2010/11/04 20:06:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2010/11/04 20:06:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2010/11/04 20:06:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2010/11/04 20:05:59 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2010/11/04 20:05:59 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2010/11/04 20:05:59 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2010/11/04 20:05:59 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2010/10/28 20:02:58 | 000,001,838 | -H-- | M] () -- C:\Documents and Settings\laptop\My Documents\Default.rdp
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/15 12:55:02 | 011,802,408 | ---- | C] () -- C:\Documents and Settings\laptop\Desktop\SAS_404E.COM
[2010/11/12 14:50:26 | 000,288,107 | ---- | C] () -- C:\Documents and Settings\laptop\Desktop\gmer.zip
[2010/11/12 14:47:37 | 000,630,272 | ---- | C] () -- C:\Documents and Settings\laptop\Desktop\dds.scr
[2010/11/12 13:51:07 | 000,364,032 | ---- | C] () -- C:\Documents and Settings\laptop\Desktop\iExplore.exe
[2010/11/12 13:45:21 | 000,000,720 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/11/12 08:44:56 | 000,000,335 | ---- | C] () -- C:\Documents and Settings\laptop\Desktop\FixExe.reg
[2010/11/11 16:47:35 | 000,000,228 | ---- | C] () -- C:\Documents and Settings\laptop\Desktop\shell.reg
[2010/11/04 20:49:00 | 000,000,006 | ---- | C] () -- C:\Documents and Settings\laptop\Application Data\start
[2010/11/04 20:11:08 | 000,000,006 | ---- | C] () -- C:\Documents and Settings\laptop\Application Data\completescan
[2010/11/04 20:06:38 | 000,000,010 | ---- | C] () -- C:\Documents and Settings\laptop\Application Data\install
[2010/11/04 20:06:02 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At24.job
[2010/11/04 20:06:01 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2010/11/04 20:06:01 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2010/11/04 20:06:01 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2010/11/04 20:06:01 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2010/11/04 20:06:01 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At23.job
[2010/11/04 20:06:01 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At22.job
[2010/11/04 20:06:01 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At21.job
[2010/11/04 20:06:01 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At20.job
[2010/11/04 20:06:01 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At19.job
[2010/11/04 20:06:01 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At18.job
[2010/11/04 20:06:01 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At17.job
[2010/11/04 20:06:01 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At16.job
[2010/11/04 20:06:01 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At15.job
[2010/11/04 20:06:01 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At14.job
[2010/11/04 20:06:01 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At13.job
[2010/11/04 20:06:01 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At12.job
[2010/11/04 20:06:01 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At11.job
[2010/11/04 20:06:01 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At10.job
[2010/11/04 20:06:00 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2010/11/04 20:05:58 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
[2010/11/04 20:05:58 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2010/11/04 20:05:58 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2010/11/04 20:05:58 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2010/09/22 23:33:02 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxcyvs.dll
[2010/09/22 23:33:00 | 000,344,064 | ---- | C] () -- C:\WINDOWS\System32\lxcycoin.dll
[2010/09/22 23:32:37 | 000,692,224 | ---- | C] () -- C:\WINDOWS\System32\lxcydrs.dll
[2010/09/22 23:32:37 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\lxcycaps.dll
[2010/09/22 23:32:36 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\lxcycnv4.dll
[2010/09/22 23:32:14 | 000,274,432 | ---- | C] () -- C:\WINDOWS\System32\lxcyinst.dll
[2010/08/25 17:24:31 | 000,004,990 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\mtbjfghn.xbe
[2010/01/25 10:58:06 | 000,462,848 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2009/12/17 11:44:13 | 000,000,264 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/07/07 08:16:27 | 000,027,648 | ---- | C] () -- C:\Documents and Settings\laptop\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/30 15:48:53 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2008/12/30 15:48:52 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2008/12/30 09:26:37 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/07/26 13:42:52 | 000,066,482 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2008/07/26 07:25:02 | 000,025,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2005/02/10 12:17:50 | 000,172,056 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2000/09/08 16:53:50 | 000,073,839 | ---- | C] () -- C:\WINDOWS\System32\KodakOneTouch.dll

========== LOP Check ==========

[2010/02/13 08:31:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applications
[2010/06/29 13:02:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Clearwire
[2010/08/23 17:18:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Driver Mender
[2010/08/23 12:19:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Driver Whiz
[2010/04/20 01:11:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
[2009/09/26 14:50:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\nrs
[2010/08/25 17:24:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\laptop\Application Data\Carambis
[2010/06/29 13:03:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\laptop\Application Data\Clearwire
[2009/11/08 16:18:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\laptop\Application Data\Cricket
[2009/05/18 21:46:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\laptop\Application Data\Leadertech
[2009/08/08 23:21:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\laptop\Application Data\Smith Micro
[2010/04/09 17:11:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\laptop\Application Data\TeamViewer
[2010/11/04 20:05:59 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
[2010/11/04 20:06:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At10.job
[2010/11/16 14:59:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At11.job
[2010/11/16 12:01:03 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At12.job
[2010/11/04 20:06:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At13.job
[2010/11/16 12:01:03 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At14.job
[2010/11/16 12:41:07 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At15.job
[2010/11/12 08:40:23 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At16.job
[2010/11/12 08:40:23 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At17.job
[2010/11/12 08:40:23 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At18.job
[2010/11/15 09:29:43 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At19.job
[2010/11/04 20:05:59 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At2.job
[2010/11/12 08:40:23 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At20.job
[2010/11/12 08:40:23 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At21.job
[2010/11/04 20:06:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At22.job
[2010/11/12 08:40:23 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At23.job
[2010/11/08 11:12:48 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At24.job
[2010/11/04 20:05:59 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At3.job
[2010/11/04 20:05:59 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At4.job
[2010/11/16 12:01:03 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At5.job
[2010/11/04 20:06:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At6.job
[2010/11/04 20:06:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At7.job
[2010/11/16 08:38:33 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At8.job
[2010/11/04 20:06:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\Tasks\At9.job
[2010/11/16 15:01:00 | 000,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 04:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/12/18 09:49:21 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/12/18 09:49:21 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 12:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 12:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\dllcache\agp440.sys
[2008/04/13 12:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 04:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/12/18 09:49:21 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/12/18 09:49:21 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 12:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 12:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 12:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 04:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 18:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 18:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 04:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2007/07/12 15:35:02 | 000,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\WINDOWS\dell\iastor\iastor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 18:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 18:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2009/02/06 12:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2009/02/06 12:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtUninstallKB975467_0$\netlogon.dll
[2004/08/04 04:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtUninstallKB968389_0$\netlogon.dll

< MD5 for: NVATA.SYS >
[2006/10/18 16:31:38 | 000,105,472 | ---- | M] (NVIDIA Corporation) MD5=EF9941593B2E9B436F64A87DDB570D1A -- C:\WINDOWS\dell\nvraid\nvata.sys

< MD5 for: NVATABUS.SYS >
[2006/10/18 15:31:38 | 000,105,472 | ---- | M] (NVIDIA Corporation) MD5=EF9941593B2E9B436F64A87DDB570D1A -- C:\WINDOWS\dell\nvraid\NvAtaBus.sys

< MD5 for: SCECLI.DLL >
[2004/08/04 04:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 18:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 18:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: SYMMPI.SYS >
[2007/02/09 21:06:00 | 000,100,096 | ---- | M] (LSI Logic) MD5=A42F863305943869BA00A613C8EE8C7E -- C:\WINDOWS\dell\symmpi\symmpi.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[5 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< End of report >


OTL Extras logfile created on: 11/16/2010 3:02:14 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\laptop\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 76.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 56.55 Gb Free Space | 75.95% Space Free | Partition Type: NTFS
Drive E: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 1.86 Gb Total Space | 0.14 Gb Free Space | 7.76% Space Free | Partition Type: FAT

Computer Name: HOME | User Name: laptop | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Comodo\LaunchPad\CLPTray.exe" = C:\Program Files\Comodo\LaunchPad\CLPTray.exe:*:Enabled:CLPTray -- File not found
"C:\Program Files\Logitech\QuickCam\Quickcam.exe" = C:\Program Files\Logitech\QuickCam\Quickcam.exe:*:Enabled:Quickcam -- ()
"C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe" = C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe:*:Enabled:YahooAUService -- (Yahoo! Inc.)
"C:\Program Files\Comodo\Comodo AntiVirus\CavAUD.exe" = C:\Program Files\Comodo\Comodo AntiVirus\CavAUD.exe:*:Enabled:Cavaud -- File not found
"C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe" = C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe:*:Enabled:LVPrcSrv -- (Logitech Inc.)
"C:\Program Files\Fortinet\FortiClient\FortiProxy.exe" = C:\Program Files\Fortinet\FortiClient\FortiProxy.exe:*:Enabled:FortiClient Proxy Service -- (Fortinet Inc.)
"C:\Program Files\Fortinet\FortiClient\ipsec.exe" = C:\Program Files\Fortinet\FortiClient\ipsec.exe:*:Enabled:FortiClient VPN Service -- (Fortinet Inc.)
"C:\Documents and Settings\laptop\temp\TeamViewer\Version5\TeamViewer.exe" = C:\Documents and Settings\laptop\temp\TeamViewer\Version5\TeamViewer.exe:*:Enabled:TeamViewer -- (TeamViewer GmbH)
"C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" = C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe:*:Disabled:GoogleToolbarNotifier -- (Google Inc.)
"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe" = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare -- ()
"C:\WINDOWS\system32\lxcycoms.exe" = C:\WINDOWS\system32\lxcycoms.exe:*:Enabled:3400 Series Server -- ( )


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}" = Notifier
"{077AA014-B568-4FF8-B360-9ACE1A1F4571}" = CLEAR Connection Manager
"{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" = Lexmark Toolbar
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{154508C0-07C5-4659-A7A0-E49968750D21}" = HLPPDOCK
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{2764CA82-DFB9-4498-AF85-719340BF5305}" = Dell Resource CD
"{343D8DE3-AE1F-431A-830C-B66352E8CA12}" = OZ776 SCR Driver V1.1.3.9
"{34D6AD5A-C03D-45FF-AA8A-8B306E01B96D}" = FortiClient Endpoint Security
"{34F93E31-E1A0-421C-8E86-BCF7C4193A91}" = LogMeIn
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{38441BE7-79B0-42B8-8297-833704F949FE}" = HLPIndex
"{3AF8FCCD-F51A-4014-9002-F195E1CBC876}" = Logitech QuickCam
"{3C0619B4-4A2C-4244-8077-488E420DF907}" = FINAL FANTASY XI: Chains of Promathia
"{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}" = OTtBPSDK
"{432C3720-37BF-4BD7-8E49-F38E090246D0}" = CR2
"{48C82F7A-F100-4DAB-A310-8E18BF2159E1}" = ESSvpot
"{4F677FC7-7AA8-412B-A957-F13CBE1C7331}" = ESSSONIC
"{53735ECE-E461-4FD0-B742-23A352436D3A}" = Logitech Updater
"{54C8FE84-89C4-40E8-976C-439EB0729BD6}" = CardRd81
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{678F6475-D227-432A-94FF-806178A34520}" = FINAL FANTASY XI
"{6FC76C41-8C1D-4B43-85E7-0BAA2002F1BE}" = FINAL FANTASY XI: Rise of the Zilart
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{87843A41-7808-4F2E-B13F-25C1E67CF2FD}" = ESShelp
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8BB4B58A-A402-4DE8-8FCD-287E60B88DD8}" = ESSCT
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}" = ESScore
"{9DBCF56A-CDF0-41bf-BE0F-E00A88B18F56}" = Cricket EVDO Modem
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}" = ESSvpaht
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADAC983-FDE9-42FA-8FD9-7BB324155593}" = HLPRFO
"{AC76BA86-7AD7-1033-7B44-A70900000002}" = Adobe Reader 7.0.9
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{B6FE57E6-E454-4F2A-94A0-87707FE190EF}" = Cricket Broadband
"{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}" = KSU
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CA60320D-6A16-49C8-A34F-84EEF4799567}" = ESSTUTOR
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{D3B3B9B2-FE73-44CB-8C0A-F737D92F991B}" = Broadcom Gigabit Integrated Controller
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{E1E502E2-C006-49DB-9C0C-F2196E51826F}_is1" = Rootkit Unhooker LE 3.8 SR 2
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}" = OTtBP
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
"{FDF9943A-3D5C-46B3-9679-586BD237DDEE}" = SKIN0001
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F" = Conexant HDA D330 MDC V.92 Modem
"Google Chrome" = Google Chrome
"ie8" = Windows Internet Explorer 8
"InstallShield_{343D8DE3-AE1F-431A-830C-B66352E8CA12}" = OZ776 SCR Driver V1.1.3.9
"InstallShield_{3C0619B4-4A2C-4244-8077-488E420DF907}" = FINAL FANTASY XI: Chains of Promathia
"InstallShield_{678F6475-D227-432A-94FF-806178A34520}" = FINAL FANTASY XI
"InstallShield_{6FC76C41-8C1D-4B43-85E7-0BAA2002F1BE}" = FINAL FANTASY XI: Rise of the Zilart
"Lexmark 3400 Series" = Lexmark 3400 Series
"Loki ActiveX Control" = Loki ActiveX Control
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"QuickLink Mobile" = QuickLink Mobile
"QuickTime" = QuickTime
"SmileyCentralIE_1wbar Uninstall" = SmileyCentral
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"UTStarcom USB Modem" = UTStarcom USB Modem Software
"VLC media player" = VLC media player 1.0.3
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Search Defender" = Yahoo! Search Protection
"Yahoo! Software Update" = Yahoo! Software Update
"YInstHelper" = Yahoo! Install Manager

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/17/2010 7:17:05 AM | Computer Name = HOME | Source = Google Update | ID = 20
Description =

Error - 10/17/2010 8:17:05 AM | Computer Name = HOME | Source = Google Update | ID = 20
Description =

Error - 10/17/2010 9:17:05 AM | Computer Name = HOME | Source = Google Update | ID = 20
Description =

Error - 11/4/2010 11:06:07 PM | Computer Name = HOME | Source = Application Error | ID = 1000
Description = Faulting application spoolsv.exe, version 5.1.2600.6024, faulting
module unknown, version 0.0.0.0, fault address 0x001a1e31.

Error - 11/4/2010 11:22:16 PM | Computer Name = HOME | Source = Application Error | ID = 1000
Description = Faulting application spoolsv.exe, version 5.1.2600.6024, faulting
module unknown, version 0.0.0.0, fault address 0x001a5f7a.

Error - 11/5/2010 7:40:52 AM | Computer Name = HOME | Source = Application Error | ID = 1000
Description = Faulting application spoolsv.exe, version 5.1.2600.6024, faulting
module unknown, version 0.0.0.0, fault address 0x002b5f7a.

Error - 11/11/2010 6:32:19 PM | Computer Name = HOME | Source = Application Error | ID = 1000
Description = Faulting application spoolsv.exe, version 5.1.2600.6024, faulting
module unknown, version 0.0.0.0, fault address 0x001a5f7a.

Error - 11/12/2010 11:13:43 AM | Computer Name = HOME | Source = MBAMService | ID = 131073
Description =

Error - 11/15/2010 11:31:52 AM | Computer Name = HOME | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/15/2010 3:17:46 PM | Computer Name = HOME | Source = Application Hang | ID = 1002
Description = Hanging application gmer.exe, version 1.0.15.15530, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 11/16/2010 2:41:27 PM | Computer Name = HOME | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SASDIFSV SASKUTIL

Error - 11/16/2010 3:58:14 PM | Computer Name = HOME | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 11/16/2010 3:58:23 PM | Computer Name = HOME | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 11/16/2010 3:58:56 PM | Computer Name = HOME | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBios over Tcpip service
which failed to start because of the following error: %%31

Error - 11/16/2010 3:58:56 PM | Computer Name = HOME | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 11/16/2010 3:58:56 PM | Computer Name = HOME | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31

Error - 11/16/2010 3:58:56 PM | Computer Name = HOME | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 11/16/2010 3:58:56 PM | Computer Name = HOME | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss SASDIFSV SASKUTIL Tcpip tcpipBM WS2IFSL

Error - 11/16/2010 4:57:58 PM | Computer Name = HOME | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 11/16/2010 4:59:23 PM | Computer Name = HOME | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SASDIFSV SASKUTIL


< End of report >

#4 Starbuck


    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 16 November 2010 - 05:08 PM

Hi jdickherber,

Ok, let's get to work.

Step 1
Double click on OTL.exe to run it.
Copy the lines in bold below (make sure that :Otl is on the first line).

:Otl
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://everythingy.com/ie/home
IE - HKCU\..\URLSearchHook: {339a0dff-d9af-439b-92bc-636220fb3dae} - C:\Program Files\SmileyCentralIE_1w\bar\1.bin\1wSrcAs.dll (SmileyCentral)
O3 - HKLM\..\Toolbar: (SmileyCentral) - {d3ca5551-fc2e-4d09-8ece-263607acf9fc} - C:\Program Files\SmileyCentralIE_1w\bar\1.bin\1wbar.dll (SmileyCentral)
O3 - HKCU\..\Toolbar\WebBrowser: (SmileyCentral) - {D3CA5551-FC2E-4D09-8ECE-263607ACF9FC} - C:\Program Files\SmileyCentralIE_1w\bar\1.bin\1wbar.dll (SmileyCentral)
O4 - HKLM..\RunOnceEx: [] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk.disabled ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk.disabled ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk.disabled ()
O20 - AppInit_DLLs: (c:\windows\system32\nokoteja.dll) - C:\WINDOWS\System32\nokoteja.dll File not found
O20 - AppInit_DLLs: (zivorode.dll) - File not found
O20 - AppInit_DLLs: (c:\windows\system32\jeduyohe.dll) - C:\WINDOWS\System32\jeduyohe.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\putabese.dll) - C:\WINDOWS\System32\putabese.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\mureleni.dll) - C:\WINDOWS\System32\mureleni.dll File not found
O21 - SSODL: lutuvegaf - {8351286a-6a17-498c-97dd-ef5d9092cbcb} - C:\WINDOWS\System32\nokoteja.dll File not found
O21 - SSODL: reyurihit - {ea0379f1-4ca8-4f92-8c10-62a5d7b55ec3} - C:\WINDOWS\System32\mureleni.dll File not found
O22 - SharedTaskScheduler: {8351286a-6a17-498c-97dd-ef5d9092cbcb} - kupuhivus - C:\WINDOWS\System32\nokoteja.dll File not found
O22 - SharedTaskScheduler: {ea0379f1-4ca8-4f92-8c10-62a5d7b55ec3} - mujuzedij - C:\WINDOWS\System32\mureleni.dll File not found
O33 - MountPoints2\{518157fd-cb41-11de-abea-001d09b1ddb0}\Shell - "" = AutoRun
O33 - MountPoints2\{518157fd-cb41-11de-abea-001d09b1ddb0}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{518157fd-cb41-11de-abea-001d09b1ddb0}\Shell\AutoRun\command - "" = E:\start.exe -- File not found
O33 - MountPoints2\{5428c1ae-806a-11df-ac1f-001e8c560822}\Shell\AutoRun\command - "" = E:\Window~1\Setup.exe -- File not found
O33 - MountPoints2\{5428c1b0-806a-11df-ac1f-001e8c560822}\Shell\AutoRun\command - "" = E:\Window~1\Setup.exe -- File not found
O33 - MountPoints2\{6303f434-eb22-11de-abf0-001d09b1ddb0}\Shell - "" = AutoRun
O33 - MountPoints2\{6303f434-eb22-11de-abf0-001d09b1ddb0}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6303f434-eb22-11de-abf0-001d09b1ddb0}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- [2007/10/23 01:45:39 | 001,336,632 | R--- | M] ()
O33 - MountPoints2\{f69a1bda-ede0-11df-ac3e-928808cc5866}\Shell - "" = AutoRun
O33 - MountPoints2\{f69a1bda-ede0-11df-ac3e-928808cc5866}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f69a1bda-ede0-11df-ac3e-928808cc5866}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- [2007/10/23 01:45:39 | 001,336,632 | R--- | M] ()

:Files
C:\WINDOWS\tasks\At*.job

:commands
[emptytemp]
[purity]
[RESETHOSTS]
[EMPTYFLASH]


  • Return to OTL,
  • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.

  • Click the red Run Fix button.

  • OTL will reboot your system once the fix has completed.
  • After the reboot, you may need to double click OTL to launch the program and retrieve the log.

Copy and paste the contents of the OTL log that comes up after the fix in your next reply.

If you lose the report, there will be a copy here:
C:\_OTL\MovedFiles

Step 2
You are missing one important program on that computer: An antivirus.
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can and run a complete scan of the computer:
Install one of these, update the definitions and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove.

Note*:
Upon installation MS Security Essentials will check that your OS is a legal copy.

Step 3
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2


This is an example; you may rename ComboFix to anything you want.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
    For more information read:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

    Then:

    Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    If running Vista, you may not see this screen
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please submit:
OTL fix report
Combofix.txt


Thanks.



#5 jdickherber

  • Topic Starter

  • Members
  • 5 posts

Posted 17 November 2010 - 10:03 AM

Hi,

The logs you requested are below. AVG was installed on this laptop, but it was obviously not doing its job. I uninstalled it and planned on installing another anti-virus after the rootkit was removed. I installed Avira which removed a few objects (log attached). It looks like OTL and ComboFix removed a few things.

I do plan on installing all windows updates, removing old Java/Adobe versions and installing the latest, and scanning with Secunia.

Please let me know if everything looks clean now.

Thanks!!

All processes killed
========== OTL ==========
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Page_URL| /E : value set successfully!
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{339a0dff-d9af-439b-92bc-636220fb3dae} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{339a0dff-d9af-439b-92bc-636220fb3dae}\ deleted successfully.
C:\Program Files\SmileyCentralIE_1w\bar\1.bin\1wSrcAs.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{d3ca5551-fc2e-4d09-8ece-263607acf9fc} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d3ca5551-fc2e-4d09-8ece-263607acf9fc}\ deleted successfully.
C:\Program Files\SmileyCentralIE_1w\bar\1.bin\1wbar.dll moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D3CA5551-FC2E-4D09-8ECE-263607ACF9FC} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D3CA5551-FC2E-4D09-8ECE-263607ACF9FC}\ not found.
File C:\Program Files\SmileyCentralIE_1w\bar\1.bin\1wbar.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\\ deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk.disabled moved successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk.disabled moved successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk.disabled moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\nokoteja.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:zivorode.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\jeduyohe.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\putabese.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\mureleni.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\lutuvegaf deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8351286a-6a17-498c-97dd-ef5d9092cbcb}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\reyurihit deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ea0379f1-4ca8-4f92-8c10-62a5d7b55ec3}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{8351286a-6a17-498c-97dd-ef5d9092cbcb} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8351286a-6a17-498c-97dd-ef5d9092cbcb}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{ea0379f1-4ca8-4f92-8c10-62a5d7b55ec3} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ea0379f1-4ca8-4f92-8c10-62a5d7b55ec3}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{518157fd-cb41-11de-abea-001d09b1ddb0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{518157fd-cb41-11de-abea-001d09b1ddb0}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{518157fd-cb41-11de-abea-001d09b1ddb0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{518157fd-cb41-11de-abea-001d09b1ddb0}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{518157fd-cb41-11de-abea-001d09b1ddb0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{518157fd-cb41-11de-abea-001d09b1ddb0}\ not found.
File E:\start.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5428c1ae-806a-11df-ac1f-001e8c560822}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5428c1ae-806a-11df-ac1f-001e8c560822}\ not found.
File E:\Window~1\Setup.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5428c1b0-806a-11df-ac1f-001e8c560822}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5428c1b0-806a-11df-ac1f-001e8c560822}\ not found.
File E:\Window~1\Setup.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6303f434-eb22-11de-abf0-001d09b1ddb0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6303f434-eb22-11de-abf0-001d09b1ddb0}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6303f434-eb22-11de-abf0-001d09b1ddb0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6303f434-eb22-11de-abf0-001d09b1ddb0}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6303f434-eb22-11de-abf0-001d09b1ddb0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6303f434-eb22-11de-abf0-001d09b1ddb0}\ not found.
File move failed. E:\LaunchU3.exe scheduled to be moved on reboot.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f69a1bda-ede0-11df-ac3e-928808cc5866}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f69a1bda-ede0-11df-ac3e-928808cc5866}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f69a1bda-ede0-11df-ac3e-928808cc5866}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f69a1bda-ede0-11df-ac3e-928808cc5866}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f69a1bda-ede0-11df-ac3e-928808cc5866}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f69a1bda-ede0-11df-ac3e-928808cc5866}\ not found.
File move failed. E:\LaunchU3.exe scheduled to be moved on reboot.
========== FILES ==========
C:\WINDOWS\tasks\At1.job moved successfully.
C:\WINDOWS\tasks\At10.job moved successfully.
C:\WINDOWS\tasks\At11.job moved successfully.
C:\WINDOWS\tasks\At12.job moved successfully.
C:\WINDOWS\tasks\At13.job moved successfully.
C:\WINDOWS\tasks\At14.job moved successfully.
C:\WINDOWS\tasks\At15.job moved successfully.
C:\WINDOWS\tasks\At16.job moved successfully.
C:\WINDOWS\tasks\At17.job moved successfully.
C:\WINDOWS\tasks\At18.job moved successfully.
C:\WINDOWS\tasks\At19.job moved successfully.
C:\WINDOWS\tasks\At2.job moved successfully.
C:\WINDOWS\tasks\At20.job moved successfully.
C:\WINDOWS\tasks\At21.job moved successfully.
C:\WINDOWS\tasks\At22.job moved successfully.
C:\WINDOWS\tasks\At23.job moved successfully.
C:\WINDOWS\tasks\At24.job moved successfully.
C:\WINDOWS\tasks\At3.job moved successfully.
C:\WINDOWS\tasks\At4.job moved successfully.
C:\WINDOWS\tasks\At5.job moved successfully.
C:\WINDOWS\tasks\At6.job moved successfully.
C:\WINDOWS\tasks\At7.job moved successfully.
C:\WINDOWS\tasks\At8.job moved successfully.
C:\WINDOWS\tasks\At9.job moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 394914 bytes
->Temporary Internet Files folder emptied: 66551 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: laptop
->Temp folder emptied: 2876149 bytes
->Temporary Internet Files folder emptied: 34093570 bytes
->Java cache emptied: 31443 bytes
->Google Chrome cache emptied: 6234537 bytes
->Flash cache emptied: 15508 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 207185 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2195181 bytes
%systemroot%\System32 .tmp files removed: 3950609 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 144139 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 92394718 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 4932 bytes

Total Files Cleaned = 136.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: laptop
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.17.3 log created on 11162010_161236

Files\Folders moved on Reboot...
File move failed. E:\LaunchU3.exe scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\logishrd\LVPrcInj01.dll scheduled to be moved on reboot.

Registry entries deleted on Reboot...


ComboFix 10-11-16.02 - laptop 11/17/2010 8:45.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1241 [GMT -6:00]
Running from: c:\documents and settings\laptop\Desktop\aaa.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\laptop\Application Data\completescan
c:\documents and settings\laptop\Application Data\install
c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2010-10-17 to 2010-11-17 )))))))))))))))))))))))))))))))
.

2010-11-16 22:27 . 2010-11-16 23:25 -------- d-----w- c:\windows\system32\NtmsData
2010-11-16 22:25 . 2010-11-16 22:25 -------- d-----w- c:\documents and settings\laptop\Application Data\Avira
2010-11-16 22:22 . 2010-08-02 22:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-16 22:22 . 2010-08-02 22:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-11-16 22:22 . 2010-06-17 21:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-11-16 22:22 . 2010-06-17 21:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-11-16 22:22 . 2010-11-16 22:22 -------- d-----w- c:\program files\Avira
2010-11-16 22:22 . 2010-11-16 22:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-11-16 22:12 . 2010-11-16 22:12 -------- d-----w- C:\_OTL
2010-11-16 22:00 . 2010-11-16 22:00 -------- d-----w- c:\program files\ESET
2010-11-16 18:40 . 2010-11-16 18:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-11-12 19:45 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-12 19:45 . 2010-11-12 20:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-12 19:45 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-11 22:43 . 2010-11-11 22:43 -------- d-----w- c:\documents and settings\laptop\Application Data\SUPERAntiSpyware.com
2010-11-11 22:43 . 2010-11-11 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-11-08 18:50 . 2010-11-08 18:51 -------- d-----w- c:\documents and settings\Administrator
2010-10-28 23:37 . 2010-10-28 23:37 -------- d-----w- c:\documents and settings\laptop\Local Settings\Application Data\Deployment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-15 15:36 . 2004-08-04 10:00 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys
2010-09-18 17:23 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 10:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 10:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2004-08-04 10:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-04 10:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-04 10:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-04 10:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-05-19 02:38 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-08-04 10:00 617472 ----a-w- c:\windows\system32\comctl32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-13 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-19 148888]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"Clearwire Connection Manager"="c:\program files\Clearwire\Connection Manager\ClearwireCM.exe" [2009-12-01 54608]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-29 00:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"Search Protection"=c:\program files\Yahoo!\Search Protection\SearchProtection.exe
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
"YSearchProtection"=c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"EzPrint"="c:\program files\Lexmark 3400 Series\ezprint.exe"
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" /hide
"lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe"
"LXCYCATS"=rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SmileyCentralIE_1w Browser Plugin Loader"=c:\progra~1\SMILEY~2\bar\1.bin\1wbrmon.exe
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Logitech\\QuickCam\\Quickcam.exe"=
"c:\\Program Files\\Yahoo!\\SoftwareUpdate\\YahooAUService.exe"=
"c:\\Program Files\\Common Files\\logishrd\\LVMVFM\\LVPrcSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Fortinet\\FortiClient\\FortiProxy.exe"=
"c:\\Program Files\\Fortinet\\FortiClient\\ipsec.exe"=
"c:\\Documents and Settings\\laptop\\temp\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\lxcycoms.exe"=

R1 fortiapd;fortiapd;c:\windows\system32\drivers\fortiapd.sys [2/26/2010 10:10 AM 13416]
R1 Fortips;Fortips;c:\windows\system32\drivers\fortips.sys [2/26/2010 10:10 AM 98024]
R1 FortiRdr;FortiRdr;c:\windows\system32\drivers\FortiRdr.sys [2/26/2010 10:10 AM 29928]
R1 FortiShield;FortiShield;c:\windows\system32\drivers\FortiShield.sys [2/26/2010 10:10 AM 37480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/16/2010 4:22 PM 135336]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 11:41 AM 12856]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
R2 SMSI Device Launch Service;Clearwire Device Launch Service;c:\program files\Clearwire\Connection Manager\DeviceLaunchSvc.exe [11/9/2009 11:00 AM 107856]
R3 Fortidrv2;Fortinet Packet Filter Service;c:\windows\system32\drivers\fortidrv.sys [1/4/2010 10:35 AM 22504]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\laptop\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\laptop\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\laptop\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\laptop\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 gupdate1ca18bc1c29e48a;Google Update Service (gupdate1ca18bc1c29e48a);c:\program files\Google\Update\GoogleUpdate.exe [8/9/2009 12:39 AM 133104]
S2 SmileyCentralIE_1wService;SmileyCentral Service;c:\progra~1\SMILEY~2\bar\1.bin\1wbarsvc.exe [10/3/2010 12:45 AM 28766]
S3 ATMFBUS;A600 USB Composite Device Driver;c:\windows\system32\drivers\ATMFBUS.sys [11/8/2009 4:16 PM 38528]
S3 ATMFCVsp;A600 Cricket CM Port;c:\windows\system32\drivers\ATMFCVsp.sys [11/8/2009 4:16 PM 54656]
S3 ATMFFLT;A600 USB Modem Installation CD;c:\windows\system32\drivers\ATMFFLT.sys [11/8/2009 4:16 PM 11520]
S3 ATMFMdm;A600 Cricket EVDO Modem;c:\windows\system32\drivers\ATMFMdm.sys [11/8/2009 4:16 PM 54528]
S3 ATMFNET;A600 Cricket EVDO Network Adapter;c:\windows\system32\drivers\ATMFNET.sys [11/8/2009 4:16 PM 103424]
S3 ATMFNVsp;A600 Cricket NMEA Port Serial Port;c:\windows\system32\drivers\ATMFNVsp.sys [11/8/2009 4:16 PM 54656]
S3 ATMFVsp;A600 Cricket Diagnostics Port;c:\windows\system32\drivers\ATMFVsp.sys [11/8/2009 4:16 PM 54656]
S3 CLEARWIRERcAppSvc;Clearwire RcAppSvc;c:\program files\Clearwire\Connection Manager\RcAppSvc.exe [11/9/2009 11:02 AM 120144]
S3 ft_vnic;Fortinet network virtual adapter;c:\windows\system32\drivers\ftvnic.sys [4/14/2010 9:53 AM 14496]
S3 uts_bus;UTStarcom USB Composite Device driver (WDM);c:\windows\system32\drivers\uts_bus.sys [8/8/2009 11:20 PM 84352]
S3 uts_mdfl;UTStarcom USB Modem Filter;c:\windows\system32\drivers\uts_mdfl.sys [8/8/2009 11:20 PM 14976]
S3 uts_mdm;UTStarcom USB Modem Drivers;c:\windows\system32\drivers\uts_mdm.sys [8/8/2009 11:20 PM 110848]
S3 uts_serd;UTStarcom USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\uts_serd.sys [8/8/2009 11:20 PM 90880]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SSMDRV
*Deregistered* - BMLoad
.
Contents of the 'Scheduled Tasks' folder

2010-11-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-09 06:38]

2010-11-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-09 06:38]

2010-11-17 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 20:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
Trusted Zone: eset.com\www
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - (no file)
SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-17 08:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\System32\BCMLogon.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(6156)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Fortinet\FortiClient\scheduler.exe
c:\program files\Fortinet\FortiClient\FCDBLog.exe
c:\program files\Fortinet\FortiClient\fcappdb.exe
c:\program files\Fortinet\FortiClient\FortiProxy.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\lxcycoms.exe
c:\program files\SigmaTel\C-Major Audio\WDM\StacSV.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Fortinet\FortiClient\FortiTray.exe
c:\windows\stsystra.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wscntfy.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\progra~1\Fortinet\FORTIC~1\FORTIS~1.EXE
.
**************************************************************************
.
Completion time: 2010-11-17 08:55:25 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-17 14:55

Pre-Run: 60,420,890,624 bytes free
Post-Run: 60,285,423,616 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - A9B9B955A29FB02556F345027DA5A95F


#6 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:08:26 AM

Posted 17 November 2010 - 10:22 AM

Hi jdickherber,

Things look a bit better now.

Step 1
I'd like you to do an ESET OnlineScan

You may find it beneficial to close your resident AV program before running the scan.
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer.
      Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Click Posted Image, and save the file to your desktop using a unique name, such as ESETScan.
    Include the contents of this report in your next reply.
  • Click the Posted Image button.
  • Click Posted Image
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Step 2
Double click on OTL.exe to run it.
  • Under Extra Registry section, select Use SafeList.
  • Don't check the boxes beside 'LOP Check' and 'Purity Check' this time.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open. Please post the contents of these 2 Notepad files in your next reply.

In your next reply, please submit:
  • the ESET scan report
  • both reports from OTL


Thanks.



#7 jdickherber

jdickherber
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:01:26 AM

Posted 17 November 2010 - 02:59 PM

Hello,

Here are the logs you requested. The ESET Scan seemed to get stuck after 2 hours; I had to temporarily disable Avira AntiVir Guard, and then it completed. I've re-enabled Avira.

C:\Program Files\SmileyCentralIE_1w\bar\1.bin\1wdatact.dll a variant of Win32/Toolbar.MyWebSearch.A application cleaned by deleting - quarantined
C:\Program Files\SmileyCentralIE_1w\bar\1.bin\1whtml.dll probably a variant of Win32/Toolbar.MyWebSearch.F application cleaned by deleting - quarantined
C:\Program Files\SmileyCentralIE_1w\bar\1.bin\1whtmlmu.dll probably a variant of Win32/Toolbar.MyWebSearch.B application cleaned by deleting - quarantined
C:\System Volume Information\_restore{63FAE389-3FCE-4F55-954A-1B45367BA2A4}\RP27\A0000867.dll a variant of Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\System Volume Information\_restore{63FAE389-3FCE-4F55-954A-1B45367BA2A4}\RP48\A0009082.dll a variant of Win32/Toolbar.MyWebSearch.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{63FAE389-3FCE-4F55-954A-1B45367BA2A4}\RP48\A0009083.dll probably a variant of Win32/Toolbar.MyWebSearch.F application cleaned by deleting - quarantined
C:\System Volume Information\_restore{63FAE389-3FCE-4F55-954A-1B45367BA2A4}\RP48\A0009084.dll probably a variant of Win32/Toolbar.MyWebSearch.B application cleaned by deleting - quarantined
C:\WINDOWS\system32\hlp.dat Win32/Bamital.DZ trojan cleaned by deleting - quarantined

OTL logfile created on: 11/17/2010 1:36:55 PM - Run 2
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\laptop\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 69.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 55.23 Gb Free Space | 74.17% Space Free | Partition Type: NTFS
Drive E: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 1.86 Gb Total Space | 0.05 Gb Free Space | 2.55% Space Free | Partition Type: FAT

Computer Name: HOME | User Name: laptop | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\laptop\Desktop\OTL.scr (OldTimer Tools)
PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Program Files\Fortinet\FortiClient\FortiTray.exe (Fortinet Inc.)
PRC - C:\Program Files\Fortinet\FortiClient\fcappdb.exe (Fortinet Inc.)
PRC - C:\Program Files\Fortinet\FortiClient\FortiProxy.exe (Fortinet Inc.)
PRC - C:\Program Files\Fortinet\FortiClient\FCDBLog.exe (Fortinet Inc.)
PRC - C:\Program Files\Fortinet\FortiClient\scheduler.exe (Fortinet Inc.)
PRC - C:\Program Files\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)
PRC - C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe ()
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
PRC - C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe (Logitech Inc.)
PRC - C:\Program Files\Common Files\logishrd\LVCOMSER\LVComSer.exe (Logitech Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\lxcycoms.exe ( )
PRC - C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe (SigmaTel, Inc.)
PRC - C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\laptop\Desktop\OTL.scr (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\Temp\logishrd\LVPrcInj01.dll (Logitech Inc.)


========== Win32 Services (SafeList) ==========

SRV - (KodakCCS) -- C:\WINDOWS\System32\drivers\KodakCCS.exe File not found
SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
SRV - (AppMgmt) -- C:\WINDOWS\System32\appmgmts.dll File not found
SRV - (SmileyCentralIE_1wService) -- C:\Program Files\SmileyCentralIE_1w\bar\1.bin\1wbarsvc.exe (SmileyCentral)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (aspnet_state) -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe (Microsoft Corporation)
SRV - (WPFFontCache_v0400) -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (NetTcpPortSharing) -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe (Microsoft Corporation)
SRV - (FA_Scheduler) -- C:\Program Files\Fortinet\FortiClient\scheduler.exe (Fortinet Inc.)
SRV - (CLEARWIRERcAppSvc) -- C:\Program Files\Clearwire\Connection Manager\RcAppSvc.exe (SmithMicro Inc.)
SRV - (SMSI Device Launch Service) -- C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe ()
SRV - (LMIMaint) -- C:\Program Files\LogMeIn\x86\RaMaint.exe (LogMeIn, Inc.)
SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
SRV - (LogMeIn) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)
SRV - (LVPrcSrv) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (Logitech Inc.)
SRV - (LVCOMSer) -- C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe (Logitech Inc.)
SRV - (lxcy_device) -- C:\WINDOWS\System32\lxcycoms.exe ( )
SRV - (STacSV) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe (SigmaTel, Inc.)


========== Driver Services (SafeList) ==========

DRV - (vsdatant) -- C:\WINDOWS\System32\vsdatant.sys File not found
DRV - (SASKUTIL) -- C:\DOCUME~1\laptop\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS File not found
DRV - (SASDIFSV) -- C:\DOCUME~1\laptop\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS File not found
DRV - (cpuz132) -- C:\DOCUME~1\laptop\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys File not found
DRV - (catchme) -- C:\DOCUME~1\laptop\LOCALS~1\Temp\catchme.sys File not found
DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (avgio) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (FortiShield) -- C:\WINDOWS\system32\drivers\FortiShield.sys (Fortinet Inc)
DRV - (Fortips) -- C:\WINDOWS\system32\drivers\fortips.sys (Fortinet Inc)
DRV - (FortiRdr) -- C:\WINDOWS\system32\drivers\FortiRdr.sys (Fortinet Inc)
DRV - (fortiapd) -- C:\WINDOWS\system32\drivers\fortiapd.sys (Fortinet Inc)
DRV - (Fortidrv2) -- C:\WINDOWS\system32\drivers\fortidrv.sys (Fortinet Inc)
DRV - (PCTINDIS5) -- C:\WINDOWS\system32\PCTINDIS5.sys (Smith Micro Inc.)
DRV - (LMIRfsClientNP) -- C:\WINDOWS\System32\LMIRfsClientNP.dll (LogMeIn, Inc.)
DRV - (tcpipBM) -- C:\WINDOWS\System32\drivers\tcpipBM.sys (Bytemobile, Inc.)
DRV - (ft_vnic) -- C:\WINDOWS\system32\drivers\ftvnic.sys (Fortinet Inc.)
DRV - (ATMFVsp) -- C:\WINDOWS\system32\drivers\ATMFVsp.sys (DEVGURU Co., LTD.)
DRV - (ATMFNET) -- C:\WINDOWS\system32\drivers\ATMFNET.sys (DEVGURU Co., LTD.)
DRV - (ATMFNVsp) -- C:\WINDOWS\system32\drivers\ATMFNVsp.sys (DEVGURU Co., LTD.)
DRV - (ATMFCVsp) -- C:\WINDOWS\system32\drivers\ATMFCVsp.sys (DEVGURU Co., LTD.)
DRV - (ATMFMdm) -- C:\WINDOWS\system32\drivers\ATMFMdm.sys (DEVGURU Co., LTD.)
DRV - (ATMFBUS) -- C:\WINDOWS\system32\drivers\ATMFBUS.sys (DEVGURU Co., LTD.)
DRV - (ATMFFLT) -- C:\WINDOWS\system32\drivers\ATMFFLT.sys (DEVGURU Co., LTD.)
DRV - (LMIRfsDriver) -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys (LogMeIn, Inc.)
DRV - (LMIInfo) -- C:\Program Files\LogMeIn\x86\rainfo.sys (LogMeIn, Inc.)
DRV - (LVUSBSta) -- C:\WINDOWS\system32\drivers\LVUSBSta.sys (Logitech Inc.)
DRV - (PID_PEPI) Logitech QuickCam IM(PID_PEPI) -- C:\WINDOWS\system32\drivers\LV302V32.SYS (Logitech Inc.)
DRV - (LVPr2Mon) -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys ()
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (uts_mdm) -- C:\WINDOWS\system32\drivers\uts_mdm.sys (MCCI)
DRV - (uts_serd) UTStarcom USB Diagnostic Serial Port (WDM) -- C:\WINDOWS\system32\drivers\uts_serd.sys (MCCI)
DRV - (uts_bus) UTStarcom USB Composite Device driver (WDM) -- C:\WINDOWS\system32\drivers\uts_bus.sys (MCCI)
DRV - (uts_mdfl) -- C:\WINDOWS\system32\drivers\uts_mdfl.sys (MCCI Corporation)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (motmodem) -- C:\WINDOWS\system32\drivers\motmodem.sys (Motorola)
DRV - (AmdPPM) -- C:\WINDOWS\system32\drivers\AmdPPM.sys (Advanced Micro Devices)
DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (HSFHWAZL) -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (CVirtA) -- C:\WINDOWS\system32\drivers\CVirtA.sys (Cisco Systems, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr9/*http://www.yahoo.com/ext/search/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

FF - HKLM\software\mozilla\Firefox\extensions\\ff-bmboc@bytemobile.com: C:\Program Files\Cricket\Cricket Broadband\addon\ [2009/11/08 16:16:38 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2010/11/17 08:50:37 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKLM\..\Toolbar: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [Clearwire Connection Manager] C:\Program Files\Clearwire\Connection Manager\ClearwireCM.exe (ClearwireCM)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll (Google Inc.)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKCU\..Trusted Domains: eset.com ([www] http in Trusted sites)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.4 192.168.1.9
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\laptop\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\laptop\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/12/30 15:37:14 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/05/06 06:26:23 | 000,000,309 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/17 09:18:11 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2010/11/17 09:16:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\URTTEMP
[2010/11/17 08:44:59 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/11/17 08:41:21 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/11/17 08:41:21 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/11/17 08:41:21 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/11/17 08:41:21 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/11/17 08:41:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/11/17 08:40:57 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/11/16 16:27:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/11/16 16:25:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\laptop\Application Data\Avira
[2010/11/16 16:22:52 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2010/11/16 16:22:50 | 000,126,856 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/11/16 16:22:50 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/11/16 16:22:50 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2010/11/16 16:22:50 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2010/11/16 16:22:49 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/11/16 16:22:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2010/11/16 16:12:36 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/11/16 16:00:33 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/11/16 14:59:51 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\laptop\Desktop\OTL.scr
[2010/11/16 10:18:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\laptop\Desktop\asrasdf
[2010/11/16 10:17:45 | 000,719,574 | ---- | C] (UG North ) -- C:\Documents and Settings\laptop\Desktop\RkU3.8.388.590.exe
[2010/11/15 09:33:16 | 001,330,776 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\laptop\Desktop\tdsskiller.exe
[2010/11/12 14:50:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\laptop\Desktop\gmer
[2010/11/12 13:45:18 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/11/12 13:45:17 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/11/12 13:45:17 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/11/11 16:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\laptop\Application Data\SUPERAntiSpyware.com
[2010/11/11 16:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/10/28 17:37:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\laptop\Local Settings\Application Data\Deployment
[2010/09/22 23:32:14 | 001,224,704 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcyserv.dll
[2010/09/22 23:32:14 | 000,995,328 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcyusb1.dll
[2010/09/22 23:32:14 | 000,696,320 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcyhbn3.dll
[2010/09/22 23:32:14 | 000,643,072 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcypmui.dll
[2010/09/22 23:32:14 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcylmpm.dll
[2010/09/22 23:32:14 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcyinpa.dll
[2010/09/22 23:32:14 | 000,397,312 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcyiesc.dll
[2010/09/22 23:32:14 | 000,323,584 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcyhcp.dll
[2010/09/22 23:32:14 | 000,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcyprox.dll
[2010/09/22 23:32:14 | 000,094,208 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcypplc.dll
[2010/09/22 23:32:13 | 000,684,032 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcycomc.dll
[2010/09/22 23:32:13 | 000,421,888 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcycomm.dll
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/17 13:23:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/11/17 13:01:03 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2010/11/17 09:31:12 | 000,501,620 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/11/17 09:31:12 | 000,087,486 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/11/17 09:27:02 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/11/17 09:26:46 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/17 09:17:17 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/11/17 09:07:15 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/17 08:50:37 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/11/17 08:45:04 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2010/11/16 16:23:09 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/11/16 16:10:32 | 003,910,384 | R--- | M] () -- C:\Documents and Settings\laptop\Desktop\aaa.exe
[2010/11/16 14:55:40 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\laptop\Desktop\OTL.scr
[2010/11/15 09:43:06 | 011,802,408 | ---- | M] () -- C:\Documents and Settings\laptop\Desktop\SAS_404E.COM
[2010/11/15 09:37:47 | 000,943,104 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mbb
[2010/11/15 09:37:46 | 000,745,472 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mb
[2010/11/15 09:27:22 | 001,330,776 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\laptop\Desktop\tdsskiller.exe
[2010/11/12 14:43:06 | 000,288,107 | ---- | M] () -- C:\Documents and Settings\laptop\Desktop\gmer.zip
[2010/11/12 14:42:18 | 000,630,272 | ---- | M] () -- C:\Documents and Settings\laptop\Desktop\dds.scr
[2010/11/12 13:58:24 | 000,000,720 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/11/11 16:39:16 | 000,000,335 | ---- | M] () -- C:\Documents and Settings\laptop\Desktop\FixExe.reg
[2010/11/11 16:36:14 | 000,364,032 | ---- | M] () -- C:\Documents and Settings\laptop\Desktop\iExplore.exe
[2010/11/11 16:30:16 | 000,000,228 | ---- | M] () -- C:\Documents and Settings\laptop\Desktop\shell.reg
[2010/11/08 01:20:24 | 000,089,088 | ---- | M] () -- C:\WINDOWS\MBR.exe
[2010/11/04 21:33:05 | 000,000,006 | ---- | M] () -- C:\Documents and Settings\laptop\Application Data\start
[2010/10/28 20:02:58 | 000,001,838 | -H-- | M] () -- C:\Documents and Settings\laptop\My Documents\Default.rdp
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/17 08:45:04 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/11/17 08:45:01 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2010/11/17 08:41:21 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/11/17 08:41:21 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/11/17 08:41:21 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/11/17 08:41:21 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/11/17 08:41:21 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/11/17 08:40:14 | 003,910,384 | R--- | C] () -- C:\Documents and Settings\laptop\Desktop\aaa.exe
[2010/11/16 16:23:09 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/11/15 12:55:02 | 011,802,408 | ---- | C] () -- C:\Documents and Settings\laptop\Desktop\SAS_404E.COM
[2010/11/12 14:50:26 | 000,288,107 | ---- | C] () -- C:\Documents and Settings\laptop\Desktop\gmer.zip
[2010/11/12 14:47:37 | 000,630,272 | ---- | C] () -- C:\Documents and Settings\laptop\Desktop\dds.scr
[2010/11/12 13:51:07 | 000,364,032 | ---- | C] () -- C:\Documents and Settings\laptop\Desktop\iExplore.exe
[2010/11/12 13:45:21 | 000,000,720 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/11/12 08:44:56 | 000,000,335 | ---- | C] () -- C:\Documents and Settings\laptop\Desktop\FixExe.reg
[2010/11/11 16:47:35 | 000,000,228 | ---- | C] () -- C:\Documents and Settings\laptop\Desktop\shell.reg
[2010/11/04 20:49:00 | 000,000,006 | ---- | C] () -- C:\Documents and Settings\laptop\Application Data\start
[2010/09/22 23:33:02 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxcyvs.dll
[2010/09/22 23:33:00 | 000,344,064 | ---- | C] () -- C:\WINDOWS\System32\lxcycoin.dll
[2010/09/22 23:32:37 | 000,692,224 | ---- | C] () -- C:\WINDOWS\System32\lxcydrs.dll
[2010/09/22 23:32:37 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\lxcycaps.dll
[2010/09/22 23:32:36 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\lxcycnv4.dll
[2010/09/22 23:32:14 | 000,274,432 | ---- | C] () -- C:\WINDOWS\System32\lxcyinst.dll
[2010/08/25 17:24:31 | 000,004,990 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\mtbjfghn.xbe
[2010/01/25 10:58:06 | 000,462,848 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2009/12/17 11:44:13 | 000,000,264 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/07/07 08:16:27 | 000,027,648 | ---- | C] () -- C:\Documents and Settings\laptop\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/30 15:48:53 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2008/12/30 15:48:52 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2008/12/30 09:26:37 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/07/26 13:42:52 | 000,066,482 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2008/07/26 07:25:02 | 000,025,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2005/02/10 12:17:50 | 000,172,056 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2000/09/08 16:53:50 | 000,073,839 | ---- | C] () -- C:\WINDOWS\System32\KodakOneTouch.dll

< End of report >


OTL Extras logfile created on: 11/17/2010 1:36:55 PM - Run 2
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\laptop\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 69.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 55.23 Gb Free Space | 74.17% Space Free | Partition Type: NTFS
Drive E: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 1.86 Gb Total Space | 0.05 Gb Free Space | 2.55% Space Free | Partition Type: FAT

Computer Name: HOME | User Name: laptop | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Logitech\QuickCam\Quickcam.exe" = C:\Program Files\Logitech\QuickCam\Quickcam.exe:*:Enabled:Quickcam -- ()
"C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe" = C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe:*:Enabled:YahooAUService -- (Yahoo! Inc.)
"C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe" = C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe:*:Enabled:LVPrcSrv -- (Logitech Inc.)
"C:\Program Files\Fortinet\FortiClient\FortiProxy.exe" = C:\Program Files\Fortinet\FortiClient\FortiProxy.exe:*:Enabled:FortiClient Proxy Service -- (Fortinet Inc.)
"C:\Program Files\Fortinet\FortiClient\ipsec.exe" = C:\Program Files\Fortinet\FortiClient\ipsec.exe:*:Enabled:FortiClient VPN Service -- (Fortinet Inc.)
"C:\Documents and Settings\laptop\temp\TeamViewer\Version5\TeamViewer.exe" = C:\Documents and Settings\laptop\temp\TeamViewer\Version5\TeamViewer.exe:*:Enabled:TeamViewer -- (TeamViewer GmbH)
"C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" = C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe:*:Disabled:GoogleToolbarNotifier -- (Google Inc.)
"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe" = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare -- ()
"C:\WINDOWS\system32\lxcycoms.exe" = C:\WINDOWS\system32\lxcycoms.exe:*:Enabled:3400 Series Server -- ( )


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}" = Notifier
"{077AA014-B568-4FF8-B360-9ACE1A1F4571}" = CLEAR Connection Manager
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" = Lexmark Toolbar
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{154508C0-07C5-4659-A7A0-E49968750D21}" = HLPPDOCK
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{2764CA82-DFB9-4498-AF85-719340BF5305}" = Dell Resource CD
"{343D8DE3-AE1F-431A-830C-B66352E8CA12}" = OZ776 SCR Driver V1.1.3.9
"{34D6AD5A-C03D-45FF-AA8A-8B306E01B96D}" = FortiClient Endpoint Security
"{34F93E31-E1A0-421C-8E86-BCF7C4193A91}" = LogMeIn
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{38441BE7-79B0-42B8-8297-833704F949FE}" = HLPIndex
"{3AF8FCCD-F51A-4014-9002-F195E1CBC876}" = Logitech QuickCam
"{3C0619B4-4A2C-4244-8077-488E420DF907}" = FINAL FANTASY XI: Chains of Promathia
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}" = OTtBPSDK
"{432C3720-37BF-4BD7-8E49-F38E090246D0}" = CR2
"{48C82F7A-F100-4DAB-A310-8E18BF2159E1}" = ESSvpot
"{4F677FC7-7AA8-412B-A957-F13CBE1C7331}" = ESSSONIC
"{53735ECE-E461-4FD0-B742-23A352436D3A}" = Logitech Updater
"{54C8FE84-89C4-40E8-976C-439EB0729BD6}" = CardRd81
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{678F6475-D227-432A-94FF-806178A34520}" = FINAL FANTASY XI
"{6FC76C41-8C1D-4B43-85E7-0BAA2002F1BE}" = FINAL FANTASY XI: Rise of the Zilart
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{87843A41-7808-4F2E-B13F-25C1E67CF2FD}" = ESShelp
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8BB4B58A-A402-4DE8-8FCD-287E60B88DD8}" = ESSCT
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}" = ESScore
"{9DBCF56A-CDF0-41bf-BE0F-E00A88B18F56}" = Cricket EVDO Modem
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}" = ESSvpaht
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADAC983-FDE9-42FA-8FD9-7BB324155593}" = HLPRFO
"{AC76BA86-7AD7-1033-7B44-A70900000002}" = Adobe Reader 7.0.9
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{B6FE57E6-E454-4F2A-94A0-87707FE190EF}" = Cricket Broadband
"{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}" = KSU
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CA60320D-6A16-49C8-A34F-84EEF4799567}" = ESSTUTOR
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{D3B3B9B2-FE73-44CB-8C0A-F737D92F991B}" = Broadcom Gigabit Integrated Controller
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{E1E502E2-C006-49DB-9C0C-F2196E51826F}_is1" = Rootkit Unhooker LE 3.8 SR 2
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}" = OTtBP
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
"{FDF9943A-3D5C-46B3-9679-586BD237DDEE}" = SKIN0001
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F" = Conexant HDA D330 MDC V.92 Modem
"ESET Online Scanner" = ESET Online Scanner v3
"Google Chrome" = Google Chrome
"ie8" = Windows Internet Explorer 8
"InstallShield_{343D8DE3-AE1F-431A-830C-B66352E8CA12}" = OZ776 SCR Driver V1.1.3.9
"InstallShield_{3C0619B4-4A2C-4244-8077-488E420DF907}" = FINAL FANTASY XI: Chains of Promathia
"InstallShield_{678F6475-D227-432A-94FF-806178A34520}" = FINAL FANTASY XI
"InstallShield_{6FC76C41-8C1D-4B43-85E7-0BAA2002F1BE}" = FINAL FANTASY XI: Rise of the Zilart
"Lexmark 3400 Series" = Lexmark 3400 Series
"Loki ActiveX Control" = Loki ActiveX Control
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"QuickLink Mobile" = QuickLink Mobile
"QuickTime" = QuickTime
"SmileyCentralIE_1wbar Uninstall" = SmileyCentral
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"UTStarcom USB Modem" = UTStarcom USB Modem Software
"VLC media player" = VLC media player 1.0.3
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Search Defender" = Yahoo! Search Protection
"Yahoo! Software Update" = Yahoo! Software Update
"YInstHelper" = Yahoo! Install Manager

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/17/2010 9:17:05 AM | Computer Name = HOME | Source = Google Update | ID = 20
Description =

Error - 11/4/2010 11:06:07 PM | Computer Name = HOME | Source = Application Error | ID = 1000
Description = Faulting application spoolsv.exe, version 5.1.2600.6024, faulting
module unknown, version 0.0.0.0, fault address 0x001a1e31.

Error - 11/4/2010 11:22:16 PM | Computer Name = HOME | Source = Application Error | ID = 1000
Description = Faulting application spoolsv.exe, version 5.1.2600.6024, faulting
module unknown, version 0.0.0.0, fault address 0x001a5f7a.

Error - 11/5/2010 7:40:52 AM | Computer Name = HOME | Source = Application Error | ID = 1000
Description = Faulting application spoolsv.exe, version 5.1.2600.6024, faulting
module unknown, version 0.0.0.0, fault address 0x002b5f7a.

Error - 11/11/2010 6:32:19 PM | Computer Name = HOME | Source = Application Error | ID = 1000
Description = Faulting application spoolsv.exe, version 5.1.2600.6024, faulting
module unknown, version 0.0.0.0, fault address 0x001a5f7a.

Error - 11/12/2010 11:13:43 AM | Computer Name = HOME | Source = MBAMService | ID = 131073
Description =

Error - 11/15/2010 11:31:52 AM | Computer Name = HOME | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/15/2010 3:17:46 PM | Computer Name = HOME | Source = Application Hang | ID = 1002
Description = Hanging application gmer.exe, version 1.0.15.15530, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 11/16/2010 6:00:49 PM | Computer Name = HOME | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 11/16/2010 6:01:37 PM | Computer Name = HOME | Source = crypt32 | ID = 131075
Description = Failed auto update retrieval of third-party root list cab from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: The server returned an invalid or unrecognized response

[ System Events ]
Error - 11/16/2010 6:22:05 PM | Computer Name = HOME | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error
message: The referenced assembly is not installed on your system. .

Error - 11/16/2010 6:22:05 PM | Computer Name = HOME | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\DOCUME~1\laptop\LOCALS~1\Temp\RarSFX0\redist.dll.
Reference
error message: The operation completed successfully. .

Error - 11/17/2010 10:40:45 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7034
Description = The Process Monitor service terminated unexpectedly. It has done
this 1 time(s).

Error - 11/17/2010 10:45:34 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7034
Description = The Dell Wireless WLAN Tray Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 11/17/2010 10:50:56 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SASDIFSV SASKUTIL

Error - 11/17/2010 10:51:02 AM | Computer Name = HOME | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service LogMeIn with
arguments "" in order to run the server: {C3ADA61A-4E0E-48D4-A2B1-AE5F76D01044}

Error - 11/17/2010 11:22:24 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7031
Description = The COM+ System Application service terminated unexpectedly. It has
done this 1 time(s). The following corrective action will be taken in 1000 milliseconds:
Restart the service.

Error - 11/17/2010 11:27:15 AM | Computer Name = HOME | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service LogMeIn with
arguments "" in order to run the server: {C3ADA61A-4E0E-48D4-A2B1-AE5F76D01044}

Error - 11/17/2010 11:27:45 AM | Computer Name = HOME | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service LogMeIn with
arguments "" in order to run the server: {C3ADA61A-4E0E-48D4-A2B1-AE5F76D01044}

Error - 11/17/2010 11:28:46 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SASDIFSV SASKUTIL


< End of report >

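The Extras log above closes the topic starter's post. What follows is an added example, not code from OTL, OldTimer or this forum: a small Python checker that reads an OTL Extras log in the layout posted here and compares the parts a responder normally eyeballs (the Shell Spawning verbs, the Security Center, System Restore and firewall values, and the Java entries in the uninstall list) against a baseline. The baseline values, the section and key names, the minimum Java update level (22, the one Starbuck asks for below) and the sample excerpt are this example's own assumptions; the sample is constructed and deliberately altered from the clean log in the thread so that each check has something to flag.

```python
"""Baseline checks over an OTL 'Extras' log (added example; not OTL's own code).

Assumptions made by this example: section headers, '[HKEY...]' key lines and
'"name" = value' lines follow the layout of the Extras log posted in this thread,
and the EXPECTED_* tables are what a stock Windows XP SP3 box normally shows.
"""
import re
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.+?)" = (.*)$')
SPAWN_RE = re.compile(r"^(\w+) \[(\w+)\] -- (.*)$")
JAVA_RE = re.compile(r"Java.*?(\d+) Update (\d+)")

# Shell verbs whose command should be the stock one; anything else means every
# program launch of that type is being routed through some other executable.
EXPECTED_SPAWN = {
    ("exefile", "open"): '"%1" %*',
    ("comfile", "open"): '"%1" %*',
    ("batfile", "open"): '"%1" %*',
    ("cmdfile", "open"): '"%1" %*',
    ("piffile", "open"): '"%1" %*',
    ("scrfile", "open"): '"%1" /S',
}

# Registry values with a known-good state, keyed by (log section, registry key).
EXPECTED_VALUES = {
    ("Security Center Settings", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"): {
        "AntiVirusDisableNotify": "0", "FirewallDisableNotify": "0",
        "UpdatesDisableNotify": "0", "AntiVirusOverride": "0", "FirewallOverride": "0",
    },
    ("System Restore Settings",
     r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"): {
        "DisableSR": "0",
    },
    ("Firewall Settings",
     r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"): {
        "EnableFirewall": "1",
    },
}

MIN_JAVA_UPDATE = 22  # the JRE 6 update level the responder asks for in this thread

# Constructed excerpt in the thread's log layout, altered so that the checks fire.
SAMPLE_LOG = r"""
========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "C:\CONSTRUCTED\unknown.exe" "%1" %*
piffile [open] -- "%1" %*
scrfile [open] -- "%1" /S

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"""


def parse_extras(text: str):
    """Split an Extras log into shell-spawn commands, registry values and uninstall names."""
    spawn: Dict[Tuple[str, str], str] = {}
    values: Dict[Tuple[str, str], Dict[str, str]] = {}
    uninstall: List[str] = []
    section = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:  # '========== Name ==========' starts a new section and resets the key
            section, key = m.group(1), None
            continue
        m = KEY_RE.match(line)
        if m:  # '[HKEY_...]' names the registry key the following values belong to
            key = m.group(1)
            continue
        m = SPAWN_RE.match(line)
        if section == "Shell Spawning" and m:
            spawn[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            if "Uninstall List" in (section or ""):
                uninstall.append(m.group(2))  # display name is the interesting part
            else:
                values.setdefault((section, key), {})[m.group(1)] = m.group(2)
    return spawn, values, uninstall


def find_issues(text: str) -> List[str]:
    """Return one human-readable line per deviation from the baseline."""
    spawn, values, uninstall = parse_extras(text)
    issues: List[str] = []
    for (cls, verb), expected in EXPECTED_SPAWN.items():
        actual = spawn.get((cls, verb))
        if actual is None:
            issues.append(f"{cls} [{verb}] missing from Shell Spawning section")
        elif actual != expected:
            issues.append(f"{cls} [{verb}] is {actual!r}, expected {expected!r}")
    for (section, key), expected in EXPECTED_VALUES.items():
        found = values.get((section, key), {})  # a missing key flags every value
        for name, want in expected.items():
            got = found.get(name)
            if got != want:
                issues.append(f"{section}: {name} = {got!r}, expected {want!r}")
    for name in uninstall:
        m = JAVA_RE.search(name)
        if m and int(m.group(2)) < MIN_JAVA_UPDATE:
            issues.append(f"outdated Java: {name} (update {m.group(2)} < {MIN_JAVA_UPDATE})")
    return issues


if __name__ == "__main__":
    for issue in find_issues(SAMPLE_LOG):
        print(" -", issue)
```

Run against the constructed excerpt it reports the redirected exefile verb, the suppressed antivirus notification, the disabled firewall profile and the old Java build; run against the clean log posted above it would report only the Java entry, which is exactly the one thing the responder picks up on in the next post.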
#8 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK
  • Local time:08:26 AM

Posted 18 November 2010 - 03:48 AM

Hi jdickherber,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 22 and save it to your desktop.
  • Scroll down to where it says "JDK 6 Update 22 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select 'Windows' from the Platform down arrow.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • Click Continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u22-windows-i586-p.exe to install the newest version.

Also let me know how the system is running now .... any problems?



#9 jdickherber

jdickherber
  • Topic Starter

  • Members
  • 5 posts
  • Local time:01:26 AM

Posted 18 November 2010 - 09:37 AM

I was already taking care of that while I was awaiting your reply :thumbup2: . I uninstalled the outdated Java, Adobe Reader, Adobe Flash, and installed the latest versions. I also scanned with Secunia PSI and my score is 100%. The computer is running fine now. If my logs show no further rootkit activity, you may close/lock this thread.

Thank you very much for your assistance.

#10 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK
  • Local time:08:26 AM

Posted 18 November 2010 - 11:42 AM

Hi jdickherber,

The computer is running fine now. If my logs show no further rootkit activity, you may close/lock this thread.

That's good to hear.
Let's finish off and remove the tools we used.

Step 1
  • Please double-click OTL.exe to run it.
  • You should see a CleanUp! button; press that button.
  • This will remove any programs we have asked you to download along with their associated folders, plus itself.

Note:
MBAM will not be removed


Step 2
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Select the drive for cleaning then click OK (usually 'C' drive)
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


To find out how you may have been infected....read this topic:
So how did I get infected?

Not all of the following information will be applicable to you, but it's still best to read it all.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Use an AntiVirus Software

    Note*:
    Upon installation MS Security Essentials will check that your OS is a legal copy.

    Only install one AntiVirus program
  • Update your AntiVirus Software regularly
  • Use a 3rd party Firewall
    NOTE: If choosing Zone Alarm be aware that the free version also installs ZoneAlarm Spy Blocker. It is recommended however that you UNcheck this option.

    Only install one software Firewall

    Some 3rd party Firewalls will turn off the windows firewall when they are installed.
    It's always best to check that the Windows Firewall is turned off:

    How to turn off Windows Firewall:
    Start ... Control Panel ... click on 'Classic View'.
    Now select Windows Firewall.
    When the Windows Firewall box opens, put a tick against .. Off (not recommended) and then click OK.
  • Scan regularly with a 'Stand Alone' Anti-Malware scanner:
    Installing another scanner that you can run once or twice a week is always beneficial.
    Something like:
    Malwarebytes Anti-Malware
    SUPERAntiSpyware
    Remember to update these programs each time before running.
    You can install more than one of these if you only run them as stand alone programs.
  • Use an alternative browser:
    Some excellent alternatives to MS Internet Explorer are:

    Firefox
    For added security, add the NoScript extension to this browser:
    Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks
    also consider adding:
    WOT - Safe Browsing Tool

    Web of Trust warns you about risky sites that cheat customers, deliver malware or send spam. Millions of members of the WOT community rate sites based on their experience, giving you an extra layer of protection when browsing or searching the Web.
    Btw: you don't have to make a contribution.

    Opera

    They offer better security, more stability, and better speed.
  • Keep a backup of your registry
    Keeping a regular backup of your registry will help when something goes wrong.
    Use a program like:
    Erunt

    A full tutorial on how to set up and use Erunt can be found here:
    Erunt tutorial
  • Keep your system clean of temp files etc, using a 'Cleaner':

    Cleaners are programs that will help to clean out your:
    Windows temp files
    Current user temp files
    Cookies
    Temporary Internet files
    Browser history
    Recycle bin
    Etc.......
    In other words.... all the rubbish that you accumulate over the course of your browsing and day-to-day usage of your PC.
    Programs like:
    CCleaner
    TFC by OldTimer
    ATF Cleaner
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:
    Using and installing SpywareBlaster
  • Update all your 'Security' programs regularly - Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.

Safe surfing.
