Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: North Korea's Elites Are Ditching Facebook for Chinese Social Networks

Featured Deal: Pay What You Want: The 2018 Machine Learning Bundle Deal

Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks

Started by gvalcho , Dec 03 2010 10:32 AM

Please log in to reply

21 replies to this topic

#1 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #1$ gvalcho

Members
15 posts
OFFLINE

Local time:09:50 PM

Posted 03 December 2010 - 10:32 AM

For the past couple of months I've had the Rootkit mentioned in the title of this post. When it appears I run TDSSKiller and it "cures" the Rootkit infection after a reboot. I typically discover the Rootkit is active because I get extra activity in IE8. IE8 will start running something, usually when I open a third tab, and when it's finished I have a virus. The viruses are easily cleaned with Microsoft Essentials or MalwareBytes. I've had the following viruses (all cleaned) Fake Security Essentials, Hiloti.gen!D, WhiteSmoke, Alureon.A. Each time the virus is cleaned the PC is good again for two weeks, then the Rootkit activates and I get a new virus.

I just ran TDSSkiller, rebooted and cleaned up Alureon.A this morning. Therefore I thought this would be a good time to ask for your assistance. Maybe with your help I can get this PC cleaned before the next infection.

Details: Dell Dimension E510 running Windows XP.

Thank you in advance for your assistance!

George

The DSS and TDSSKiller logs you requested are attached! GMER is still running. I'll post it next.

George

DDS (Ver_10-11-27.01) - NTFSx86
Run by George Valcho at 10:19:03.70 on Fri 12/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.454 [GMT -6:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Documents and Settings\George Valcho\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.drudgereport.com/
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:5577
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [AdobeBridge]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [SE11] c:\program files\secess\SE11.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet

explorer\0.5.36.0\gears.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: fastestdeploy.com
Trusted Zone: motive.com\patttbc.att
Trusted Zone: turbotax.com
Trusted Zone: fastestdeploy.com
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://gvsportsphotography.exposuremanager.com/uploader/ImageUploader5.cab
DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://gvsportsphotography.exposuremanager.com/uploader/ImageUploader4.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - hxxp://gvsportsphotography.exposuremanager.com/ImageUploader3.cab
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} - hxxp://www.candystand.com/assets/activex/virtools/CacheManager.CAB
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\george~1\applic~1\mozilla\firefox\profiles\bpuh3etg.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.drudgereport.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\documents and settings\george valcho\application

data\mozilla\firefox\profiles\bpuh3etg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\george valcho\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\george valcho\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwbe.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows

presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Starfield Zoom: zoomext@starfield - c:\program files\mozilla firefox\extensions\zoomext@starfield
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - c:\program files\google\google gears\Firefox
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Extension: Clear Cache Button: {563e4790-7e70-11da-a72b-0800200c9a66} -

c:\docume~1\george~1\applic~1\mozilla\firefox\profiles\bpuh3etg.default\extensions\{563e4790-7e70-11da-a72b-0800200c9a66}
FF - Extension: <?xmlversion=1.0?><RDF xmlns=http://www.w3.org/1999/02/22-rdf-syntax-ns# xmlns:em=http://www.mozilla.org/2004/em-rdf#><Description

about=urn:mozilla:install-manifest><em:id>fbdislike@doweb.fr: fbdislike@doweb.fr -

c:\docume~1\george~1\applic~1\mozilla\firefox\profiles\bpuh3etg.default\extensions\fbdislike@doweb.fr
FF - Extension: Copy Plain Text: {723AAF16-AF1F-4404-A5D7-0BFE39766605} -

c:\docume~1\george~1\applic~1\mozilla\firefox\profiles\bpuh3etg.default\extensions\{723AAF16-AF1F-4404-A5D7-0BFE39766605}
FF - Extension: Auto Copy: {0FED7D55-65D4-47b6-A6DE-9A4ADB55355F} -

c:\docume~1\george~1\applic~1\mozilla\firefox\profiles\bpuh3etg.default\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}
FF - Extension: Personas: personas@christopher.beard -

c:\docume~1\george~1\applic~1\mozilla\firefox\profiles\bpuh3etg.default\extensions\personas@christopher.beard
FF - Extension: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} -

c:\docume~1\george~1\applic~1\mozilla\firefox\profiles\bpuh3etg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Extension: Firebug: firebug@software.joehewitt.com -

c:\docume~1\george~1\applic~1\mozilla\firefox\profiles\bpuh3etg.default\extensions\firebug@software.joehewitt.com

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2006-5-12 2944]
R3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2006-5-12 60416]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2006-5-12 11008]
R3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2000-2-24 10908]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2009-3-25 28672]
S2 gupdate1c92027b42b3074;Google Update Service (gupdate1c92027b42b3074);c:\program files\google\update\GoogleUpdate.exe [2008-9-26 133104]
S2 PEVSystemStart;PEVSystemStart;c:\oldcombofix\PEV.cfxxe [2010-11-6 256512]
S3 SNPP202;PC Camera (6028 VGA);c:\windows\system32\drivers\snpp202.sys [2010-7-1 236544]

=============== Created Last 30 ================

2010-12-03 04:29:07 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition

updates\{30cbfd85-2cb3-4408-8d44-f42be678814d}\mpengine.dll
2010-12-01 03:30:30 -------- d-----w- C:\TDSSKiller_Quarantine
2010-11-30 19:52:26 -------- d-----w- c:\windows\system32\%APPDATA%
2010-11-10 15:47:58 -------- d-----w- C:\bd_logs
2010-11-10 01:38:36 -------- d-----w- c:\program files\Free Offers from Freeze.com
2010-11-09 16:41:06 -------- d-sh--w- c:\documents and settings\george valcho\UserData
2010-11-06 23:24:07 -------- d-----w- c:\program files\ESET
2010-11-06 17:42:01 -------- d-s---w- C:\OldComboFix

==================== Find3M ====================

2010-11-06 12:30:54 0 ----a-w- c:\windows\Yputeviw.bin
2010-11-03 23:36:29 88064 ----a-w- c:\windows\MBR.exe
2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 10:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 08:29:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl

============= FINISH: 10:20:38.26 ===============

2010/12/02 21:36:19.0875 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/12/02 21:36:19.0875 ================================================================================
2010/12/02 21:36:19.0875 SystemInfo:
2010/12/02 21:36:19.0875
2010/12/02 21:36:19.0875 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/02 21:36:19.0875 Product type: Workstation
2010/12/02 21:36:19.0875 ComputerName: D5VF0Z91
2010/12/02 21:36:19.0875 UserName: George Valcho
2010/12/02 21:36:19.0875 Windows directory: C:\WINDOWS
2010/12/02 21:36:19.0875 System windows directory: C:\WINDOWS
2010/12/02 21:36:19.0875 Processor architecture: Intel x86
2010/12/02 21:36:19.0875 Number of processors: 2
2010/12/02 21:36:19.0875 Page size: 0x1000
2010/12/02 21:36:19.0875 Boot type: Normal boot
2010/12/02 21:36:19.0875 ================================================================================
2010/12/02 21:36:21.0421 Initialize success
2010/12/02 21:36:24.0531 ================================================================================
2010/12/02 21:36:24.0531 Scan started
2010/12/02 21:36:24.0531 Mode: Manual;
2010/12/02 21:36:24.0531 ================================================================================
2010/12/02 21:36:29.0765 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2010/12/02 21:36:30.0390 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/02 21:36:30.0687 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/12/02 21:36:30.0843 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2010/12/02 21:36:31.0031 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/12/02 21:36:31.0140 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/12/02 21:36:31.0234 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/12/02 21:36:31.0484 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2010/12/02 21:36:31.0968 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2010/12/02 21:36:32.0281 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2010/12/02 21:36:32.0484 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2010/12/02 21:36:32.0593 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2010/12/02 21:36:32.0718 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2010/12/02 21:36:32.0828 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2010/12/02 21:36:33.0015 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2010/12/02 21:36:33.0203 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2010/12/02 21:36:33.0390 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2010/12/02 21:36:33.0593 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2010/12/02 21:36:33.0765 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/02 21:36:33.0890 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/02 21:36:34.0562 ati2mtag (a7dd7088e2c987dbcb3f4d6d56f723bd) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/12/02 21:36:35.0062 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/02 21:36:35.0187 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/02 21:36:35.0265 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/02 21:36:35.0453 brfilt (4ba311473e0d8557827e6f2fe33a8095) C:\WINDOWS\system32\Drivers\Brfilt.sys
2010/12/02 21:36:35.0671 BrSerWDM (8e06cd96e00472c03770a697d04031c0) C:\WINDOWS\system32\Drivers\BrSerWdm.sys
2010/12/02 21:36:35.0781 BrUsbMdm (37e2d0b12ddf536cd64af6eb3b580ef8) C:\WINDOWS\system32\Drivers\BrUsbMdm.sys
2010/12/02 21:36:35.0937 BrUsbScn (b8cd37e3c00a0049270177e4ee015f0f) C:\WINDOWS\system32\Drivers\BrUsbScn.sys
2010/12/02 21:36:36.0109 BVRPMPR5 (6598d078d5446197aed6b46c6a2a3431) C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
2010/12/02 21:36:36.0734 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2010/12/02 21:36:36.0812 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/12/02 21:36:37.0093 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/12/02 21:36:37.0218 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2010/12/02 21:36:37.0343 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/12/02 21:36:37.0656 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/12/02 21:36:37.0859 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/02 21:36:38.0000 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2010/12/02 21:36:38.0156 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2010/12/02 21:36:38.0375 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2010/12/02 21:36:38.0656 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2010/12/02 21:36:38.0828 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/02 21:36:39.0046 DLABOIOM (e2d0de31442390c35e3163c87cb6a9eb) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
2010/12/02 21:36:39.0156 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
2010/12/02 21:36:39.0250 DLADResN (83545593e297f50a8e2524b4c071a153) C:\WINDOWS\system32\DLA\DLADResN.SYS
2010/12/02 21:36:39.0328 DLAIFS_M (96e01d901cdc98c7817155cc057001bf) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
2010/12/02 21:36:39.0578 DLAOPIOM (0a60a39cc5e767980a31ca5d7238dfa9) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
2010/12/02 21:36:39.0703 DLAPoolM (9fe2b72558fc808357f427fd83314375) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
2010/12/02 21:36:39.0906 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
2010/12/02 21:36:40.0046 DLAUDFAM (f08e1dafac457893399e03430a6a1397) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
2010/12/02 21:36:40.0187 DLAUDF_M (e7d105ed1e694449d444a9933df8e060) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
2010/12/02 21:36:40.0734 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/12/02 21:36:41.0093 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/12/02 21:36:41.0437 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/12/02 21:36:41.0765 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/12/02 21:36:42.0375 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2010/12/02 21:36:42.0625 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/12/02 21:36:42.0984 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
2010/12/02 21:36:43.0250 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
2010/12/02 21:36:43.0546 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
2010/12/02 21:36:44.0281 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
2010/12/02 21:36:44.0906 E100B (95974e66d3de4951d29e28e8bc0b644c) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/12/02 21:36:45.0484 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/12/02 21:36:46.0140 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/12/02 21:36:46.0593 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/12/02 21:36:47.0421 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/12/02 21:36:47.0984 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/12/02 21:36:48.0468 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/12/02 21:36:49.0328 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/12/02 21:36:49.0921 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2010/12/02 21:36:50.0343 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/12/02 21:36:51.0031 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/12/02 21:36:51.0718 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/12/02 21:36:52.0562 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2010/12/02 21:36:53.0281 HSFHWBS2 (77e4ff0b73bc0aeaaf39bf0c8104231f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
2010/12/02 21:36:54.0734 HSF_DP (60e1604729a15ef4a3b05f298427b3b1) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2010/12/02 21:36:57.0046 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/12/02 21:36:58.0187 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2010/12/02 21:36:59.0078 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2010/12/02 21:37:00.0093 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/02 21:37:00.0953 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/02 21:37:01.0546 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2010/12/02 21:37:02.0140 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/12/02 21:37:02.0609 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/12/02 21:37:03.0218 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/12/02 21:37:03.0750 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/02 21:37:04.0187 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/12/02 21:37:04.0781 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/02 21:37:05.0437 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/02 21:37:06.0015 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/02 21:37:06.0546 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/02 21:37:07.0125 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/02 21:37:07.0687 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/12/02 21:37:08.0218 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/12/02 21:37:08.0703 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/02 21:37:09.0312 libusb0 (34d6730e198a5b0fce0790a6b4769ef2) C:\WINDOWS\system32\drivers\libusb0.sys
2010/12/02 21:37:09.0890 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/12/02 21:37:10.0406 mf (a7da20ab18a1bdae28b0f349e57da0d1) C:\WINDOWS\system32\DRIVERS\mf.sys
2010/12/02 21:37:11.0031 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/12/02 21:37:11.0546 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/12/02 21:37:12.0125 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2010/12/02 21:37:12.0687 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/12/02 21:37:13.0359 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/12/02 21:37:14.0218 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/12/02 21:37:14.0859 MpFilter (c98301ad8173a2235a9ab828955c32bb) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2010/12/02 21:37:15.0484 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2010/12/02 21:37:16.0062 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
2010/12/02 21:37:16.0921 MREMPR5 (2bc9e43f55de8c30fc817ed56d0ee907) C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS
2010/12/02 21:37:17.0421 MRENDIS5 (594b9d8194e3f4ecbf0325bd10bbeb05) C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS
2010/12/02 21:37:17.0828 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
2010/12/02 21:37:18.0468 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/12/02 21:37:19.0125 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/12/02 21:37:19.0921 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/12/02 21:37:20.0359 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/12/02 21:37:21.0015 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/12/02 21:37:21.0578 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/12/02 21:37:22.0140 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/12/02 21:37:22.0671 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/12/02 21:37:23.0109 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/12/02 21:37:23.0593 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/12/02 21:37:24.0328 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/12/02 21:37:24.0781 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/12/02 21:37:25.0203 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/12/02 21:37:25.0671 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/12/02 21:37:26.0125 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/12/02 21:37:26.0796 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/02 21:37:27.0312 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/12/02 21:37:27.0875 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/12/02 21:37:28.0843 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/12/02 21:37:29.0421 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/02 21:37:30.0312 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/12/02 21:37:31.0343 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/12/02 21:37:33.0125 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/12/02 21:37:33.0734 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/12/02 21:37:34.0265 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/12/02 21:37:34.0875 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/12/02 21:37:35.0203 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/12/02 21:37:35.0843 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/02 21:37:36.0734 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/12/02 21:37:37.0250 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/12/02 21:37:37.0843 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2010/12/02 21:37:38.0437 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2010/12/02 21:37:39.0046 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/02 21:37:39.0625 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/12/02 21:37:40.0312 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/12/02 21:37:40.0843 PxHelp20 (81088114178112618b1c414a65e50f7c) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/12/02 21:37:41.0390 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2010/12/02 21:37:41.0937 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2010/12/02 21:37:42.0562 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2010/12/02 21:37:43.0078 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2010/12/02 21:37:43.0609 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2010/12/02 21:37:44.0203 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/12/02 21:37:44.0781 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/12/02 21:37:45.0296 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/12/02 21:37:45.0843 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/12/02 21:37:46.0375 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/12/02 21:37:47.0015 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/12/02 21:37:47.0546 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/12/02 21:37:48.0453 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/12/02 21:37:49.0046 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/12/02 21:37:49.0765 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/12/02 21:37:50.0515 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/12/02 21:37:51.0093 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/12/02 21:37:51.0546 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/12/02 21:37:52.0531 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2010/12/02 21:37:53.0046 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/12/02 21:37:53.0703 SNPP202 (bc24e70b754621621d84e1480748e19d) C:\WINDOWS\system32\DRIVERS\snpp202.sys
2010/12/02 21:37:54.0453 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2010/12/02 21:37:55.0078 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/12/02 21:37:55.0625 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/12/02 21:37:56.0109 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/02 21:37:57.0171 STHDA (2a2dc39623adef8ab3703ab9fac4b440) C:\WINDOWS\system32\drivers\sthda.sys
2010/12/02 21:37:58.0703 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/12/02 21:37:59.0234 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/12/02 21:37:59.0734 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/12/02 21:38:00.0328 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2010/12/02 21:38:00.0828 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2010/12/02 21:38:01.0296 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2010/12/02 21:38:01.0609 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2010/12/02 21:38:02.0218 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/12/02 21:38:02.0671 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/02 21:38:03.0015 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/12/02 21:38:03.0468 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/12/02 21:38:03.0937 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/12/02 21:38:04.0421 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2010/12/02 21:38:04.0640 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/12/02 21:38:04.0765 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2010/12/02 21:38:04.0890 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/12/02 21:38:05.0078 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/12/02 21:38:05.0171 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/12/02 21:38:05.0250 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/12/02 21:38:05.0375 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/12/02 21:38:05.0468 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/12/02 21:38:05.0546 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/12/02 21:38:05.0640 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/12/02 21:38:05.0796 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/12/02 21:38:05.0906 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/12/02 21:38:05.0984 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2010/12/02 21:38:06.0046 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/12/02 21:38:06.0125 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/12/02 21:38:06.0171 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/12/02 21:38:06.0328 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/12/02 21:38:06.0390 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/12/02 21:38:06.0609 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2010/12/02 21:38:06.0703 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2010/12/02 21:38:06.0781 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/12/02 21:38:06.0859 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/12/02 21:38:06.0921 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/12/02 21:38:06.0984 ================================================================================
2010/12/02 21:38:06.0984 Scan finished
2010/12/02 21:38:06.0984 ================================================================================
2010/12/02 21:38:12.0703 Deinitialize success

In Step 9 of the Preparation Guide it asks that the attach.txt file be attached, so here it is!

The GMER process finally finished! 4.5 hours. The output is attached.

George

Attached Files

Attach.txt 26.49KB 1 downloads
ark.txt 7.08KB 2 downloads

Edited by boopme, 04 December 2010 - 06:08 PM.

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #2$ gringo_pr

Bleepin Gringo

Malware Response Team
136,772 posts
OFFLINE

Gender:Male
Location:Puerto rico
Local time:11:50 PM

Posted 10 December 2010 - 03:53 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

Do not run any other tool untill instructed to do so!
Please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger may ask you to reboot the machine, if it does - click OK

Do not re-enable these drivers until otherwise instructed.

Download DDS:

Please download DDS by sUBs from one of the links below and save it to your desktop:

Download DDS and save it to your desktop

Link1
Link2
Link3

Please disable any anti-malware program that will block scripts from running before running DDS.
- Double-Click on dds.scr and a command window will appear. This is normal.
- Shortly after two logs will appear:
- DDS.txt
- Attach.txt
A window will open instructing you save & post the logs
Save the logs to a convenient place such as your desktop
Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

Please Download Rootkit Unhooker Save it to your desktop.
Now double-click on RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
Wait till the scanner has finished and then click File, Save Report.
Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

"just click on Cancel, then Accept".

information and logs:

In your next post I need the following

.logs from DDS
log from RKUnHooker
let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->

<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #3$ gvalcho

Topic Starter

Members
15 posts
OFFLINE

Local time:09:50 PM

Posted 10 December 2010 - 07:49 AM

Hi Gringo, thank you so much for your assistance. The logs you requested are inserted.

George

DDS Log

DDS (Ver_10-12-05.01) - NTFSx86
Run by George Valcho at 6:29:13.81 on Fri 12/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.509 [GMT -6:00]

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\George Valcho\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.drudgereport.com/
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:5577
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [AdobeBridge]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [SE11] c:\program files\secess\SE11.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: fastestdeploy.com
Trusted Zone: motive.com\patttbc.att
Trusted Zone: turbotax.com
Trusted Zone: fastestdeploy.com
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://gvsportsphotography.exposuremanager.com/uploader/ImageUploader5.cab
DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://gvsportsphotography.exposuremanager.com/uploader/ImageUploader4.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - hxxp://gvsportsphotography.exposuremanager.com/ImageUploader3.cab
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} - hxxp://www.candystand.com/assets/activex/virtools/CacheManager.CAB
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\george~1\applic~1\mozilla\firefox\profiles\bpuh3etg.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.drudgereport.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\documents and settings\george valcho\application data\mozilla\firefox\profiles\bpuh3etg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\george valcho\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\george valcho\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwbe.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Starfield Zoom: zoomext@starfield - c:\program files\mozilla firefox\extensions\zoomext@starfield
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - c:\program files\google\google gears\Firefox
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Extension: Clear Cache Button: {563e4790-7e70-11da-a72b-0800200c9a66} - c:\docume~1\george~1\applic~1\mozilla\firefox\profiles\bpuh3etg.default\extensions\{563e4790-7e70-11da-a72b-0800200c9a66}
FF - Extension: <?xmlversion=1.0?><RDF xmlns=http://www.w3.org/1999/02/22-rdf-syntax-ns# xmlns:em=http://www.mozilla.org/2004/em-rdf#><Description about=urn:mozilla:install-manifest><em:id>fbdislike@doweb.fr: fbdislike@doweb.fr - c:\docume~1\george~1\applic~1\mozilla\firefox\profiles\bpuh3etg.default\extensions\fbdislike@doweb.fr
FF - Extension: Copy Plain Text: {723AAF16-AF1F-4404-A5D7-0BFE39766605} - c:\docume~1\george~1\applic~1\mozilla\firefox\profiles\bpuh3etg.default\extensions\{723AAF16-AF1F-4404-A5D7-0BFE39766605}
FF - Extension: Auto Copy: {0FED7D55-65D4-47b6-A6DE-9A4ADB55355F} - c:\docume~1\george~1\applic~1\mozilla\firefox\profiles\bpuh3etg.default\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}
FF - Extension: Personas: personas@christopher.beard - c:\docume~1\george~1\applic~1\mozilla\firefox\profiles\bpuh3etg.default\extensions\personas@christopher.beard
FF - Extension: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\docume~1\george~1\applic~1\mozilla\firefox\profiles\bpuh3etg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Extension: Firebug: firebug@software.joehewitt.com - c:\docume~1\george~1\applic~1\mozilla\firefox\profiles\bpuh3etg.default\extensions\firebug@software.joehewitt.com

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2006-5-12 2944]
R3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2006-5-12 60416]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2006-5-12 11008]
R3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2000-2-24 10908]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2009-3-25 28672]
S2 gupdate1c92027b42b3074;Google Update Service (gupdate1c92027b42b3074);c:\program files\google\update\GoogleUpdate.exe [2008-9-26 133104]
S2 PEVSystemStart;PEVSystemStart;c:\oldcombofix\PEV.cfxxe [2010-11-6 256512]
S3 SNPP202;PC Camera (6028 VGA);c:\windows\system32\drivers\snpp202.sys [2010-7-1 236544]

=============== Created Last 30 ================

2010-12-10 02:33:10 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{17385378-c22f-4528-8537-1eb90b850106}\mpengine.dll
2010-12-01 03:30:30 -------- d-----w- C:\TDSSKiller_Quarantine
2010-11-30 19:52:26 -------- d-----w- c:\windows\system32\%APPDATA%
2010-11-10 15:47:58 -------- d-----w- C:\bd_logs

==================== Find3M ====================

2010-11-06 12:30:54 0 ----a-w- c:\windows\Yputeviw.bin
2010-11-03 23:36:29 88064 ----a-w- c:\windows\MBR.exe
2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 10:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 08:29:49 73728 ----a-w- c:\windows\system32\javacpl.cpl

============= FINISH: 6:30:35.23 ===============

ATTACH Log

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-05.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 5/11/2006 04:52:34 PM
System Uptime: 12/6/2010 08:26:01 PM (82 hours ago)

Motherboard: Dell Inc. | | 0WG261
Processor: Intel® Pentium® 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 146 GiB total, 63.595 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: TI Technologies Inc.
Description: RADEON X600 256MB HyperMemory Secondary
Device ID: PCI\VEN_1002&DEV_5B72&SUBSYS_06031002&REV_00\4&1603E009&0&0108
Manufacturer: ATI Technologies Inc.
Name: RADEON X600 256MB HyperMemory Secondary
PNP Device ID: PCI\VEN_1002&DEV_5B72&SUBSYS_06031002&REV_00\4&1603E009&0&0108
Service: ati2mtag

==== System Restore Points ===================

RP1: 10/4/2010 08:18:06 AM - System Checkpoint
RP2: 10/4/2010 11:57:27 AM - Removed Adobe Media Player
RP3: 10/4/2010 11:57:55 AM - Configured CinepPlayer 30 Update
RP4: 10/4/2010 11:58:17 AM - Removed Dell CinePlayer
RP5: 10/4/2010 11:58:54 AM - Removed Games, Music, & Photos Launcher
RP6: 10/4/2010 11:59:52 AM - Removed Microsoft Office Live Meeting 2007
RP7: 10/4/2010 12:01:15 PM - Removed Steam
RP8: 10/4/2010 12:03:07 PM - Removed Windows Live Messenger
RP9: 10/4/2010 12:08:47 PM - Removed EducateU
RP10: 10/4/2010 11:17:40 PM - Software Distribution Service 3.0
RP11: 10/5/2010 10:09:41 PM - Software Distribution Service 3.0
RP12: 10/7/2010 06:38:47 AM - System Checkpoint
RP13: 10/8/2010 06:21:53 AM - Software Distribution Service 3.0
RP14: 10/9/2010 11:57:44 AM - System Checkpoint
RP15: 10/10/2010 02:23:29 PM - Software Distribution Service 3.0
RP16: 10/11/2010 06:39:54 PM - Software Distribution Service 3.0
RP17: 10/12/2010 09:22:33 AM - Removed OpenOffice.org 3.0
RP18: 10/12/2010 09:25:35 AM - Installed OpenOffice.org 3.2
RP19: 10/13/2010 05:15:00 AM - Software Distribution Service 3.0
RP20: 10/14/2010 03:00:27 AM - Software Distribution Service 3.0
RP21: 10/14/2010 01:50:42 PM - Software Distribution Service 3.0
RP22: 10/14/2010 02:04:28 PM - Software Distribution Service 3.0
RP23: 10/15/2010 01:54:41 PM - Software Distribution Service 3.0
RP24: 10/18/2010 11:38:30 AM - Software Distribution Service 3.0
RP25: 10/19/2010 11:41:04 AM - Software Distribution Service 3.0
RP26: 10/20/2010 11:45:09 AM - System Checkpoint
RP27: 10/20/2010 11:57:43 AM - Software Distribution Service 3.0
RP28: 10/21/2010 11:58:07 AM - Software Distribution Service 3.0
RP29: 10/22/2010 11:57:09 AM - Software Distribution Service 3.0
RP30: 10/23/2010 11:57:51 AM - Software Distribution Service 3.0
RP31: 10/24/2010 01:54:22 AM - Software Distribution Service 3.0
RP32: 10/24/2010 11:57:42 AM - Software Distribution Service 3.0
RP33: 10/25/2010 11:58:39 AM - Software Distribution Service 3.0
RP34: 10/26/2010 12:03:14 PM - System Checkpoint
RP35: 10/27/2010 06:23:09 AM - Software Distribution Service 3.0
RP36: 10/27/2010 02:49:55 PM - Printer Driver Microsoft Office Document Image Writer Installed
RP37: 10/28/2010 06:22:42 AM - Software Distribution Service 3.0
RP38: 10/29/2010 06:22:42 AM - Software Distribution Service 3.0
RP39: 10/30/2010 06:23:17 AM - Software Distribution Service 3.0
RP40: 10/31/2010 01:43:02 AM - Software Distribution Service 3.0
RP41: 11/1/2010 02:21:03 AM - System Checkpoint
RP42: 11/1/2010 06:23:26 AM - Software Distribution Service 3.0
RP43: 11/2/2010 06:22:44 AM - Software Distribution Service 3.0
RP44: 11/3/2010 06:23:19 AM - Software Distribution Service 3.0
RP45: 11/4/2010 06:23:57 AM - Software Distribution Service 3.0
RP46: 11/4/2010 09:02:51 AM - Software Distribution Service 3.0
RP47: 11/5/2010 07:09:16 AM - Software Distribution Service 3.0
RP48: 11/5/2010 09:47:46 PM - Software Distribution Service 3.0
RP49: 11/6/2010 06:09:12 PM - Software Distribution Service 3.0
RP50: 11/7/2010 02:30:53 AM - Software Distribution Service 3.0
RP51: 11/7/2010 02:43:12 PM - Software Distribution Service 3.0
RP52: 11/8/2010 03:46:10 PM - System Checkpoint
RP53: 11/8/2010 11:24:24 PM - Software Distribution Service 3.0
RP54: 11/9/2010 07:24:48 AM - Software Distribution Service 3.0
RP55: 11/10/2010 03:00:22 AM - Software Distribution Service 3.0
RP56: 11/10/2010 07:24:51 AM - Software Distribution Service 3.0
RP57: 11/11/2010 03:00:25 AM - Software Distribution Service 3.0
RP58: 11/11/2010 11:27:33 AM - Software Distribution Service 3.0
RP59: 11/12/2010 01:58:01 PM - System Checkpoint
RP60: 11/12/2010 07:53:34 PM - Installed WinZip 15.0
RP61: 11/13/2010 06:15:02 AM - Software Distribution Service 3.0
RP62: 11/14/2010 02:01:06 AM - Software Distribution Service 3.0
RP63: 11/14/2010 11:08:29 PM - Software Distribution Service 3.0
RP64: 11/15/2010 06:12:18 AM - Software Distribution Service 3.0
RP65: 11/15/2010 12:04:23 PM - Installed Java™ 6 Update 22
RP66: 11/16/2010 12:15:08 PM - Software Distribution Service 3.0
RP67: 11/17/2010 12:17:12 PM - Software Distribution Service 3.0
RP68: 11/18/2010 12:15:30 PM - Software Distribution Service 3.0
RP69: 11/19/2010 12:47:37 PM - System Checkpoint
RP70: 11/20/2010 08:21:23 AM - Software Distribution Service 3.0
RP71: 11/21/2010 01:36:05 AM - Software Distribution Service 3.0
RP72: 11/21/2010 02:15:21 PM - Software Distribution Service 3.0
RP73: 11/22/2010 02:16:17 PM - Software Distribution Service 3.0
RP74: 11/22/2010 11:03:11 PM - Software Distribution Service 3.0
RP75: 11/23/2010 02:16:51 PM - Software Distribution Service 3.0
RP76: 11/27/2010 11:38:05 AM - Software Distribution Service 3.0
RP77: 11/28/2010 02:03:49 AM - Software Distribution Service 3.0
RP78: 11/28/2010 11:32:19 AM - Software Distribution Service 3.0
RP79: 11/29/2010 11:34:11 AM - Software Distribution Service 3.0
RP80: 11/30/2010 03:06:32 PM - System Checkpoint
RP81: 12/1/2010 03:38:58 PM - System Checkpoint
RP82: 12/1/2010 09:41:20 PM - Software Distribution Service 3.0
RP83: 12/2/2010 10:05:00 PM - System Checkpoint
RP84: 12/2/2010 10:28:49 PM - Software Distribution Service 3.0
RP85: 12/3/2010 10:23:55 PM - Software Distribution Service 3.0
RP86: 12/4/2010 11:07:42 PM - System Checkpoint
RP87: 12/5/2010 01:47:43 AM - Software Distribution Service 3.0
RP88: 12/5/2010 07:11:19 PM - Software Distribution Service 3.0
RP89: 12/6/2010 11:07:19 AM - Software Distribution Service 3.0
RP90: 12/6/2010 07:11:31 PM - Software Distribution Service 3.0
RP91: 12/7/2010 07:12:04 PM - System Checkpoint
RP92: 12/7/2010 08:32:58 PM - Software Distribution Service 3.0
RP93: 12/8/2010 08:32:47 PM - Software Distribution Service 3.0
RP94: 12/9/2010 08:33:04 PM - Software Distribution Service 3.0

==== Installed Programs ======================

7-Zip 4.57
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 2.0
Adobe Photoshop Elements 4.0
Adobe Reader 7.0.9
Adobe Shockwave Player 11
Amaya
AOLIcon
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AT&T Toolbar
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Bonjour
Business Plan Pro 2002
Cache ODBC
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera WIA Driver
Canon EOS 5D WIA Driver
Canon EOS Kiss REBEL 300D WIA Driver
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities Digital Photo Professional 3.2
Canon Utilities Easy-PhotoPrint EX
Canon Utilities EOS Utility
Canon Utilities File Viewer Utility 1.3
Canon Utilities MyCamera
Canon Utilities Original Data Security Tools
Canon Utilities PhotoStitch
Canon Utilities Picture Style Editor
Canon Utilities RemoteCapture 2.7
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities WFT-E1/E2/E3 Utility
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Carbonite
CCleaner
Compatibility Pack for the 2007 Office system
Conexant D850 56K V.9x DFVc Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell Digital Jukebox Driver
Dell Driver Download Manager
Dell Driver Reset Tool
Dell Media Experience
Dell Support Center (Support Software)
Dell System Restore
DellSupport
Digital Content Portal
Digital Line Detect
Documentation & Support Launcher
ELIcon
ESET Online Scanner v3
Facebook Plug-In
File Viewer Utility 1.3.2
FileZilla Client 3.3.5.1
Google Chrome
Google Earth Plug-in
Google Gears
Google Update Helper
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
ImageMixer 3 SE for SD
ImgBurn
Intel® PRO Network Connections Drivers
Intel® PROSet for Wired Connections
iPhone Configuration Utility
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Java Auto Updater
Java™ 6 Update 22
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1
LameACM
LibUSB-Win32-0.1.12.1
Malwarebytes' Anti-Malware
MalwareRemovalBot
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Baseline Security Analyzer 2.1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Security Essentials
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
Modem Helper
Mozilla Firefox (3.6.12)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Multiple Image Resizer .NET
NetWaiting
NetZeroInstallers
OGA Notifier 2.0.0048.0
OpenOffice.org 3.2
ParetoLogic PC Health Advisor
PC Camera (6028 VGA)
Pdf995 (installed by TaxCut)
PdfEdit995 (installed by TaxCut)
Prism Video Converter
QuickBooks Simple Start Edition
QuickFreedom 1.1.0
QuickTime
RealPlayer
RegCure
RemoteCapture 2.7.5
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sonic Activation Module
SWiSH Max3
SWiSH miniMax3
TaxCut Louisiana 2007
TaxCut Premium + Efile 2008
TaxCut Premium + State 2007
TurboTax Deluxe 2005
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2005
TurboTax ItsDeductible 2006
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
Web-Based Email Tools
WebFldrs XP
WexTech AnswerWorks
Whitesmoke Translator
WildTangent Web Driver
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB895316
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
WinZip 15.0

==== Event Viewer Messages From Past Week ========

12/8/2010 08:24:35 PM, error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:DOS/Alureon.A&threatid=2147636949 User: NT AUTHORITY\SYSTEM Name: Trojan:DOS/Alureon.A ID: 2147636949 Severity: Severe Category: Trojan Path: Action: Remove Error Code: 0x800704ec Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator. Status: To see how to finish removing spyware and other potentially unwanted software, see this support article on the Microsoft Security website. Signature Version: AV: 1.95.1341.0, AS: 1.95.1341.0 Engine Version: 1.1.6402.0
12/8/2010 05:13:13 PM, error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:Java/OpenConnection.HH&threatid=2147639213 User: D5VF0Z91\George Valcho Name: TrojanDownloader:Java/OpenConnection.HH ID: 2147639213 Severity: Severe Category: Trojan Downloader Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.95.1341.0, AS: 1.95.1341.0 Engine Version: 1.1.6402.0
12/8/2010 05:13:13 PM, error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Exploit:Java/CVE-2010-0094.AF&threatid=2147640413 User: D5VF0Z91\George Valcho Name: Exploit:Java/CVE-2010-0094.AF ID: 2147640413 Severity: Severe Category: Exploit Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.95.1341.0, AS: 1.95.1341.0 Engine Version: 1.1.6402.0
12/8/2010 04:17:49 AM, error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:DOS/Alureon.A&threatid=2147636949 User: NT AUTHORITY\SYSTEM Name: Trojan:DOS/Alureon.A ID: 2147636949 Severity: Severe Category: Trojan Path: Action: Remove Error Code: 0x800704ec Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator. Status: To see how to finish removing spyware and other potentially unwanted software, see this support article on the Microsoft Security website. Signature Version: AV: 1.95.1341.0, AS: 1.95.1341.0 Engine Version: 1.1.6402.0
12/8/2010 02:10:24 AM, error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:DOS/Alureon.A&threatid=2147636949 User: NT AUTHORITY\SYSTEM Name: Trojan:DOS/Alureon.A ID: 2147636949 Severity: Severe Category: Trojan Path: Action: Remove Error Code: 0x800704ec Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator. Status: To see how to finish removing spyware and other potentially unwanted software, see this support article on the Microsoft Security website. Signature Version: AV: 1.95.1341.0, AS: 1.95.1341.0 Engine Version: 1.1.6402.0
12/6/2010 11:07:55 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB972696 (Definition 1.95.1256.0).
12/6/2010 11:07:31 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1203.0 Update Source: Microsoft Update Server Update Stage: Install Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80070643 Error description: Fatal error during installation.
12/6/2010 11:07:28 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: 1.95.1256.0 Previous Signature Version: 1.95.1203.0 Update Source: User Update Stage: Install Source Path: Signature Type: AntiVirus Update Type: Delta User: NT AUTHORITY\SYSTEM Current Engine Version: 1.1.6402.0 Previous Engine Version: 1.1.6402.0 Error code: 0x8050a005 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support.
12/6/2010 11:07:28 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: 1.95.1256.0 Previous Signature Version: 1.95.1203.0 Update Source: User Update Stage: Install Source Path: Signature Type: AntiSpyware Update Type: Delta User: NT AUTHORITY\SYSTEM Current Engine Version: 1.1.6402.0 Previous Engine Version: 1.1.6402.0 Error code: 0x8050a005 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support.
12/6/2010 09:53:59 AM, error: Removable Storage Service [111] - RSM could not load media in drive Drive 0 of library Multi Flash Reader USB Device.
12/6/2010 07:12:24 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB972696 (Definition 1.95.1268.0).
12/6/2010 07:11:47 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1203.0 Update Source: Microsoft Update Server Update Stage: Install Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80070643 Error description: Fatal error during installation.
12/6/2010 07:11:43 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: 1.95.1268.0 Previous Signature Version: 1.95.1203.0 Update Source: User Update Stage: Install Source Path: Signature Type: AntiVirus Update Type: Delta User: NT AUTHORITY\SYSTEM Current Engine Version: 1.1.6402.0 Previous Engine Version: 1.1.6402.0 Error code: 0x8050800c Error description: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.
12/6/2010 07:11:43 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: 1.95.1268.0 Previous Signature Version: 1.95.1203.0 Update Source: User Update Stage: Install Source Path: Signature Type: AntiSpyware Update Type: Delta User: NT AUTHORITY\SYSTEM Current Engine Version: 1.1.6402.0 Previous Engine Version: 1.1.6402.0 Error code: 0x8050800c Error description: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.
12/5/2010 07:12:41 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB972696 (Definition 1.95.1218.0).
12/5/2010 07:11:53 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1203.0 Update Source: Microsoft Update Server Update Stage: Install Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80070643 Error description: Fatal error during installation.
12/5/2010 07:11:49 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: 1.95.1218.0 Previous Signature Version: 1.95.1203.0 Update Source: User Update Stage: Install Source Path: Signature Type: AntiVirus Update Type: Delta User: NT AUTHORITY\SYSTEM Current Engine Version: 1.1.6402.0 Previous Engine Version: 1.1.6402.0 Error code: 0x8050800c Error description: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.
12/5/2010 07:11:49 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: 1.95.1218.0 Previous Signature Version: 1.95.1203.0 Update Source: User Update Stage: Install Source Path: Signature Type: AntiSpyware Update Type: Delta User: NT AUTHORITY\SYSTEM Current Engine Version: 1.1.6402.0 Previous Engine Version: 1.1.6402.0 Error code: 0x8050800c Error description: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.
12/4/2010 07:05:49 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the CarboniteService service, but this action failed with the following error: An instance of the service is already running.
12/4/2010 07:04:50 PM, error: Service Control Manager [7031] - The CarboniteService service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/3/2010 01:28:01 AM, error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:DOS/Alureon.A&threatid=2147636949 User: NT AUTHORITY\SYSTEM Name: Trojan:DOS/Alureon.A ID: 2147636949 Severity: Severe Category: Trojan Path: Action: Remove Error Code: 0x800704ec Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator. Status: To see how to finish removing spyware and other potentially unwanted software, see this support article on the Microsoft Security website. Signature Version: AV: 1.95.1065.0, AS: 1.95.1065.0 Engine Version: 1.1.6402.0

==== End Of File ===========================

RootKit Unhooker Report Log

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xBF0C9000 C:\WINDOWS\System32\ati3duag.dll 2637824 bytes (ATI Technologies Inc. , ati3duag.dll)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF7099000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 1560576 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xF6EE3000 C:\WINDOWS\system32\DRIVERS\HSF_DP.sys 1044480 bytes (Conexant Systems, Inc., HSF_DP driver)
0xEEC20000 C:\WINDOWS\system32\drivers\sthda.sys 1015808 bytes (SigmaTel, Inc., NDRC)
0xBF34D000 C:\WINDOWS\System32\ativvaxx.dll 864256 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xF6E3C000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 684032 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xF72B6000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xEE952000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF6D38000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xEEA85000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xEBE66000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 270336 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xBF054000 C:\WINDOWS\System32\ati2cqag.dll 258048 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xBF093000 C:\WINDOWS\System32\atikvmag.dll 221184 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xF7005000 C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys 212992 bytes (Conexant Systems, Inc., HSF_HWB2 WDM driver)
0xF6DBE000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF7423000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xEC419000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF7289000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB8CA0000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xEE9C2000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF705D000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xEEA37000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF73CD000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xF6E16000 C:\WINDOWS\system32\DRIVERS\e100b325.sys 155648 bytes (Intel Corporation, Intel® PRO/100 Adapter NDIS 5.1 driver)
0xEEA5F000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xEB55A000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xEEBFC000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF7039000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF6FE2000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xEEB11000 C:\WINDOWS\system32\DRIVERS\MpFilter.sys 143360 bytes (Microsoft Corporation, Microsoft antimalware file system filter driver)
0xEE9ED000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF7395000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF73F3000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF726F000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF73B5000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xEC7A4000 C:\WINDOWS\System32\DLA\DLAUDFAM.SYS 98304 bytes (Sonic Solutions, Drive Letter Access Component)
0xEE912000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7356000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF6DFF000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xEC7BC000 C:\WINDOWS\System32\DLA\DLAIFS_M.SYS 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xEC78E000 C:\WINDOWS\System32\DLA\DLAUDF_M.SYS 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xF736D000 DRVMCDB.SYS 90112 bytes (Sonic Solutions, Device Driver)
0xEC2EC000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF7085000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xEEADE000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xF7343000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7383000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7412000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF6DEE000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF7792000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF76E2000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF75D2000 C:\WINDOWS\system32\DRIVERS\mf.sys 65536 bytes (Microsoft Corporation, Multifunction Enumerator)
0xF75E2000 C:\WINDOWS\System32\Drivers\BrSerWdm.sys 61440 bytes (Brother Industries Ltd., Brother Serial driver (WDM version))
0xF7662000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF76F2000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xEC4DE000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF7682000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF7592000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF77C2000 C:\WINDOWS\system32\drivers\libusb0.sys 53248 bytes (http://libusb-win32.sourceforge.net, LibUSB-Win32 - Kernel Driver)
0xF7752000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7572000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF77A2000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7762000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF76D2000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7562000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF7782000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF7712000 C:\WINDOWS\System32\Drivers\DRVNDDM.SYS 40960 bytes (Sonic Solutions, Device Driver Manager)
0xF7552000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF7612000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF7602000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF7582000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF77B2000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF7642000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF75C2000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF7732000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xEB74E000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF75A2000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF7722000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF7922000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF786A000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF7872000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF791A000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF78AA000 C:\WINDOWS\System32\DLA\DLABOIOM.SYS 28672 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7852000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF78A2000 C:\DOCUME~1\GEORGE~1\LOCALS~1\Temp\mbr.sys 28672 bytes
0xF77D2000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF787A000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xF784A000 C:\WINDOWS\System32\Drivers\DLARTL_N.SYS 24576 bytes (Sonic Solutions, Shared Driver Component)
0xF792A000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF77EA000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF780A000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF7912000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF785A000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF7862000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF77DA000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7952000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF795A000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF793A000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF7882000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xEB7CA000 C:\WINDOWS\system32\DRIVERS\asyncmac.sys 16384 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0xEC862000 C:\WINDOWS\System32\DLA\DLAOPIOM.SYS 16384 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7A0A000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF7A4A000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xEC6CE000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7962000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF7A12000 C:\WINDOWS\System32\Drivers\BrUsbMdm.sys 12288 bytes (Brother Industries Ltd., Brother USB MDM Driver )
0xF7A0E000 C:\WINDOWS\System32\Drivers\BrUsbScn.sys 12288 bytes (Brother Industries Ltd., Brother USB SCN Driver)
0xF6DBA000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF79FE000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF79F2000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xEBF76000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xF7A02000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF7A2A000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xEEB4C000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xEEB3C000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xF7A90000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7AA8000 C:\WINDOWS\System32\Drivers\DLACDBHM.SYS 8192 bytes (Sonic Solutions, Shared Driver Component)
0xF7AA0000 C:\WINDOWS\System32\DLA\DLAPoolM.SYS 8192 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7A56000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF7A6A000 C:\WINDOWS\system32\DRIVERS\dsunidrv.sys 8192 bytes (Gteko Ltd., GUniDriver)
0xF7A96000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7A88000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7A52000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7A92000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7A94000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7AEE000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7AF8000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7A54000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7C85000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7BEF000 C:\WINDOWS\System32\Drivers\Brfilt.sys 4096 bytes (Brother Industries Ltd., Brother Multi Function Filter driver)
0xF7C8A000 C:\WINDOWS\System32\DLA\DLADResN.SYS 4096 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7BFE000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7B36000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7B1A000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================

#4 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #4$ gringo_pr

Bleepin Gringo

Malware Response Team
136,772 posts
OFFLINE

Gender:Male
Location:Puerto rico
Local time:11:50 PM

Posted 10 December 2010 - 08:28 AM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following
Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #5$ gvalcho

Topic Starter

Members
15 posts
OFFLINE

Local time:09:50 PM

Posted 10 December 2010 - 09:00 AM

Hi Gringo, the PC is doing well. It always runs well between invasions. I have Microsoft Essentials active and it stopped a virus the other day, but it did not list the name of the virus. I also run MS Essentials and MalwareBytes scans regularly. They have not found anything since my inital post.

When I ran ComboFix I received the following error message "Freeware implemenation of REG.EXE has encountered a problem and needs to close." The popup wanted to send an error report to MS. I clicked "don't send" but the window continued to pop back up. The window never went away until ComboFix finished.

The ComboFix log is inserted below:

ComboFix 10-12-09.02 - George Valcho 12/10/2010 7:38.12.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.558 [GMT -6:00]
Running from: c:\documents and settings\George Valcho\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((( Files Created from 2010-11-10 to 2010-12-10 )))))))))))))))))))))))))))))))
.

2010-12-10 13:08 . 2010-11-10 04:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{93CDAD98-E933-4D89-AC5D-9EAF9BB1977C}\mpengine.dll
2010-12-01 03:30 . 2010-12-01 03:30 -------- d-----w- C:\TDSSKiller_Quarantine
2010-11-30 19:52 . 2010-11-30 19:52 -------- d-----w- c:\windows\system32\%APPDATA%
2010-11-10 15:47 . 2010-11-30 12:21 -------- d-----w- C:\bd_logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 23:42 . 2010-07-08 03:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 23:42 . 2010-07-08 03:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-10 04:33 . 2010-10-03 21:02 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-10-19 20:51 . 2010-10-01 19:01 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-18 17:23 . 2004-08-11 22:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-11 22:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-11 22:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-11 22:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 10:50 . 2010-06-12 11:20 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 08:29 . 2007-07-03 01:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
.

<pre>
c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                    .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Dell Support Center\bin\sprtcmd .exe
c:\program files\DellSupport\DSAgnt .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Malwarebytes' Anti-Malware\mbam   .exe
c:\program files\MSN Messenger\msnmsgr .exe
c:\program files\QuickTime\QTTask                                                      .exe
c:\windows\system32\rundll32 .exe
</pre>

((((((((((((((((((((((((((((( SnapShot_2010-10-10_19.09.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-07 02:26 . 2010-12-07 02:26 16384 c:\windows\Temp\Perflib_Perfdata_420.dat
+ 2010-12-07 02:26 . 2010-12-07 02:26 16384 c:\windows\Temp\Perflib_Perfdata_174.dat
+ 2004-08-11 22:00 . 2010-08-27 05:57 99840 c:\windows\system32\srvsvc.dll
+ 2010-04-15 19:32 . 2010-02-22 14:23 17272 c:\windows\system32\spmsg.dll
- 2010-04-15 19:32 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
- 2004-08-11 22:00 . 2010-10-10 12:43 72576 c:\windows\system32\perfc009.dat
+ 2004-08-11 22:00 . 2010-11-08 13:24 72576 c:\windows\system32\perfc009.dat
- 2004-08-11 22:00 . 2009-03-08 09:31 66560 c:\windows\system32\mshtmled.dll
+ 2004-08-11 22:00 . 2010-09-10 05:58 66560 c:\windows\system32\mshtmled.dll
+ 2006-10-27 21:09 . 2010-09-10 05:58 55296 c:\windows\system32\msfeedsbs.dll
- 2006-10-27 21:09 . 2010-06-24 12:21 55296 c:\windows\system32\msfeedsbs.dll
+ 2009-10-11 21:28 . 2010-10-30 00:12 39684 c:\windows\system32\mlfcache.dat
+ 2004-08-11 22:00 . 2010-09-10 05:58 43520 c:\windows\system32\licmgr10.dll
- 2004-08-11 22:00 . 2010-06-24 12:21 25600 c:\windows\system32\jsproxy.dll
+ 2004-08-11 22:00 . 2010-09-10 05:58 25600 c:\windows\system32\jsproxy.dll
- 2009-06-15 12:49 . 2010-06-24 12:22 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2009-06-15 12:49 . 2010-09-10 05:58 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2010-08-27 05:57 . 2010-08-27 05:57 99840 c:\windows\system32\dllcache\srvsvc.dll
+ 2006-05-10 05:25 . 2010-09-10 05:58 66560 c:\windows\system32\dllcache\mshtmled.dll
- 2006-05-10 05:25 . 2009-03-08 09:31 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2007-05-09 09:20 . 2010-09-10 05:58 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-05-09 09:20 . 2010-06-24 12:21 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2006-10-17 19:05 . 2010-09-10 05:58 43520 c:\windows\system32\dllcache\licmgr10.dll
+ 2006-05-10 05:25 . 2010-09-10 05:58 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2006-05-10 05:25 . 2010-06-24 12:21 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2010-10-16 16:03 . 2010-10-16 16:03 21504 c:\windows\Installer\9b61296.msi
+ 2010-11-13 01:55 . 2010-11-13 01:55 29184 c:\windows\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240BE}\IconCD95F6617.exe
- 2010-06-10 08:21 . 2010-06-10 08:21 49936 c:\windows\Installer\{95120000-00AF-0409-0000-0000000FF1CE}\ppvwicon.exe
+ 2010-11-11 09:06 . 2010-11-11 09:06 49936 c:\windows\Installer\{95120000-00AF-0409-0000-0000000FF1CE}\ppvwicon.exe
+ 2006-05-09 20:18 . 2010-11-11 09:06 23040 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2006-05-09 20:18 . 2010-10-10 12:42 23040 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2006-05-09 20:18 . 2010-11-11 09:06 27136 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2006-05-09 20:18 . 2010-10-10 12:42 27136 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2006-05-09 20:18 . 2010-11-11 09:06 11264 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2006-05-09 20:18 . 2010-10-10 12:42 11264 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2006-05-09 20:18 . 2010-10-10 12:42 12288 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2006-05-09 20:18 . 2010-11-11 09:06 12288 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2010-11-11 09:06 . 2010-11-11 09:06 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
- 2010-08-12 11:57 . 2010-08-12 11:57 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2010-10-14 08:04 . 2010-06-24 12:22 12800 c:\windows\ie8updates\KB2360131-IE8\xpshims.dll
+ 2010-10-14 08:04 . 2009-03-08 09:31 66560 c:\windows\ie8updates\KB2360131-IE8\mshtmled.dll
+ 2010-10-14 08:04 . 2010-06-24 12:21 55296 c:\windows\ie8updates\KB2360131-IE8\msfeedsbs.dll
+ 2010-10-14 08:04 . 2009-03-08 09:34 43008 c:\windows\ie8updates\KB2360131-IE8\licmgr10.dll
+ 2010-10-14 08:04 . 2010-06-24 12:21 25600 c:\windows\ie8updates\KB2360131-IE8\jsproxy.dll
+ 2010-10-12 14:26 . 2010-10-12 14:26 11264 c:\windows\assembly\GAC_MSIL\cli_basetypes\1.0.17.0__ce2cb7e279207b9e\cli_basetypes.dll
+ 2010-10-12 14:26 . 2010-10-12 14:26 64000 c:\windows\assembly\GAC_32\cli_cppuhelper\1.0.20.0__ce2cb7e279207b9e\cli_cppuhelper.dll
+ 2010-10-14 08:06 . 2008-04-14 00:12 96768 c:\windows\$NtUninstallKB2345886$\srvsvc.dll
+ 2010-10-14 08:05 . 2009-05-26 11:40 26488 c:\windows\$hf_mig$\KB982132\update\spcustom.dll
+ 2010-10-14 08:05 . 2009-05-26 11:40 17272 c:\windows\$hf_mig$\KB982132\spmsg.dll
+ 2010-10-14 08:03 . 2010-02-22 14:23 26488 c:\windows\$hf_mig$\KB981957\update\spcustom.dll
+ 2010-10-14 08:03 . 2010-02-22 14:23 17272 c:\windows\$hf_mig$\KB981957\spmsg.dll
+ 2010-10-14 08:04 . 2009-05-26 09:01 26488 c:\windows\$hf_mig$\KB979687\update\spcustom.dll
+ 2010-10-14 08:04 . 2009-05-26 09:01 17272 c:\windows\$hf_mig$\KB979687\spmsg.dll
+ 2010-10-14 08:06 . 2010-02-22 14:23 26488 c:\windows\$hf_mig$\KB2387149\update\spcustom.dll
+ 2010-10-14 08:06 . 2010-02-22 14:23 17272 c:\windows\$hf_mig$\KB2387149\spmsg.dll
+ 2010-10-14 08:02 . 2010-02-22 14:23 26488 c:\windows\$hf_mig$\KB2360937\update\spcustom.dll
+ 2010-10-14 08:02 . 2010-02-22 14:23 17272 c:\windows\$hf_mig$\KB2360937\spmsg.dll
+ 2010-10-14 08:04 . 2009-05-26 09:01 26488 c:\windows\$hf_mig$\KB2360131-IE8\update\spcustom.dll
+ 2010-10-14 08:04 . 2009-05-26 09:01 17272 c:\windows\$hf_mig$\KB2360131-IE8\spmsg.dll
+ 2010-10-13 20:48 . 2010-09-10 05:57 12800 c:\windows\$hf_mig$\KB2360131-IE8\SP3QFE\xpshims.dll
+ 2010-10-13 20:48 . 2010-09-10 05:57 66560 c:\windows\$hf_mig$\KB2360131-IE8\SP3QFE\mshtmled.dll
+ 2010-10-13 20:48 . 2010-09-10 05:57 55296 c:\windows\$hf_mig$\KB2360131-IE8\SP3QFE\msfeedsbs.dll
+ 2010-10-13 20:48 . 2010-09-10 05:57 43520 c:\windows\$hf_mig$\KB2360131-IE8\SP3QFE\licmgr10.dll
+ 2010-10-13 20:48 . 2010-09-10 05:57 25600 c:\windows\$hf_mig$\KB2360131-IE8\SP3QFE\jsproxy.dll
+ 2010-10-14 08:06 . 2010-02-22 14:23 26488 c:\windows\$hf_mig$\KB2345886\update\spcustom.dll
+ 2010-10-14 08:06 . 2010-02-22 14:23 17272 c:\windows\$hf_mig$\KB2345886\spmsg.dll
+ 2010-08-27 06:05 . 2010-08-27 06:05 99840 c:\windows\$hf_mig$\KB2345886\SP3QFE\srvsvc.dll
+ 2010-10-14 08:06 . 2010-02-22 14:23 26488 c:\windows\$hf_mig$\KB2279986\update\spcustom.dll
+ 2010-10-14 08:06 . 2010-02-22 14:23 17272 c:\windows\$hf_mig$\KB2279986\spmsg.dll
+ 2009-04-16 03:28 . 2010-08-26 12:52 5120 c:\windows\system32\xpsp4res.dll
- 2009-04-16 03:28 . 2010-07-22 05:57 5120 c:\windows\system32\xpsp4res.dll
- 2006-05-09 20:18 . 2010-10-10 12:42 4096 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2006-05-09 20:18 . 2010-11-11 09:06 4096 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2010-10-12 14:26 . 2010-10-12 14:26 3072 c:\windows\assembly\GAC_MSIL\policy.1.0.cli_uretypes\6.0.0.0__ce2cb7e279207b9e\policy.1.0.cli_uretypes.dll
+ 2010-10-12 14:26 . 2010-10-12 14:26 3072 c:\windows\assembly\GAC_MSIL\policy.1.0.cli_ure\20.0.0.0__ce2cb7e279207b9e\policy.1.0.cli_ure.dll
+ 2010-10-12 14:27 . 2010-10-12 14:27 3072 c:\windows\assembly\GAC_MSIL\policy.1.0.cli_oootypes\6.0.0.0__ce2cb7e279207b9e\policy.1.0.cli_oootypes.dll
+ 2010-10-12 14:26 . 2010-10-12 14:26 3072 c:\windows\assembly\GAC_MSIL\policy.1.0.cli_basetypes\17.0.0.0__ce2cb7e279207b9e\policy.1.0.cli_basetypes.dll
+ 2010-10-12 14:26 . 2010-10-12 14:26 7680 c:\windows\assembly\GAC_MSIL\cli_ure\1.0.20.0__ce2cb7e279207b9e\cli_ure.dll
+ 2010-10-12 14:27 . 2010-10-12 14:27 3072 c:\windows\assembly\GAC_32\policy.1.0.cli_cppuhelper\20.0.0.0__ce2cb7e279207b9e\policy.1.0.cli_cppuhelper.dll
+ 2010-10-14 08:02 . 2010-07-22 05:57 5120 c:\windows\$NtUninstallKB2360937$\xpsp4res.dll
+ 2010-10-14 08:06 . 2010-08-13 12:53 5120 c:\windows\$NtUninstallKB2345886$\xpsp4res.dll
+ 2010-07-12 12:53 . 2010-07-12 12:53 5120 c:\windows\$hf_mig$\KB979687\SP3QFE\xpsp4res.dll
+ 2010-10-13 20:45 . 2010-08-13 12:53 5120 c:\windows\$hf_mig$\KB2360937\SP3QFE\xpsp4res.dll
+ 2010-08-26 12:52 . 2010-08-26 12:52 5120 c:\windows\$hf_mig$\KB2345886\SP3QFE\xpsp4res.dll
+ 2004-08-11 22:00 . 2010-09-10 05:58 916480 c:\windows\system32\wininet.dll
- 2004-08-11 22:00 . 2010-06-24 12:22 916480 c:\windows\system32\wininet.dll
+ 2004-08-11 22:00 . 2010-08-27 08:02 119808 c:\windows\system32\t2embed.dll
- 2004-08-11 22:00 . 2009-10-15 16:28 119808 c:\windows\system32\t2embed.dll
+ 2004-08-11 22:00 . 2010-08-16 08:45 590848 c:\windows\system32\rpcrt4.dll
- 2004-08-11 22:00 . 2010-07-22 15:49 590848 c:\windows\system32\rpcrt4.dll
- 2004-08-11 22:00 . 2010-10-10 12:43 445370 c:\windows\system32\perfh009.dat
+ 2004-08-11 22:00 . 2010-11-08 13:24 445370 c:\windows\system32\perfh009.dat
+ 2004-08-11 22:00 . 2010-09-10 05:58 206848 c:\windows\system32\occache.dll
- 2004-08-11 22:00 . 2010-06-24 12:22 206848 c:\windows\system32\occache.dll
+ 2004-08-11 22:00 . 2010-09-10 05:58 611840 c:\windows\system32\mstime.dll
- 2004-08-11 22:00 . 2010-06-24 12:22 611840 c:\windows\system32\mstime.dll
+ 2006-10-27 21:09 . 2010-09-10 05:58 602112 c:\windows\system32\msfeeds.dll
+ 2010-11-15 18:14 . 2010-11-15 18:14 233936 c:\windows\system32\Macromed\Flash\FlashUtil10l_Plugin.exe
+ 2010-11-05 12:59 . 2010-11-05 12:59 233936 c:\windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
+ 2010-11-05 12:59 . 2010-11-05 12:59 311248 c:\windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.dll
- 2010-08-12 14:02 . 2010-07-17 10:00 153376 c:\windows\system32\javaws.exe
+ 2010-11-15 18:04 . 2010-09-15 10:50 153376 c:\windows\system32\javaws.exe
- 2010-08-12 14:02 . 2010-07-17 10:00 145184 c:\windows\system32\javaw.exe
+ 2010-11-15 18:04 . 2010-09-15 10:50 145184 c:\windows\system32\javaw.exe
+ 2010-11-15 18:04 . 2010-09-15 10:50 145184 c:\windows\system32\java.exe
- 2010-08-12 14:02 . 2010-07-17 10:00 145184 c:\windows\system32\java.exe
+ 2004-08-11 22:00 . 2010-09-10 05:58 184320 c:\windows\system32\iepeers.dll
- 2004-08-11 22:00 . 2010-06-24 12:21 184320 c:\windows\system32\iepeers.dll
- 2004-08-11 22:00 . 2010-06-24 12:21 387584 c:\windows\system32\iedkcs32.dll
+ 2004-08-11 22:00 . 2010-09-10 05:58 387584 c:\windows\system32\iedkcs32.dll
- 2004-08-11 22:00 . 2010-06-23 12:08 173056 c:\windows\system32\ie4uinit.exe
+ 2004-08-11 22:00 . 2010-08-26 12:22 173056 c:\windows\system32\ie4uinit.exe
+ 2004-08-11 22:06 . 2010-11-04 12:58 241672 c:\windows\system32\FNTCACHE.DAT
+ 2006-05-09 19:53 . 2010-08-26 13:39 357248 c:\windows\system32\drivers\srv.sys
+ 2009-04-16 03:28 . 2010-07-12 12:55 218112 c:\windows\system32\dllcache\wordpad.exe
+ 2006-05-10 05:25 . 2010-09-10 05:58 916480 c:\windows\system32\dllcache\wininet.dll
- 2006-05-10 05:25 . 2010-06-24 12:22 916480 c:\windows\system32\dllcache\wininet.dll
- 2009-06-16 14:36 . 2009-10-15 16:28 119808 c:\windows\system32\dllcache\t2embed.dll
+ 2009-06-16 14:36 . 2010-08-27 08:02 119808 c:\windows\system32\dllcache\t2embed.dll
+ 2008-10-15 05:32 . 2010-08-26 13:39 357248 c:\windows\system32\dllcache\srv.sys
+ 2009-04-15 14:51 . 2010-08-16 08:45 590848 c:\windows\system32\dllcache\rpcrt4.dll
- 2009-04-15 14:51 . 2010-07-22 15:49 590848 c:\windows\system32\dllcache\rpcrt4.dll
- 2006-10-17 19:04 . 2010-06-24 12:22 206848 c:\windows\system32\dllcache\occache.dll
+ 2006-10-17 19:04 . 2010-09-10 05:58 206848 c:\windows\system32\dllcache\occache.dll
- 2006-05-10 05:25 . 2010-06-24 12:22 611840 c:\windows\system32\dllcache\mstime.dll
+ 2006-05-10 05:25 . 2010-09-10 05:58 611840 c:\windows\system32\dllcache\mstime.dll
+ 2007-05-09 09:20 . 2010-09-10 05:58 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2006-10-14 08:13 . 2010-09-18 17:23 974848 c:\windows\system32\dllcache\mfc42u.dll
+ 2010-10-13 20:54 . 2010-09-18 06:53 974848 c:\windows\system32\dllcache\mfc42.dll
+ 2010-10-13 20:54 . 2010-09-18 06:53 953856 c:\windows\system32\dllcache\mfc40u.dll
+ 2010-10-13 20:54 . 2010-09-18 06:53 954368 c:\windows\system32\dllcache\mfc40.dll
+ 2009-06-15 12:49 . 2010-09-10 05:58 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2009-06-15 12:49 . 2010-06-24 12:21 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2006-05-10 05:25 . 2010-06-24 12:21 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2006-05-10 05:25 . 2010-09-10 05:58 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2010-06-09 09:36 . 2010-09-10 05:58 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2010-06-09 09:36 . 2010-06-24 12:21 743424 c:\windows\system32\dllcache\iedvtool.dll
+ 2006-10-27 08:44 . 2010-09-10 05:58 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2006-10-27 08:44 . 2010-06-24 12:21 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2006-10-27 08:44 . 2010-06-23 12:08 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2006-10-27 08:44 . 2010-08-26 12:22 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2010-10-13 20:54 . 2010-08-23 16:12 617472 c:\windows\system32\dllcache\comctl32.dll
+ 2010-04-20 05:30 . 2010-09-01 11:51 285824 c:\windows\system32\dllcache\atmfd.dll
- 2004-08-11 22:00 . 2008-04-14 00:11 617472 c:\windows\system32\comctl32.dll
+ 2004-08-11 22:00 . 2010-08-23 16:12 617472 c:\windows\system32\comctl32.dll
+ 2004-08-11 22:00 . 2010-09-01 11:51 285824 c:\windows\system32\atmfd.dll
+ 2010-11-30 19:52 . 2010-07-07 09:45 807744 c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.exe
+ 2010-11-30 19:52 . 2010-07-07 09:45 581440 c:\windows\system32\%APPDATA%\WhiteSmokeSetup\ISSetup.dll
+ 2010-10-14 08:05 . 2010-10-14 08:05 264192 c:\windows\Installer\4b871c9.msi
+ 2010-11-13 01:55 . 2010-11-13 01:55 632320 c:\windows\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240BE}\IconCD95F66110.exe
- 2006-05-09 20:18 . 2010-10-10 12:42 409600 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-05-09 20:18 . 2010-11-11 09:06 409600 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2006-05-09 20:18 . 2010-10-10 12:42 286720 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2006-05-09 20:18 . 2010-11-11 09:06 286720 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2006-05-09 20:18 . 2010-11-11 09:06 794624 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2006-05-09 20:18 . 2010-10-10 12:42 794624 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2006-05-09 20:18 . 2010-10-10 12:42 135168 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2006-05-09 20:18 . 2010-11-11 09:06 135168 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2010-09-16 23:45 . 2010-09-16 23:45 380928 c:\windows\Installer\{350FB27C-CF62-4EF3-AF9D-70FF313FE221}\iTunesIco.exe
+ 2010-09-16 23:45 . 2010-10-27 01:16 380928 c:\windows\Installer\{350FB27C-CF62-4EF3-AF9D-70FF313FE221}\iTunesIco.exe
+ 2010-10-14 08:04 . 2010-06-24 12:22 916480 c:\windows\ie8updates\KB2360131-IE8\wininet.dll
+ 2010-10-14 08:04 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2360131-IE8\spuninst\updspapi.dll
+ 2010-10-14 08:04 . 2009-05-26 09:01 231288 c:\windows\ie8updates\KB2360131-IE8\spuninst\spuninst.exe
+ 2010-10-14 08:04 . 2010-06-24 12:22 206848 c:\windows\ie8updates\KB2360131-IE8\occache.dll
+ 2010-10-14 08:04 . 2010-06-24 12:22 611840 c:\windows\ie8updates\KB2360131-IE8\mstime.dll
+ 2010-10-14 08:04 . 2010-06-24 12:21 599040 c:\windows\ie8updates\KB2360131-IE8\msfeeds.dll
+ 2010-10-14 08:04 . 2010-06-24 12:21 247808 c:\windows\ie8updates\KB2360131-IE8\ieproxy.dll
+ 2010-10-14 08:04 . 2010-06-24 12:21 184320 c:\windows\ie8updates\KB2360131-IE8\iepeers.dll
+ 2010-10-14 08:04 . 2010-06-24 12:21 743424 c:\windows\ie8updates\KB2360131-IE8\iedvtool.dll
+ 2010-10-14 08:04 . 2010-06-24 12:21 387584 c:\windows\ie8updates\KB2360131-IE8\iedkcs32.dll
+ 2010-10-14 08:04 . 2010-06-23 12:08 173056 c:\windows\ie8updates\KB2360131-IE8\ie4uinit.exe
+ 2010-10-12 14:26 . 2010-10-12 14:26 118784 c:\windows\assembly\GAC_MSIL\cli_uretypes\1.0.6.0__ce2cb7e279207b9e\cli_uretypes.dll
+ 2010-10-12 14:26 . 2010-10-12 14:26 856064 c:\windows\assembly\GAC_MSIL\cli_oootypes\1.0.6.0__ce2cb7e279207b9e\cli_oootypes.dll
+ 2010-10-14 08:05 . 2009-10-15 16:28 119808 c:\windows\$NtUninstallKB982132$\t2embed.dll
+ 2010-10-14 08:05 . 2009-05-26 11:40 382840 c:\windows\$NtUninstallKB982132$\spuninst\updspapi.dll
+ 2010-10-14 08:05 . 2009-05-26 11:40 231288 c:\windows\$NtUninstallKB982132$\spuninst\spuninst.exe
+ 2010-10-14 08:03 . 2010-02-22 14:23 382840 c:\windows\$NtUninstallKB981957$\spuninst\updspapi.dll
+ 2010-10-14 08:03 . 2010-02-22 14:23 231288 c:\windows\$NtUninstallKB981957$\spuninst\spuninst.exe
+ 2010-10-14 08:04 . 2008-04-21 12:08 215552 c:\windows\$NtUninstallKB979687$\wordpad.exe
+ 2010-10-14 08:04 . 2009-05-26 11:40 382840 c:\windows\$NtUninstallKB979687$\spuninst\updspapi.dll
+ 2010-10-14 08:04 . 2009-05-26 09:01 231288 c:\windows\$NtUninstallKB979687$\spuninst\spuninst.exe
+ 2010-10-14 08:06 . 2010-02-22 14:23 382840 c:\windows\$NtUninstallKB2387149$\spuninst\updspapi.dll
+ 2010-10-14 08:06 . 2010-02-22 14:23 231288 c:\windows\$NtUninstallKB2387149$\spuninst\spuninst.exe
+ 2010-10-14 08:06 . 2006-10-14 08:13 981760 c:\windows\$NtUninstallKB2387149$\mfc42u.dll
+ 2010-10-14 08:06 . 2008-04-14 00:11 927504 c:\windows\$NtUninstallKB2387149$\mfc40u.dll
+ 2010-10-14 08:06 . 2004-08-04 10:00 924432 c:\windows\$NtUninstallKB2387149$\mfc40.dll
+ 2010-10-14 08:05 . 2007-07-28 04:11 382840 c:\windows\$NtUninstallKB2378111_WM9$\spuninst\updspapi.dll
+ 2010-10-14 08:05 . 2007-07-28 04:11 231288 c:\windows\$NtUninstallKB2378111_WM9$\spuninst\spuninst.exe
+ 2010-10-14 08:02 . 2010-02-22 14:23 382840 c:\windows\$NtUninstallKB2360937$\spuninst\updspapi.dll
+ 2010-10-14 08:02 . 2010-02-22 14:23 231288 c:\windows\$NtUninstallKB2360937$\spuninst\spuninst.exe
+ 2010-10-14 08:02 . 2010-07-22 15:49 590848 c:\windows\$NtUninstallKB2360937$\rpcrt4.dll
+ 2010-10-14 08:06 . 2010-06-21 15:27 354304 c:\windows\$NtUninstallKB2345886$\srv.sys
+ 2010-10-14 08:06 . 2010-02-22 14:23 382840 c:\windows\$NtUninstallKB2345886$\spuninst\updspapi.dll
+ 2010-10-14 08:06 . 2010-02-22 14:23 231288 c:\windows\$NtUninstallKB2345886$\spuninst\spuninst.exe
+ 2010-10-14 08:06 . 2009-05-26 09:01 382840 c:\windows\$NtUninstallKB2296011$\spuninst\updspapi.dll
+ 2010-10-14 08:06 . 2009-05-26 09:01 231288 c:\windows\$NtUninstallKB2296011$\spuninst\spuninst.exe
+ 2010-10-14 08:06 . 2008-04-14 00:11 617472 c:\windows\$NtUninstallKB2296011$\comctl32.dll
+ 2010-10-14 08:06 . 2010-07-05 13:16 382840 c:\windows\$NtUninstallKB2279986$\spuninst\updspapi.dll
+ 2010-10-14 08:06 . 2010-02-22 14:23 231288 c:\windows\$NtUninstallKB2279986$\spuninst\spuninst.exe
+ 2010-10-14 08:06 . 2010-04-20 05:30 285696 c:\windows\$NtUninstallKB2279986$\atmfd.dll
+ 2010-10-14 08:05 . 2009-05-26 11:40 382840 c:\windows\$hf_mig$\KB982132\update\updspapi.dll
+ 2010-10-14 08:05 . 2009-05-26 11:40 755576 c:\windows\$hf_mig$\KB982132\update\update.exe
+ 2010-10-14 08:05 . 2009-05-26 11:40 231288 c:\windows\$hf_mig$\KB982132\spuninst.exe
+ 2010-08-27 08:01 . 2010-08-27 08:01 119808 c:\windows\$hf_mig$\KB982132\SP3QFE\t2embed.dll
+ 2010-10-14 08:03 . 2010-02-22 14:23 382840 c:\windows\$hf_mig$\KB981957\update\updspapi.dll
+ 2010-10-14 08:03 . 2010-02-22 14:23 755576 c:\windows\$hf_mig$\KB981957\update\update.exe
+ 2010-10-14 08:03 . 2010-02-22 14:23 231288 c:\windows\$hf_mig$\KB981957\spuninst.exe
+ 2010-10-14 08:04 . 2009-05-26 11:40 382840 c:\windows\$hf_mig$\KB979687\update\updspapi.dll
+ 2010-10-14 08:04 . 2009-05-26 11:40 755576 c:\windows\$hf_mig$\KB979687\update\update.exe
+ 2010-10-14 08:04 . 2009-05-26 09:01 231288 c:\windows\$hf_mig$\KB979687\spuninst.exe
+ 2010-07-12 13:02 . 2010-07-12 13:02 218112 c:\windows\$hf_mig$\KB979687\SP3QFE\wordpad.exe
+ 2010-10-14 08:06 . 2010-02-22 14:23 382840 c:\windows\$hf_mig$\KB2387149\update\updspapi.dll
+ 2010-10-14 08:06 . 2010-07-05 13:15 755576 c:\windows\$hf_mig$\KB2387149\update\update.exe
+ 2010-10-14 08:06 . 2010-02-22 14:23 231288 c:\windows\$hf_mig$\KB2387149\spuninst.exe
+ 2010-10-13 20:54 . 2010-09-18 07:18 974848 c:\windows\$hf_mig$\KB2387149\SP3QFE\mfc42u.dll
+ 2010-10-13 20:54 . 2010-09-18 07:18 974848 c:\windows\$hf_mig$\KB2387149\SP3QFE\mfc42.dll
+ 2010-10-13 20:54 . 2010-09-18 07:18 953856 c:\windows\$hf_mig$\KB2387149\SP3QFE\mfc40u.dll
+ 2010-10-13 20:54 . 2010-09-18 07:18 954368 c:\windows\$hf_mig$\KB2387149\SP3QFE\mfc40.dll
+ 2010-10-14 08:02 . 2010-02-22 14:23 382840 c:\windows\$hf_mig$\KB2360937\update\updspapi.dll
+ 2010-10-14 08:02 . 2010-02-22 14:23 755576 c:\windows\$hf_mig$\KB2360937\update\update.exe
+ 2010-10-14 08:02 . 2010-02-22 14:23 231288 c:\windows\$hf_mig$\KB2360937\spuninst.exe
+ 2010-10-13 20:45 . 2010-08-16 08:43 590848 c:\windows\$hf_mig$\KB2360937\SP3QFE\rpcrt4.dll
+ 2010-10-14 08:04 . 2010-07-05 13:16 382840 c:\windows\$hf_mig$\KB2360131-IE8\update\updspapi.dll
+ 2010-10-14 08:04 . 2009-05-26 09:01 755576 c:\windows\$hf_mig$\KB2360131-IE8\update\update.exe
+ 2010-10-14 08:04 . 2009-05-26 09:01 231288 c:\windows\$hf_mig$\KB2360131-IE8\spuninst.exe
+ 2010-10-13 20:48 . 2010-09-10 05:57 919552 c:\windows\$hf_mig$\KB2360131-IE8\SP3QFE\wininet.dll
+ 2010-10-13 20:48 . 2010-09-10 05:57 206848 c:\windows\$hf_mig$\KB2360131-IE8\SP3QFE\occache.dll
+ 2010-10-13 20:48 . 2010-09-10 05:57 611840 c:\windows\$hf_mig$\KB2360131-IE8\SP3QFE\mstime.dll
+ 2010-10-13 20:48 . 2010-09-10 05:57 602112 c:\windows\$hf_mig$\KB2360131-IE8\SP3QFE\msfeeds.dll
+ 2010-10-13 20:48 . 2010-09-10 05:57 247808 c:\windows\$hf_mig$\KB2360131-IE8\SP3QFE\ieproxy.dll
+ 2010-10-13 20:48 . 2010-09-10 05:57 184320 c:\windows\$hf_mig$\KB2360131-IE8\SP3QFE\iepeers.dll
+ 2010-10-13 20:48 . 2010-09-10 05:57 743424 c:\windows\$hf_mig$\KB2360131-IE8\SP3QFE\iedvtool.dll
+ 2010-10-13 20:48 . 2010-09-10 05:57 387584 c:\windows\$hf_mig$\KB2360131-IE8\SP3QFE\iedkcs32.dll
+ 2010-10-13 20:48 . 2010-09-08 15:48 173056 c:\windows\$hf_mig$\KB2360131-IE8\SP3QFE\ie4uinit.exe
+ 2010-10-14 08:06 . 2010-02-22 14:23 382840 c:\windows\$hf_mig$\KB2345886\update\updspapi.dll
+ 2010-10-14 08:06 . 2010-02-22 14:23 755576 c:\windows\$hf_mig$\KB2345886\update\update.exe
+ 2010-10-14 08:06 . 2010-02-22 14:23 231288 c:\windows\$hf_mig$\KB2345886\spuninst.exe
+ 2010-08-26 13:37 . 2010-08-26 13:37 357248 c:\windows\$hf_mig$\KB2345886\SP3QFE\srv.sys
+ 2010-10-14 08:06 . 2010-07-05 13:16 382840 c:\windows\$hf_mig$\KB2279986\update\updspapi.dll
+ 2010-10-14 08:06 . 2010-07-05 13:15 755576 c:\windows\$hf_mig$\KB2279986\update\update.exe
+ 2010-10-14 08:06 . 2010-02-22 14:23 231288 c:\windows\$hf_mig$\KB2279986\spuninst.exe
+ 2010-09-01 11:48 . 2010-09-01 11:48 285824 c:\windows\$hf_mig$\KB2279986\SP3QFE\atmfd.dll
+ 2010-10-13 20:54 . 2010-08-23 16:12 1054208 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
+ 2004-08-11 22:00 . 2010-08-31 13:42 1852800 c:\windows\system32\win32k.sys
+ 2004-08-11 22:00 . 2010-09-10 05:58 1210880 c:\windows\system32\urlmon.dll
+ 2004-08-11 22:00 . 2010-07-16 12:05 1288192 c:\windows\system32\ole32.dll
+ 2004-08-11 22:00 . 2010-09-10 05:58 5957120 c:\windows\system32\mshtml.dll
+ 2010-01-27 01:07 . 2010-11-15 18:14 5971408 c:\windows\system32\Macromed\Flash\NPSWF32.dll
- 2006-10-17 18:57 . 2010-06-24 12:21 1986560 c:\windows\system32\iertutil.dll
+ 2006-10-17 18:57 . 2010-09-10 05:58 1986560 c:\windows\system32\iertutil.dll
+ 2008-10-15 04:59 . 2010-08-31 13:42 1852800 c:\windows\system32\dllcache\win32k.sys
+ 2006-05-10 05:25 . 2010-09-10 05:58 1210880 c:\windows\system32\dllcache\urlmon.dll
+ 2010-07-16 12:05 . 2010-07-16 12:05 1288192 c:\windows\system32\dllcache\ole32.dll
+ 2006-05-19 15:06 . 2010-09-10 05:58 5957120 c:\windows\system32\dllcache\mshtml.dll
+ 2007-05-09 09:20 . 2010-09-10 05:58 1986560 c:\windows\system32\dllcache\iertutil.dll
- 2007-05-09 09:20 . 2010-06-24 12:21 1986560 c:\windows\system32\dllcache\iertutil.dll
+ 2010-10-12 14:28 . 2010-10-12 14:28 3091456 c:\windows\Installer\aaf6a8.msi
+ 2010-10-22 19:25 . 2010-10-22 19:25 5521408 c:\windows\Installer\96037ce.msp
+ 2010-08-13 22:59 . 2010-08-13 22:59 8182272 c:\windows\Installer\4b871b4.msp
+ 2010-08-13 23:02 . 2010-08-13 23:02 2545664 c:\windows\Installer\4b871ac.msp
+ 2010-08-23 22:09 . 2010-08-23 22:09 7673344 c:\windows\Installer\4b871a4.msp
+ 2010-10-04 21:32 . 2010-10-04 21:32 5517824 c:\windows\Installer\4b87193.msp
+ 2010-08-24 14:49 . 2010-08-24 14:49 6825472 c:\windows\Installer\4b87182.msp
+ 2010-09-17 12:04 . 2010-09-17 12:04 9401856 c:\windows\Installer\361133a.msp
+ 2010-10-08 00:43 . 2010-10-08 00:43 1980416 c:\windows\Installer\3611321.msp
+ 2010-11-13 01:55 . 2010-11-13 01:55 1536512 c:\windows\Installer\2f312b7.msi
+ 2010-10-14 08:04 . 2010-06-24 12:22 1210368 c:\windows\ie8updates\KB2360131-IE8\urlmon.dll
+ 2010-10-14 08:04 . 2010-06-24 12:22 5951488 c:\windows\ie8updates\KB2360131-IE8\mshtml.dll
+ 2010-10-14 08:04 . 2010-06-24 12:21 1986560 c:\windows\ie8updates\KB2360131-IE8\iertutil.dll
+ 2010-10-14 08:03 . 2010-06-23 13:44 1851904 c:\windows\$NtUninstallKB981957$\win32k.sys
+ 2010-10-14 08:04 . 2008-04-14 00:12 1287168 c:\windows\$NtUninstallKB979687$\ole32.dll
+ 2010-10-14 08:06 . 2008-04-14 00:11 1028096 c:\windows\$NtUninstallKB2387149$\mfc42.dll
+ 2010-08-31 13:38 . 2010-08-31 13:38 1861888 c:\windows\$hf_mig$\KB981957\SP3QFE\win32k.sys
+ 2010-07-16 12:04 . 2010-07-16 12:04 1289216 c:\windows\$hf_mig$\KB979687\SP3QFE\ole32.dll
+ 2010-10-13 20:48 . 2010-09-10 05:57 1211904 c:\windows\$hf_mig$\KB2360131-IE8\SP3QFE\urlmon.dll
+ 2010-10-13 20:48 . 2010-09-10 05:57 5958656 c:\windows\$hf_mig$\KB2360131-IE8\SP3QFE\mshtml.dll
+ 2010-10-13 20:48 . 2010-09-10 05:57 1987072 c:\windows\$hf_mig$\KB2360131-IE8\SP3QFE\iertutil.dll
- 2004-08-11 22:00 . 2009-07-14 04:43 10841088 c:\windows\system32\wmp.dll
+ 2004-08-11 22:00 . 2010-08-26 04:36 10841088 c:\windows\system32\wmp.dll
+ 2006-05-14 20:58 . 2010-11-11 09:00 35758536 c:\windows\system32\MRT.exe
+ 2006-10-27 21:09 . 2010-09-10 05:58 11080192 c:\windows\system32\ieframe.dll
+ 2004-08-11 22:00 . 2010-08-26 04:36 10841088 c:\windows\system32\dllcache\wmp.dll
- 2004-08-11 22:00 . 2009-07-14 04:43 10841088 c:\windows\system32\dllcache\wmp.dll
+ 2007-05-09 09:20 . 2010-09-10 05:58 11080192 c:\windows\system32\dllcache\ieframe.dll
+ 2010-10-14 22:57 . 2010-10-14 22:57 11189248 c:\windows\Installer\3611332.msp
+ 2010-10-14 08:04 . 2010-06-24 22:51 11077120 c:\windows\ie8updates\KB2360131-IE8\ieframe.dll
+ 2010-10-14 08:05 . 2009-07-14 04:43 10841088 c:\windows\$NtUninstallKB2378111_WM9$\wmp.dll
+ 2010-09-10 16:27 . 2010-09-10 16:27 11082240 c:\windows\$hf_mig$\KB2360131-IE8\SP3QFE\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2010-09-21 01:25 731280 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2010-09-21 01:25 731280 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2010-09-21 01:25 731280 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeBridge"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [N/A]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2010-09-21 913552]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SE11"="c:\program files\SecEss\SE11.exe" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-9 24576]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe -startup [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 20:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2006-05-03 08:12 98304 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
c:\program files\Common Files\InstallShield\UpdateService\issch.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 13:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
c:\program files\MSN Messenger\MsnMsgr.Exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSSE]
2010-09-15 09:34 1094224 ----a-w- c:\program files\Microsoft Security Essentials\msseces.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SE11]
c:\program files\SecEss\SE11.exe [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\George Valcho\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr .exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [5/12/2006 07:39 AM 2944]
R3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [5/12/2006 07:39 AM 60416]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [5/12/2006 07:39 AM 11008]
R3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2/24/2000 09:18 AM 10908]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [3/25/2009 07:39 PM 28672]
S2 gupdate1c92027b42b3074;Google Update Service (gupdate1c92027b42b3074);c:\program files\Google\Update\GoogleUpdate.exe [9/26/2008 04:32 PM 133104]
S3 SNPP202;PC Camera (6028 VGA);c:\windows\system32\drivers\snpp202.sys [7/1/2010 01:53 PM 236544]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NORMANDY
*Deregistered* - klmd25
*Deregistered* - Normandy
.
Contents of the 'Scheduled Tasks' folder

2010-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-26 22:31]

2010-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-26 22:31]

2010-12-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 02:40]

2010-10-02 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-12 05:01]

2010-10-02 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-12 05:01]

2010-10-02 c:\windows\Tasks\PC Health Advisor Defrag.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-08-24 22:47]

2010-10-02 c:\windows\Tasks\PC Health Advisor.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-08-24 22:47]

2010-12-09 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2010-12-09 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2010-12-09 c:\windows\Tasks\User_Feed_Synchronization-{AF5A2525-BD10-4059-9704-3F2F42DA909C}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.drudgereport.com/
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:5577
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: fastestdeploy.com
Trusted Zone: motive.com\patttbc.att
Trusted Zone: turbotax.com
Trusted Zone: fastestdeploy.com
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
FF - ProfilePath - c:\documents and settings\George Valcho\Application Data\Mozilla\Firefox\Profiles\bpuh3etg.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.drudgereport.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\documents and settings\George Valcho\Application Data\Mozilla\Firefox\Profiles\bpuh3etg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\George Valcho\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\George Valcho\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwbe.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Starfield Zoom: zoomext@starfield - c:\program files\Mozilla Firefox\extensions\zoomext@starfield
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - c:\program files\Google\Google Gears\Firefox
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Extension: Clear Cache Button: {563e4790-7e70-11da-a72b-0800200c9a66} - c:\documents and settings\George Valcho\Application Data\Mozilla\Firefox\Profiles\bpuh3etg.default\extensions\{563e4790-7e70-11da-a72b-0800200c9a66}
FF - Extension: <?xmlversion=1.0?><RDF xmlns=http://www.w3.org/1999/02/22-rdf-syntax-ns# xmlns:em=http://www.mozilla.org/2004/em-rdf#><Description about=urn:mozilla:install-manifest><em:id>fbdislike@doweb.fr: fbdislike@doweb.fr - c:\documents and settings\George Valcho\Application Data\Mozilla\Firefox\Profiles\bpuh3etg.default\extensions\fbdislike@doweb.fr
FF - Extension: Copy Plain Text: {723AAF16-AF1F-4404-A5D7-0BFE39766605} - c:\documents and settings\George Valcho\Application Data\Mozilla\Firefox\Profiles\bpuh3etg.default\extensions\{723AAF16-AF1F-4404-A5D7-0BFE39766605}
FF - Extension: Auto Copy: {0FED7D55-65D4-47b6-A6DE-9A4ADB55355F} - c:\documents and settings\George Valcho\Application Data\Mozilla\Firefox\Profiles\bpuh3etg.default\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}
FF - Extension: Personas: personas@christopher.beard - c:\documents and settings\George Valcho\Application Data\Mozilla\Firefox\Profiles\bpuh3etg.default\extensions\personas@christopher.beard
FF - Extension: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\documents and settings\George Valcho\Application Data\Mozilla\Firefox\Profiles\bpuh3etg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Extension: Firebug: firebug@software.joehewitt.com - c:\documents and settings\George Valcho\Application Data\Mozilla\Firefox\Profiles\bpuh3etg.default\extensions\firebug@software.joehewitt.com

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-10 07:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,04,35,f9,e1,05,a6,3a,4e,99,b0,e5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,04,35,f9,e1,05,a6,3a,4e,99,b0,e5,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-12-10 07:52:45
ComboFix-quarantined-files.txt 2010-12-10 13:52
ComboFix2.txt 2010-10-10 19:13
ComboFix3.txt 2010-10-09 18:36
ComboFix4.txt 2010-10-05 11:33
ComboFix5.txt 2010-11-04 13:09

Pre-Run: 68,286,525,440 bytes free
Post-Run: 68,454,604,800 bytes free

- - End Of File - - BF4A04AB9605AD675A2D06DDAD7494C9

#6 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #6$ gringo_pr

Bleepin Gringo

Malware Response Team
136,772 posts
OFFLINE

Gender:Male
Location:Puerto rico
Local time:11:50 PM

Posted 10 December 2010 - 09:27 AM

I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

DDS::
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:5577

RenV::
c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                    .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Dell Support Center\bin\sprtcmd .exe
c:\program files\DellSupport\DSAgnt .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Malwarebytes' Anti-Malware\mbam   .exe
c:\program files\MSN Messenger\msnmsgr .exe
c:\program files\QuickTime\QTTask                                                      .exe
c:\windows\system32\rundll32 .exe

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

In your next post I need the following

report from Combofix
let me know of any problems you may have had
How is the computer doing now after running the script?

Gringo

Edited by gringo_pr, 10 December 2010 - 09:28 AM.

<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #7$ gvalcho

Topic Starter

Members
15 posts
OFFLINE

Local time:09:50 PM

Posted 10 December 2010 - 09:56 AM

Hello again Gringo, this time when I ran ComboFix I had two error messages, "grep.exe has encountered a problem and needs to close" and "grep.cfxxe has encountered a problem and needs to close." In both cases I did not send the error report and the popup closed.

Here is the latest ComboFix log:

ComboFix 10-12-09.02 - George Valcho 12/10/2010 8:39.13.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.534 [GMT -6:00]
Running from: c:\documents and settings\George Valcho\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\George Valcho\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((( Files Created from 2010-11-10 to 2010-12-10 )))))))))))))))))))))))))))))))
.

2010-12-10 14:00 . 2010-11-10 04:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{03036FB7-807B-48F5-8E2D-6F7167C0DCE2}\mpengine.dll
2010-12-01 03:30 . 2010-12-01 03:30 -------- d-----w- C:\TDSSKiller_Quarantine
2010-11-30 19:52 . 2010-11-30 19:52 -------- d-----w- c:\windows\system32\%APPDATA%
2010-11-10 15:47 . 2010-11-30 12:21 -------- d-----w- C:\bd_logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 23:42 . 2010-07-08 03:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 23:42 . 2010-07-08 03:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-10 04:33 . 2010-10-03 21:02 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-10-19 20:51 . 2010-10-01 19:01 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-18 17:23 . 2004-08-11 22:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-11 22:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-11 22:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-11 22:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 10:50 . 2010-06-12 11:20 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 08:29 . 2007-07-03 01:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2010-09-21 01:25 731280 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2010-09-21 01:25 731280 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2010-09-21 01:25 731280 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2010-09-21 913552]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-9 24576]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe -startup [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 20:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2006-05-03 08:12 98304 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 15:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 13:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-01-19 17:54 5674352 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSSE]
2010-09-15 09:34 1094224 ----a-w- c:\program files\Microsoft Security Essentials\msseces.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\George Valcho\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [5/12/2006 07:39 AM 2944]
R3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [5/12/2006 07:39 AM 60416]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [5/12/2006 07:39 AM 11008]
R3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2/24/2000 09:18 AM 10908]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [3/25/2009 07:39 PM 28672]
S2 gupdate1c92027b42b3074;Google Update Service (gupdate1c92027b42b3074);c:\program files\Google\Update\GoogleUpdate.exe [9/26/2008 04:32 PM 133104]
S3 SNPP202;PC Camera (6028 VGA);c:\windows\system32\drivers\snpp202.sys [7/1/2010 01:53 PM 236544]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NORMANDY
*Deregistered* - klmd25
*Deregistered* - Normandy
.
Contents of the 'Scheduled Tasks' folder

2010-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-26 22:31]

2010-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-26 22:31]

2010-12-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 02:40]

2010-10-02 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-12 05:01]

2010-10-02 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-12 05:01]

2010-10-02 c:\windows\Tasks\PC Health Advisor Defrag.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-08-24 22:47]

2010-10-02 c:\windows\Tasks\PC Health Advisor.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-08-24 22:47]

2010-12-09 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2010-12-09 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2010-12-10 c:\windows\Tasks\User_Feed_Synchronization-{AF5A2525-BD10-4059-9704-3F2F42DA909C}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.drudgereport.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: fastestdeploy.com
Trusted Zone: motive.com\patttbc.att
Trusted Zone: turbotax.com
Trusted Zone: fastestdeploy.com
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
FF - ProfilePath - c:\documents and settings\George Valcho\Application Data\Mozilla\Firefox\Profiles\bpuh3etg.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.drudgereport.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\documents and settings\George Valcho\Application Data\Mozilla\Firefox\Profiles\bpuh3etg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff36\gears.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Starfield Zoom: zoomext@starfield - c:\program files\Mozilla Firefox\extensions\zoomext@starfield
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - c:\program files\Google\Google Gears\Firefox
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Extension: Clear Cache Button: {563e4790-7e70-11da-a72b-0800200c9a66} - c:\documents and settings\George Valcho\Application Data\Mozilla\Firefox\Profiles\bpuh3etg.default\extensions\{563e4790-7e70-11da-a72b-0800200c9a66}
FF - Extension: <?xmlversion=1.0?><RDF xmlns=http://www.w3.org/1999/02/22-rdf-syntax-ns# xmlns:em=http://www.mozilla.org/2004/em-rdf#><Description about=urn:mozilla:install-manifest><em:id>fbdislike@doweb.fr: fbdislike@doweb.fr - c:\documents and settings\George Valcho\Application Data\Mozilla\Firefox\Profiles\bpuh3etg.default\extensions\fbdislike@doweb.fr
FF - Extension: Copy Plain Text: {723AAF16-AF1F-4404-A5D7-0BFE39766605} - c:\documents and settings\George Valcho\Application Data\Mozilla\Firefox\Profiles\bpuh3etg.default\extensions\{723AAF16-AF1F-4404-A5D7-0BFE39766605}
FF - Extension: Auto Copy: {0FED7D55-65D4-47b6-A6DE-9A4ADB55355F} - c:\documents and settings\George Valcho\Application Data\Mozilla\Firefox\Profiles\bpuh3etg.default\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}
FF - Extension: Personas: personas@christopher.beard - c:\documents and settings\George Valcho\Application Data\Mozilla\Firefox\Profiles\bpuh3etg.default\extensions\personas@christopher.beard
FF - Extension: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\documents and settings\George Valcho\Application Data\Mozilla\Firefox\Profiles\bpuh3etg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Extension: Firebug: firebug@software.joehewitt.com - c:\documents and settings\George Valcho\Application Data\Mozilla\Firefox\Profiles\bpuh3etg.default\extensions\firebug@software.joehewitt.com

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)
HKU-Default-Run-SE11 - c:\program files\SecEss\SE11.exe
MSConfigStartUp-SE11 - c:\program files\SecEss\SE11.exe

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,04,35,f9,e1,05,a6,3a,4e,99,b0,e5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,04,35,f9,e1,05,a6,3a,4e,99,b0,e5,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2196)
c:\windows\system32\WININET.dll
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\program files\Common Files\Microsoft Shared\OFFICE11\MSOXEV.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\dfshim.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-12-10 08:52:01
ComboFix-quarantined-files.txt 2010-12-10 14:51
ComboFix2.txt 2010-12-10 13:52
ComboFix3.txt 2010-10-10 19:13
ComboFix4.txt 2010-10-09 18:36
ComboFix5.txt 2010-12-10 14:37

Pre-Run: 68,443,193,344 bytes free
Post-Run: 68,435,173,376 bytes free

- - End Of File - - E81ADEF9CBF087BB003BE3619A3910DF

#8 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #8$ gringo_pr

Bleepin Gringo

Malware Response Team
136,772 posts
OFFLINE

Gender:Male
Location:Puerto rico
Local time:11:50 PM

Posted 10 December 2010 - 10:11 AM

These logs are looking alot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Adobe Reader 7.0.9
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1
MalwareRemovalBot
Viewpoint Media Player
Whitesmoke Translator
WildTangent Web Driver

and click on remove

Update Adobe Reader

Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be carefull not to install anything to do with AskBar.
[/list]
Your Java is out of date.

It can be updated by the Java control panel

click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
An update should begin;
follow the prompts

Clear your Java Cache

click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button.
- Next, click on the Delete Files button
- There are two options in the window to clear the cache - Leave BOTH Checked
  Applications and Applets
  Trace and Log Files
Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Temporary Files Window
Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

Please download TFC to your desktop,
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

I would like you to rerun MBAM
Double-click mbam icon
go to the update tab at the top
click on check for updates
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
If you accidently close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

Go Here to download HijackThis Installer
Save HijackThis Installer to your desktop.
Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

In your next post I need the following

Log From MBAM
report from Hijackthis
let me know of any problems you may have had
How is the computer doing now?

Gringo

<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #9$ gvalcho

Topic Starter

Members
15 posts
OFFLINE

Local time:09:50 PM

Posted 10 December 2010 - 10:55 AM

Hi Gringo, I ran into a couple of issues.

First, Java will not update. The console indicates that I already have the latest version.

Second, MBAM will not execute. I get the following error messages:

MBAM_ERROR_EXPANDING_VARIABLES (0, 453)
MBAM_ERROR_MISSING_FILE (3, 0, mbamswissarmy.sys)

I thought I should report these to you before proceeding.

Thank you, George

#10 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #10$ gringo_pr

Bleepin Gringo

Malware Response Team
136,772 posts
OFFLINE

Gender:Male
Location:Puerto rico
Local time:11:50 PM

Posted 10 December 2010 - 11:29 AM

Hello

ok lets try this to grt the MBAM working

Uninstall Malwarebytes

Click on Start and select Control Panel
Open Add/Remove Programs
Uninstall Malwarebytes' Anti-Malware
Restart your computer very important
Download and run mbam-clean.exe from here
It will ask to restart your computer, please allow it to do so very important
After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here
Note: You will need to reactivate the program using the license you were sent via email if using the Pro version
Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.
Restart the computer again and verify that MBAM is in the task tray if using the Pro version. Now setup any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications and restart your Anti-Virus/Internet-Security applications. You may use the guides posted in the FAQ's here or post to ask and we'll explain how to do it.

Gringo

<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #11$ gvalcho

Topic Starter

Members
15 posts
OFFLINE

Local time:09:50 PM

Posted 10 December 2010 - 01:45 PM

OK Gringo, I got MalwareBytes to run. I also ran HiJackThis. Before I add the logs I have two errors to report:

1 - After unistalling MalwareBytes and reinstalling, I rebooted. I got this message: "One of the files containing the systems' registry data had to be recovered by use of a log or alternate copy. The recovery was successful."

2 - Hijack this had an error: "unexpected at procedure modMAIN_CHECKOTHER1ITEM() #62 input past end of file."

Here's the MalwareBytes Log:

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5289

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/10/2010 12:28:52 PM
mbam-log-2010-12-10 (12-28-52).txt

Scan type: Quick scan
Objects scanned: 165216
Time elapsed: 6 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Here's the HiJack log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:39:45 PM, on 12/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.fastestdeploy.com
O15 - Trusted Zone: http://*.fastestdeploy.com (HKLM)
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - http://gvsportsphotography.exposuremanager.com/uploader/ImageUploader5.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - http://gvsportsphotography.exposuremanager.com/uploader/ImageUploader4.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - http://gvsportsphotography.exposuremanager.com/ImageUploader3.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} - http://www.candystand.com/assets/activex/virtools/CacheManager.CAB
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Update Service (gupdate1c92027b42b3074) (gupdate1c92027b42b3074) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 10249 bytes

#12 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #12$ gringo_pr

Bleepin Gringo

Malware Response Team
136,772 posts
OFFLINE

Gender:Male
Location:Puerto rico
Local time:11:50 PM

Posted 10 December 2010 - 02:14 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
- O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
  O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
  O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
  O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
  O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
  O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

NOTE**You can research each of those lines >here< and see if you want to keep them or not
just copy the name between the brakets and paste into the search space
O4 - HKLM\..\Run: [IntelliPoint]

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scannner from ESET.

Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
- Click Start
When asked, allow the activex control to install
- Click Start
Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
Click on Advanced Settings, ensure the options
Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt

Copy and paste that log as a reply to this topic

Gringo

<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #13$ gvalcho

Topic Starter

Members
15 posts
OFFLINE

Local time:09:50 PM

Posted 10 December 2010 - 06:52 PM

Gringo, here is the log from ESET. Threats were found!

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=1
esets_scanner_update returned -1 esets_gle=1
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6415
# api_version=3.0.2
# EOSSerial=3786d2961cb08842b54110232d2748df
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-12-10 11:48:31
# local_time=2010-12-10 05:48:31 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 33447272 33447272 0 0
# compatibility_mode=5891 16776869 100 100 0 21522985 0 0
# compatibility_mode=8192 67108863 100 0 2842960 2842960 0 0
# scanned=179370
# found=4
# cleaned=0
# scan_time=9873
C:\Documents and Settings\George Valcho\My Documents\Downloads\SmitfraudFix.exe multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\George Valcho\My Documents\Downloads\SmitfraudFix\Process.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\George Valcho\My Documents\Downloads\SmitfraudFix\restart.exe Win32/Shutdown.NAA application (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\Process.exe.vir Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I

#14 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #14$ gringo_pr

Bleepin Gringo

Malware Response Team
136,772 posts
OFFLINE

Gender:Male
Location:Puerto rico
Local time:11:50 PM

Posted 10 December 2010 - 07:27 PM

Greetings

There are somethings in the online scan I want to remove so run this scrript for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

File::
C:\Documents and Settings\George Valcho\My Documents\Downloads\SmitfraudFix.exe 

Folder::
C:\Documents and Settings\George Valcho\My Documents\Downloads\SmitfraudFix

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image

<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #15$ gvalcho

Topic Starter

Members
15 posts
OFFLINE

Local time:09:50 PM

Posted 11 December 2010 - 12:04 AM

Hey Gringo, thanks for working this all day long! I apprecaite your help!!!

The latest ComboFix log is inserted below.

I noticed that this directory is still present: c:\windows\system32\%APPDATA% This is where the Whitesmoke program was located. Can I just delete this directory after we've finished?

Thank you! George

ComboFix 10-12-09.04 - George Valcho 12/10/2010 22:40:19.14.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.465 [GMT -6:00]
Running from: c:\documents and settings\George Valcho\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\George Valcho\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FILE ::
"c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix
c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix.exe
c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix\404Fix.exe
c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix\Agent.OMZ.Fix.exe
c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix\beep_2K_original.sys
c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix\beep_XP_original.sys
c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix\dumphive.exe
c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix\exit.exe
c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix\GenericRenosFix.exe
c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix\HostsChk.exe
c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix\IEDFix.C.exe
c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix\IEDFix.exe
c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix\o4Patch.exe
c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix\Policies.exe
c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix\Process.exe
c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix\ProxyDisable.exe
c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix\Reboot.exe
c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix\restart.exe
c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix\SmitfraudFix.cmd
c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix\SmiUpdate.exe
c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix\SrchSTS.exe
c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix\swreg.exe
c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix\swsc.exe
c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix\swxcacls.exe
c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix\UIFix.exe
c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix\unzip.exe
c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix\VACFix.exe
c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix\VCCLSID.exe
c:\documents and settings\George Valcho\My Documents\Downloads\SmitfraudFix\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2010-11-11 to 2010-12-11 )))))))))))))))))))))))))))))))
.

2010-12-10 18:50 . 2010-11-10 04:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6FA6303C-6C0D-4190-B373-2D535B6AC1CB}\mpengine.dll
2010-12-10 18:36 . 2010-12-10 18:36 388096 ----a-r- c:\documents and settings\George Valcho\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-10 18:36 . 2010-12-10 18:36 -------- d-----w- c:\program files\Trend Micro
2010-12-10 18:18 . 2010-11-29 23:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-10 18:18 . 2010-12-10 18:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-10 18:18 . 2010-11-29 23:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-01 03:30 . 2010-12-01 03:30 -------- d-----w- C:\TDSSKiller_Quarantine
2010-11-30 19:52 . 2010-11-30 19:52 -------- d-----w- c:\windows\system32\%APPDATA%

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-10 04:33 . 2010-10-03 21:02 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-10-19 20:51 . 2010-10-01 19:01 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-18 17:23 . 2004-08-11 22:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-11 22:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-11 22:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-11 22:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 10:50 . 2010-06-12 11:20 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 08:29 . 2007-07-03 01:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
.

((((((((((((((((((((((((((((( SnapShot_2010-12-10_13.49.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-10 18:20 . 2010-12-10 18:20 16384 c:\windows\Temp\Perflib_Perfdata_3c0.dat
+ 2010-12-10 18:20 . 2010-12-10 18:20 16384 c:\windows\Temp\Perflib_Perfdata_138.dat
+ 2004-08-11 22:06 . 2010-12-10 15:25 245360 c:\windows\system32\FNTCACHE.DAT
+ 2010-12-10 18:36 . 2010-12-10 18:36 1094656 c:\windows\Installer\ef3f4.msi
+ 2010-12-10 15:38 . 2010-12-10 15:38 2283008 c:\windows\Installer\ad47a.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2010-09-21 01:25 731280 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2010-09-21 01:25 731280 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2010-09-21 01:25 731280 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2010-09-21 913552]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-9 24576]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe -startup [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 20:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2006-05-03 08:12 98304 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 15:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 13:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-01-19 17:54 5674352 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSSE]
2010-09-15 09:34 1094224 ----a-w- c:\program files\Microsoft Security Essentials\msseces.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\George Valcho\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [5/12/2006 07:39 AM 2944]
R3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [5/12/2006 07:39 AM 60416]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [5/12/2006 07:39 AM 11008]
R3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2/24/2000 09:18 AM 10908]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [3/25/2009 07:39 PM 28672]
S2 gupdate1c92027b42b3074;Google Update Service (gupdate1c92027b42b3074);c:\program files\Google\Update\GoogleUpdate.exe [9/26/2008 04:32 PM 133104]
S3 SNPP202;PC Camera (6028 VGA);c:\windows\system32\drivers\snpp202.sys [7/1/2010 01:53 PM 236544]
.
Contents of the 'Scheduled Tasks' folder

2010-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-26 22:31]

2010-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-26 22:31]

2010-10-02 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-12 05:01]

2010-10-02 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-12 05:01]

2010-10-02 c:\windows\Tasks\PC Health Advisor Defrag.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-08-24 22:47]

2010-10-02 c:\windows\Tasks\PC Health Advisor.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-08-24 22:47]

2010-12-10 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2010-12-09 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2010-12-10 c:\windows\Tasks\User_Feed_Synchronization-{AF5A2525-BD10-4059-9704-3F2F42DA909C}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.drudgereport.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: fastestdeploy.com
Trusted Zone: motive.com\patttbc.att
Trusted Zone: turbotax.com
Trusted Zone: fastestdeploy.com
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
FF - ProfilePath - c:\documents and settings\George Valcho\Application Data\Mozilla\Firefox\Profiles\bpuh3etg.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.drudgereport.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\documents and settings\George Valcho\Application Data\Mozilla\Firefox\Profiles\bpuh3etg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\George Valcho\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\George Valcho\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwbe.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Starfield Zoom: zoomext@starfield - c:\program files\Mozilla Firefox\extensions\zoomext@starfield
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - c:\program files\Google\Google Gears\Firefox
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Extension: Clear Cache Button: {563e4790-7e70-11da-a72b-0800200c9a66} - c:\documents and settings\George Valcho\Application Data\Mozilla\Firefox\Profiles\bpuh3etg.default\extensions\{563e4790-7e70-11da-a72b-0800200c9a66}
FF - Extension: <?xmlversion=1.0?><RDF xmlns=http://www.w3.org/1999/02/22-rdf-syntax-ns# xmlns:em=http://www.mozilla.org/2004/em-rdf#><Description about=urn:mozilla:install-manifest><em:id>fbdislike@doweb.fr: fbdislike@doweb.fr - c:\documents and settings\George Valcho\Application Data\Mozilla\Firefox\Profiles\bpuh3etg.default\extensions\fbdislike@doweb.fr
FF - Extension: Copy Plain Text: {723AAF16-AF1F-4404-A5D7-0BFE39766605} - c:\documents and settings\George Valcho\Application Data\Mozilla\Firefox\Profiles\bpuh3etg.default\extensions\{723AAF16-AF1F-4404-A5D7-0BFE39766605}
FF - Extension: Auto Copy: {0FED7D55-65D4-47b6-A6DE-9A4ADB55355F} - c:\documents and settings\George Valcho\Application Data\Mozilla\Firefox\Profiles\bpuh3etg.default\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}
FF - Extension: Personas: personas@christopher.beard - c:\documents and settings\George Valcho\Application Data\Mozilla\Firefox\Profiles\bpuh3etg.default\extensions\personas@christopher.beard
FF - Extension: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\documents and settings\George Valcho\Application Data\Mozilla\Firefox\Profiles\bpuh3etg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Extension: Firebug: firebug@software.joehewitt.com - c:\documents and settings\George Valcho\Application Data\Mozilla\Firefox\Profiles\bpuh3etg.default\extensions\firebug@software.joehewitt.com

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-10 22:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,04,35,f9,e1,05,a6,3a,4e,99,b0,e5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,04,35,f9,e1,05,a6,3a,4e,99,b0,e5,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-12-10 22:54:22
ComboFix-quarantined-files.txt 2010-12-11 04:54
ComboFix2.txt 2010-12-10 14:52
ComboFix3.txt 2010-12-10 13:52
ComboFix4.txt 2010-10-10 19:13
ComboFix5.txt 2010-12-11 04:36

Pre-Run: 68,505,825,280 bytes free
Post-Run: 68,505,833,472 bytes free

- - End Of File - - 3E648EDE337ABAAF2A130AB9E35C6191

Back to Virus, Trojan, Spyware, and Malware Removal Logs

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks

#1 gvalcho

Attached Files

BC AdBot (Login to Remove)

#2 gringo_pr

#3 gvalcho

#4 gringo_pr

#5 gvalcho

#6 gringo_pr

#7 gvalcho

#8 gringo_pr

#9 gvalcho

#10 gringo_pr

#11 gvalcho

#12 gringo_pr

#13 gvalcho

#14 gringo_pr

#15 gvalcho

0 user(s) are reading this topic

Sign In

#1 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #1$ gvalcho

#2 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #2$ gringo_pr

#3 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #3$ gvalcho

#4 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #4$ gringo_pr

#5 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #5$ gvalcho

#6 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #6$ gringo_pr

#7 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #7$ gvalcho

#8 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #8$ gringo_pr

#9 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #9$ gvalcho

#10 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #10$ gringo_pr

#11 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #11$ gvalcho

#12 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #12$ gringo_pr

#13 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #13$ gvalcho

#14 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #14$ gringo_pr

#15 $Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) returns every two weeks: post #15$ gvalcho