
Probable AntiVirus Pro 2010 infection - cf


This topic is locked
22 replies to this topic

#1 circusfrog

Posted 19 December 2010 - 10:34 AM

Hello,

My daughter had an Antivirus Pro 2010 popup occur on the family desktop yesterday. I closed the popup but later noticed the McAfee OAS icon on the toolbar indicated it was disabled. I was unable to restart McAfee OAS and also found that I could not start Task Manager.

I have disconnected the infected PC from the internet and am contacting you via a clean laptop. I have attached the reports produced by DDS.scr. I can't produce a GMER report as I get a BSOD when I run the exe.

Hope you can help.


#2 Shannon2012

Posted 29 December 2010 - 01:51 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 circusfrog

Posted 29 December 2010 - 09:42 PM

Hi, thanks for your reply. I have moved things on a little since my original post.
I ran a MBAM full scan which cleaned/deleted the reported malware such that it now reports no malware found.
My main concern is now the MBR and redirects.
I am still unable to run GMER as it causes a reboot so I cannot post a GMER log.
Below is a DDS log:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Howard at 14:10:08.54 on 29/12/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1491 [GMT 0:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: McAfee Host Intrusion Prevention Firewall *Disabled*

============== Running Processes ===============

E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
E:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
E:\WINDOWS\system32\spoolsv.exe
svchost.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
E:\WINDOWS\system32\bgsvcgen.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
E:\FileTransfer\wrapper.exe
E:\WINDOWS\system32\FsUsbExService.Exe
E:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
E:\Program Files\McAfee\Common Framework\FrameworkService.exe
E:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
E:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
E:\WINDOWS\system32\java.exe
E:\WINDOWS\System32\svchost.exe -k imgsvc
E:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
E:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
E:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
E:\Program Files\CyberLink\PowerCinema\PCMService.exe
E:\WINDOWS\RTHDCPL.EXE
E:\Program Files\McAfee\Common Framework\UdaterUI.exe
E:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\McAfee\Common Framework\McTray.exe
E:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
E:\WINDOWS\system32\ctfmon.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\explorer.exe
E:\Documents and Settings\Howard\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://uk.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://search.alot.com/sidebar?pr=asst&client_id=DE43392001C9F276002D3B29&install_time=21-06-2009:14:47&src_id=11096&camp_id=63&tb_version=2.4.4.412&url=http%3A%2F%2Fhome%2Ealot%2Ecom%2F%3Fclient%5Fid%3DDE43392001C9F276002D3B29%26install%5Ftime%3D21%2D06%2D2009%3A14%3A47%26src%5Fid%3D11096%26camp%5Fid%3D63%26tb%5Fversion%3D2%2E4%2E4%2E412
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - e:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - e:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - e:\program files\mcafee\virusscan enterprise\Scriptcl.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - e:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - e:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: {8020143D-5926-4394-A04D-DD0B649DA121} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {7B13EC3E-999A-4B70-B9CB-2617B8323822} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] e:\windows\system32\ctfmon.exe
uRun: [TomTomHOME.exe] "e:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [Google Update] "e:\documents and settings\howard\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IAAnotif] e:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [PCMService] "e:\program files\cyberlink\powercinema\PCMService.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [McAfeeUpdaterUI] "e:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [McAfee Host Intrusion Prevention Tray] "e:\program files\mcafee\host intrusion prevention\FireTray.exe"
mRun: [NPSStartup]
mRun: [CanonMyPrinter] e:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] e:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [IJNetworkScanUtility] e:\program files\canon\canon ij network scan utility\CNMNSUT.exe
mRun: [nwiz] e:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE e:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE e:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "e:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "e:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "e:\program files\itunes\iTunesHelper.exe"
mRun: [ShStatEXE] "e:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
dRun: [CTFMON.EXE] e:\windows\system32\CTFMON.EXE
StartupFolder: e:\docume~1\alluse~1\startm~1\programs\startup\billmi~1.lnk - e:\quickenw\BILLMIND.EXE
StartupFolder: e:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - e:\program files\microsoft office\office10\OSA.EXE
StartupFolder: e:\docume~1\alluse~1\startm~1\programs\startup\photof~1.lnk - e:\program files\common files\panasonic\photofunstudio autostart\AutoStartupService.exe
IE: E&xport to Microsoft Excel - e:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - e:\program files\java\jre1.6.0_02\bin\ssv.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - hxxp://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\WPDShServiceObj.dll
IFEO: image file execution options - svchost.exe
Hosts: 74.125.45.100 safebrowsing-cache.google.com
Hosts: 74.125.45.100 urs.microsoft.com
Hosts: 74.125.45.100 www.securesoftwarebill.com
Hosts: 74.125.45.100 secure-plus-payments.com
Hosts: 74.125.45.100 www.secure-plus-payments.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

P2 McShield;McAfee McShield;e:\program files\mcafee\virusscan enterprise\Mcshield.exe [2007-2-22 144960]
R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);e:\windows\system32\drivers\sfdrv01a.sys [2006-7-5 63352]
R1 mfehidk;McAfee Inc. mfehidk;e:\windows\system32\drivers\mfehidk.sys [2009-5-8 201320]
R1 mferkdk;VSCore mferkdk;e:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R2 enterceptAgent;McAfee Host Intrusion Prevention Service;e:\program files\mcafee\host intrusion prevention\FireSvc.exe [2008-3-26 1447232]
R2 FileTransfer;AS2 Connector File Transfer;e:\filetransfer\wrapper.exe -s e:\filetransfer\service\wrapper.conf --> e:\filetransfer\wrapper.exe -s e:\filetransfer\service\wrapper.conf [?]
R2 FsUsbExService;FsUsbExService;e:\windows\system32\FsUsbExService.Exe [2009-12-25 233472]
R2 McAfeeFramework;McAfee Framework Service;e:\program files\mcafee\common framework\FrameworkService.exe [2009-5-8 104000]
R2 McTaskManager;McAfee Task Manager;e:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2007-2-22 54872]
R2 TomTomHOMEService;TomTomHOMEService;e:\program files\tomtom home 2\TomTomHOMEService.exe [2010-8-24 92008]
R3 FirehkMP;FirehkMP;e:\windows\system32\drivers\firehk.sys [2008-2-29 40328]
R3 FsUsbExDisk;FsUsbExDisk;e:\windows\system32\FsUsbExDisk.Sys [2009-12-25 36608]
R3 HIPK;McAfee Inc. HIPK;e:\windows\system32\drivers\HIPK.sys [2009-5-15 100104]
R3 HIPPSK;McAfee Inc. HIPPSK;e:\windows\system32\drivers\HIPPSK.sys [2009-5-15 30856]
R3 HIPQK;McAfee Inc. HIPQK;e:\windows\system32\drivers\HIPQK.sys [2009-5-15 27976]
R3 hips;McAfee HIPSCore Service;e:\program files\mcafee\host intrusion prevention\hipscore\HIPSvc.exe [2009-5-15 46400]
R3 mfeavfk;McAfee Inc.;e:\windows\system32\drivers\mfeavfk.sys [2009-5-8 72264]
R3 mfebopk;McAfee Inc.;e:\windows\system32\drivers\mfebopk.sys [2009-5-8 34152]
S2 gupdate;Google Update Service (gupdate);e:\program files\google\update\GoogleUpdate.exe [2010-5-23 136176]
S3 Firehk;McAfee NDIS Intermediate Filter;e:\windows\system32\drivers\firehk.sys [2008-2-29 40328]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;e:\program files\sisoftware\sisoftware sandra lite 2010.sp2\RpcAgentSrv.exe [2010-8-30 93848]

=============== Created Last 30 ================

2010-12-29 00:38:43 70976 ----a-w- e:\windows\system32\HIPIS0e00150.dll
2010-12-28 11:12:32 -------- d-s---w- E:\ComboFix
2010-12-27 17:42:54 98816 ----a-w- e:\windows\sed.exe
2010-12-27 17:42:54 89088 ----a-w- e:\windows\MBR.exe
2010-12-27 17:42:54 256512 ----a-w- e:\windows\PEV.exe
2010-12-27 17:42:54 161792 ----a-w- e:\windows\SWREG.exe
2010-12-27 16:23:08 -------- d-----w- e:\docume~1\howard\applic~1\Malwarebytes
2010-12-27 16:22:53 38224 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys
2010-12-27 16:22:53 -------- d-----w- e:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-27 16:22:50 20952 ----a-w- e:\windows\system32\drivers\mbam.sys
2010-12-27 16:22:50 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2010-12-19 01:17:22 -------- d--h--w- e:\windows\system32\GroupPolicy
2010-12-18 23:55:04 -------- d-----w- e:\windows\35C03C043F1F42C2A989A757EE691F65.TMP
2010-12-18 23:06:08 -------- d-sh--w- e:\docume~1\alluse~1\applic~1\IAKTHAHV
2010-12-18 23:05:20 -------- d-sh--w- e:\docume~1\alluse~1\applic~1\f7e9c7
2010-12-09 18:31:34 -------- d-sh--w- E:\found.006
2010-11-30 22:05:41 -------- d-----w- e:\program files\iPod
2010-11-30 22:05:37 -------- d-----w- e:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-11-30 22:04:31 159744 ----a-w- e:\program files\internet explorer\plugins\npqtplugin7.dll
2010-11-30 22:04:31 159744 ----a-w- e:\program files\internet explorer\plugins\npqtplugin6.dll
2010-11-30 22:04:31 159744 ----a-w- e:\program files\internet explorer\plugins\npqtplugin5.dll
2010-11-30 22:04:31 159744 ----a-w- e:\program files\internet explorer\plugins\npqtplugin4.dll
2010-11-30 22:04:31 159744 ----a-w- e:\program files\internet explorer\plugins\npqtplugin3.dll
2010-11-30 22:04:31 159744 ----a-w- e:\program files\internet explorer\plugins\npqtplugin2.dll
2010-11-30 22:04:31 159744 ----a-w- e:\program files\internet explorer\plugins\npqtplugin.dll
2010-11-30 22:02:10 -------- d-----w- e:\program files\Bonjour

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- e:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- e:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- e:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- e:\windows\system32\inetcpl.cpl
2010-11-04 00:42:20 136512 ----a-w- e:\windows\system32\KevlarSigs.dll
2010-11-03 12:25:54 385024 ----a-w- e:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- e:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- e:\windows\system32\win32k.sys
2010-10-07 12:23:02 91424 ----a-w- e:\windows\system32\dnssd.dll
2010-10-07 12:23:02 75040 ----a-w- e:\windows\system32\jdns_sd.dll
2010-10-07 12:23:02 197920 ----a-w- e:\windows\system32\dnssdX.dll
2010-10-07 12:23:02 107808 ----a-w- e:\windows\system32\dns-sd.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Intel___ rev.1.0. -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A621150]<<
_asm { POP EAX; PUSH DWORD [0x8a62114c]; PUSH EAX; JMP [0x8a621148]; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A57A6D0]
3 CLASSPNP[0xB8108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IAAStorageDevice-1[0x8A56B030]
\Driver\iaStor[0x8A5E1030] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8A621150
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi -> 0x895bb1b0
\Driver\iaStor -> 0x8a621150
user != kernel MBR !!!
sectors 488388606 (+255): user != kernel
Warning: possible MBR rootkit infection !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 14:10:27.64 ===============

Thanks for any help you can offer.
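As an added example (not code from the thread, from DDS, or from any tool mentioned here), a small Python triage script that flags the indicator classes visible in the log above: HOSTS lines redirecting safe-browsing/reputation services, an IFEO entry for svchost.exe, orphaned BHO/toolbar CLSIDs, freshly created hidden+system folders, kernel disk-driver hooks, and the user/kernel MBR mismatch. The sample input is constructed from lines of the posted log; the severity labels and the threshold of three names per address are my own assumptions.

```python
"""Triage helper for DDS 'Pseudo HJT Report', 'Created Last 30' and ROOTKIT sections.

Added example for the thread above; not part of DDS or of any BleepingComputer tool.
"""
import re
from collections import Counter, defaultdict

# Reputation / safe-browsing services. Pointing them elsewhere in HOSTS blinds the
# browser's phishing filter, a classic rogue-AV trick (assumed list, not exhaustive).
REPUTATION_DOMAINS = {"safebrowsing-cache.google.com", "urs.microsoft.com"}
# Addresses that legitimately collect many names (ad-blocking HOSTS files etc.).
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")
IFEO_RE = re.compile(r"^IFEO:\s+.+?\s+-\s+(\S+)$")
NOFILE_RE = re.compile(r"^(BHO|TB|EB):\s+(\{[0-9A-Fa-f-]+\})\s+-\s+No File$")
HIDDEN_DIR_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} -------- d-sh--w- (.+)$")
HOOK_RE = re.compile(r"^\\Driver\\\S+ -> 0x[0-9A-Fa-f]+$")
CHKDSK_DIR_RE = re.compile(r"\\found\.\d{3}$", re.IGNORECASE)  # chkdsk output, benign

# Constructed sample, taken from lines of the DDS log posted above.
SAMPLE_DDS = r"""
IFEO: image file execution options - svchost.exe
Hosts: 74.125.45.100 safebrowsing-cache.google.com
Hosts: 74.125.45.100 urs.microsoft.com
Hosts: 74.125.45.100 www.securesoftwarebill.com
Hosts: 74.125.45.100 secure-plus-payments.com
Hosts: 74.125.45.100 www.secure-plus-payments.com
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
2010-12-18 23:06:08 -------- d-sh--w- e:\docume~1\alluse~1\applic~1\IAKTHAHV
2010-12-18 23:05:20 -------- d-sh--w- e:\docume~1\alluse~1\applic~1\f7e9c7
2010-12-09 18:31:34 -------- d-sh--w- E:\found.006
\Driver\atapi -> 0x895bb1b0
\Driver\iaStor -> 0x8a621150
user != kernel MBR !!!
"""


def triage_dds(text):
    """Return a list of (severity, reason, line) findings for DDS output."""
    findings = []
    hosts_by_ip = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            hosts_by_ip[ip].append(host)
            if host.lower() in REPUTATION_DOMAINS:
                findings.append(("high", "HOSTS overrides reputation service %s" % host, line))
            continue
        m = IFEO_RE.match(line)
        if m:
            # A debugger/IFEO entry on a core binary is a persistence technique.
            findings.append(("high", "IFEO entry for core binary %s" % m.group(1), line))
            continue
        m = NOFILE_RE.match(line)
        if m:
            findings.append(("low", "orphaned %s %s (No File)" % (m.group(1), m.group(2)), line))
            continue
        m = HIDDEN_DIR_RE.match(line)
        if m:
            if CHKDSK_DIR_RE.search(m.group(1)):
                continue  # found.NNN is chkdsk recovery output, not malware
            findings.append(("medium", "recently created hidden+system directory", line))
            continue
        if HOOK_RE.match(line):
            findings.append(("high", "disk-driver dispatch hooked in kernel", line))
            continue
        if line.startswith("user != kernel MBR"):
            findings.append(("critical", "MBR read from user mode differs from kernel read", line))
    # Many unrelated names forced to one non-local address suggests a fake-site redirect.
    for ip, hosts in hosts_by_ip.items():
        if ip not in LOCAL_SINKS and len(hosts) >= 3:
            summary = "Hosts: %s -> %s" % (ip, ", ".join(hosts))
            findings.append(("medium", "%d HOSTS names forced to %s" % (len(hosts), ip), summary))
    return findings


def severity_counts(findings):
    """Count findings per severity label."""
    return Counter(sev for sev, _, _ in findings)


def max_severity(findings):
    """Highest severity present, or 'info' when there are no findings."""
    order = ["info", "low", "medium", "high", "critical"]
    return max((sev for sev, _, _ in findings), key=order.index, default="info")


if __name__ == "__main__":
    for sev, reason, line in triage_dds(SAMPLE_DDS):
        print("[%s] %s: %s" % (sev.upper(), reason, line))
    print("overall:", max_severity(triage_dds(SAMPLE_DDS)))
```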




#4 Shannon2012

Posted 30 December 2010 - 05:55 PM

Hi, circusfrog-

Welcome to Bleeping Computer.

My name is Shannon and I will be working with you to remove the malware that is on your machine.

I apologize for the delay in replying to your post, but this forum is extremely busy.

There may be a delay in my response to your posts as I am still currently in training. I will be helping you with supervision of the teachers and they will approve every post before I present them to you.

Please don't make any further changes or run any other tools unless instructed to. Additional changes may hinder the cleaning of your machine.

When asked to copy logs or reports into your reply, please copy them directly into your reply. Do not include them in quotes. Do not attach them unless asked to do so. In Notepad, please turn off Word Wrap under the Format menu.

Please Track this topic - On the top right on this thread, click on the Option button, and, in the drop-down list, click on 'Track this topic'. Under Subscription Information, click on 'Immediate Email Notification' and then click on the Proceed button at the bottom.

Please give me some time to look over your log. I will post the reply as soon as possible.
Shannon

#5 Shannon2012

Posted 01 January 2011 - 12:41 PM

Hi-

Sorry for the delay. It is a busy time of year.

I noticed that you have a folder on your hard drive called "ComboFix". I assume you have downloaded ComboFix there, but I hope that you have not used it as it can trash your computer if you are not careful. If you have run it, please copy in the log file it produced. It should be at e:\ComboFix\ComboFix.txt.

Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Double click TDSSKiller.exe
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected
  • Click Continue > Reboot now
  • Copy and paste the log in your next reply
    Note: A copy of the log will be saved automatically to the root of the drive (typically C:\)

In your reply, please copy in the ComboFix report (if one exists) and the TDSSKiller report.

Happy New Year!!
Shannon

#6 circusfrog

Posted 01 January 2011 - 03:45 PM

Hello Shannon and a Happy New Year to you too.

No need to apologize for any delay in responding, I appreciate the help.

Yes, I did run ComboFix but it caused a reboot and left no log behind. The ComboFix folder is, I think, a shortcut as it is not visible under DOS. In Windows the folder has the same icon as 'My Computer' and the contents are identical to those of the 'My Computer' folder.

TDSSKiller did not seem to find any problems - I have pasted the report below:

2011/01/01 20:23:38.0375 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2011/01/01 20:23:38.0375 ================================================================================
2011/01/01 20:23:38.0375 SystemInfo:
2011/01/01 20:23:38.0375
2011/01/01 20:23:38.0375 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/01 20:23:38.0375 Product type: Workstation
2011/01/01 20:23:38.0375 ComputerName: ANTEC
2011/01/01 20:23:38.0375 UserName: Howard
2011/01/01 20:23:38.0375 Windows directory: E:\WINDOWS
2011/01/01 20:23:38.0375 System windows directory: E:\WINDOWS
2011/01/01 20:23:38.0375 Processor architecture: Intel x86
2011/01/01 20:23:38.0375 Number of processors: 2
2011/01/01 20:23:38.0375 Page size: 0x1000
2011/01/01 20:23:38.0375 Boot type: Normal boot
2011/01/01 20:23:38.0375 ================================================================================
2011/01/01 20:23:38.0656 Initialize success
2011/01/01 20:23:47.0781 ================================================================================
2011/01/01 20:23:47.0781 Scan started
2011/01/01 20:23:47.0781 Mode: Manual;
2011/01/01 20:23:47.0781 ================================================================================
2011/01/01 20:23:52.0296 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) E:\WINDOWS\system32\DRIVERS\pciide.sys
2011/01/01 20:23:52.0312 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) E:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/01/01 20:23:52.0421 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) E:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/01 20:23:52.0437 Processor (a32bebaf723557681bfc6bd93e98bd26) E:\WINDOWS\system32\DRIVERS\processr.sys
2011/01/01 20:23:52.0453 PSched (09298ec810b07e5d582cb3a3f9255424) E:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/01 20:23:52.0546 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) E:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/01 20:23:52.0671 QV2KUX (0087f01d35a65b32393cc8bba46ee4a6) E:\WINDOWS\system32\DRIVERS\qv2kux.sys
2011/01/01 20:23:52.0703 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) E:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/01 20:23:52.0734 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) E:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/01 20:23:52.0750 RasPppoe (5bc962f2654137c9909c3d4603587dee) E:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/01 20:23:52.0765 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) E:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/01 20:23:52.0781 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) E:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/01 20:23:52.0796 RDPCDD (4912d5b403614ce99c28420f75353332) E:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/01 20:23:52.0828 rdpdr (15cabd0f7c00c47c70124907916af3f1) E:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/01/01 20:23:52.0859 RDPWD (6728e45b66f93c08f11de2e316fc70dd) E:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/01 20:23:52.0890 redbook (f828dd7e1419b6653894a8f97a0094c5) E:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/01 20:23:52.0953 s116bus (815445f4676cc96bc9aeec303c727e19) E:\WINDOWS\system32\DRIVERS\s116bus.sys
2011/01/01 20:23:52.0984 s116mdfl (333d1e0743e6de1779c3c418ac601c3a) E:\WINDOWS\system32\DRIVERS\s116mdfl.sys
2011/01/01 20:23:53.0015 s116mdm (50d6e5b021e9ec7553ab8a3553cc1b6b) E:\WINDOWS\system32\DRIVERS\s116mdm.sys
2011/01/01 20:23:53.0031 s116mgmt (1589aa53e43f8d193a7d4d580d3ffa95) E:\WINDOWS\system32\DRIVERS\s116mgmt.sys
2011/01/01 20:23:53.0046 s116obex (ec32601f04a5a5de89315d0f55e73d66) E:\WINDOWS\system32\DRIVERS\s116obex.sys
2011/01/01 20:23:53.0109 SANDRA (230fd3749904ca045ea5ec0aa14006e9) E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010.SP2\WNt500x86\Sandra.sys
2011/01/01 20:23:53.0234 Secdrv (90a3935d05b494a5a39d37e71f09a677) E:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/01 20:23:53.0265 serenum (0f29512ccd6bead730039fb4bd2c85ce) E:\WINDOWS\system32\DRIVERS\serenum.sys
2011/01/01 20:23:53.0281 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) E:\WINDOWS\system32\DRIVERS\serial.sys
2011/01/01 20:23:53.0328 sfdrv01 (9e7dee11fd5a4355941a45f13c0ed59a) E:\WINDOWS\system32\drivers\sfdrv01.sys
2011/01/01 20:23:53.0359 sfdrv01a (4d0ce0fadca29e7da68ce597ac9010bd) E:\WINDOWS\system32\drivers\sfdrv01a.sys
2011/01/01 20:23:53.0375 sfhlp02 (daad4c099ebf5094d32c373ac1ac0f3c) E:\WINDOWS\system32\drivers\sfhlp02.sys
2011/01/01 20:23:53.0390 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) E:\WINDOWS\system32\drivers\Sfloppy.sys
2011/01/01 20:23:53.0406 sfsync04 (c526ad307ff1900bc4c864f74553f762) E:\WINDOWS\system32\drivers\sfsync04.sys
2011/01/01 20:23:53.0421 sfvfs02 (5dc0d3978b2c98f370bd8a5c9fd86092) E:\WINDOWS\system32\drivers\sfvfs02.sys
2011/01/01 20:23:53.0515 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) E:\WINDOWS\system32\drivers\splitter.sys
2011/01/01 20:23:53.0578 sptd (e8b705f9abe446aaf7a315ef8b4aea5a) E:\WINDOWS\System32\Drivers\sptd.sys
2011/01/01 20:23:53.0609 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) E:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/01 20:23:53.0640 Srv (0f6aefad3641a657e18081f52d0c15af) E:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/01 20:23:53.0718 sscdbus (d6870895fe46a464a19141440eb6cc1e) E:\WINDOWS\system32\DRIVERS\sscdbus.sys
2011/01/01 20:23:53.0750 sscdmdfl (0fe167362e4689b716cdc8d93adedda8) E:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
2011/01/01 20:23:53.0781 sscdmdm (55a15707e32b6709242ad127e62ca55a) E:\WINDOWS\system32\DRIVERS\sscdmdm.sys
2011/01/01 20:23:53.0812 swenum (3941d127aef12e93addf6fe6ee027e0f) E:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/01 20:23:53.0843 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) E:\WINDOWS\system32\drivers\swmidi.sys
2011/01/01 20:23:53.0921 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) E:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/01 20:23:53.0968 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) E:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/01 20:23:54.0000 TDPIPE (6471a66807f5e104e4885f5b67349397) E:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/01 20:23:54.0015 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) E:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/01 20:23:54.0046 TermDD (88155247177638048422893737429d9e) E:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/01 20:23:54.0093 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) E:\WINDOWS\system32\drivers\Udfs.sys
2011/01/01 20:23:54.0140 Update (402ddc88356b1bac0ee3dd1580c76a31) E:\WINDOWS\system32\DRIVERS\update.sys
2011/01/01 20:23:54.0187 USBAAPL (1df89c499bf45d878b87ebd4421d462d) E:\WINDOWS\system32\Drivers\usbaapl.sys
2011/01/01 20:23:54.0203 usbccgp (173f317ce0db8e21322e71b7e60a27e8) E:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/01/01 20:23:54.0218 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) E:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/01/01 20:23:54.0250 usbhub (1ab3cdde553b6e064d2e754efe20285c) E:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/01 20:23:54.0265 usbprint (a717c8721046828520c9edf31288fc00) E:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/01/01 20:23:54.0296 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) E:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/01/01 20:23:54.0312 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) E:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/01 20:23:54.0328 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) E:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/01/01 20:23:54.0359 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) E:\WINDOWS\System32\drivers\vga.sys
2011/01/01 20:23:54.0390 VolSnap (4c8fcb5cc53aab716d810740fe59d025) E:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/01 20:23:54.0437 Wanarp (e20b95baedb550f32dd489265c1da1f6) E:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/01 20:23:54.0468 wdmaud (6768acf64b18196494413695f0c3a00f) E:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/01 20:23:54.0593 WpdUsb (cf4def1bf66f06964dc0d91844239104) E:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/01/01 20:23:54.0656 WudfPf (f15feafffbb3644ccc80c5da584e6311) E:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/01/01 20:23:54.0671 WudfRd (28b524262bce6de1f7ef9f510ba3985b) E:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/01/01 20:23:54.0734 yukonwxp (4322c32ced8c4772e039616dcbf01d3f) E:\WINDOWS\system32\DRIVERS\yk51x86.sys
2011/01/01 20:23:54.0937 ================================================================================
2011/01/01 20:23:54.0937 Scan finished
2011/01/01 20:23:54.0937 ================================================================================
2011/01/01 20:30:08.0500 Deinitialize success

Thanks again,
Circusfrog.
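A TDSSKiller driver listing like the one above is normally read by eye. As an added example (it is not part of the original post and is not TDSSKiller's own code), the Python below parses lines in that format, compares each driver's MD5 against a baseline taken from a known-clean machine, and flags drivers loaded from outside the directories a kernel driver normally lives in. The baseline dictionary and the `fakedrv` line are constructed for illustration; the other three sample lines are copied from the log above, and nothing here says whether those drivers are clean.

```python
"""Triage TDSSKiller driver lines: hash against a baseline, check load path.
Added example; not TDSSKiller's code."""
import re
from dataclasses import dataclass

# One TDSSKiller driver line: timestamp, service name, (MD5), image path.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<name>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+?)\s*$"
)

# Directories a kernel driver is normally loaded from on XP, drive letter
# stripped. A driver under a user profile or a Temp directory is not normal.
EXPECTED_DIRS = ("\\windows\\system32\\", "\\program files\\")


@dataclass
class Driver:
    name: str
    md5: str
    path: str


def parse_tdss_log(text: str) -> list:
    """Keep only lines that look like driver entries; separator lines and
    'Scan finished' do not match the pattern and are skipped."""
    drivers = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            drivers.append(Driver(m["name"], m["md5"].lower(), m["path"]))
    return drivers


def _strip_drive(path: str) -> str:
    low = path.lower()
    return low[2:] if len(low) > 2 and low[1] == ":" else low


def triage(drivers: list, baseline: dict) -> list:
    """Return (driver name, reason) pairs that deserve a human's attention."""
    findings = []
    for d in drivers:
        if not _strip_drive(d.path).startswith(EXPECTED_DIRS):
            findings.append((d.name, f"unusual load path: {d.path}"))
        expected = baseline.get(d.name.lower())
        if expected is None:
            findings.append((d.name, "not in baseline; verify the publisher"))
        elif expected.lower() != d.md5:
            findings.append((d.name, f"hash differs from baseline: {d.md5} != {expected}"))
    return findings


# Sample input: three lines copied from the log above plus one constructed
# line (fakedrv) for a driver sitting in a user's Temp directory.
SAMPLE_LOG = r"""
2011/01/01 20:23:50.0687 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) E:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/01 20:23:51.0234 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) E:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/01 20:23:53.0109 SANDRA (230fd3749904ca045ea5ec0aa14006e9) E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010.SP2\WNt500x86\Sandra.sys
2011/01/01 20:23:53.0600 fakedrv (00112233445566778899aabbccddeeff) E:\Documents and Settings\Howard\Local Settings\Temp\fakedrv.sys
2011/01/01 20:23:54.0937 ================================================================================
2011/01/01 20:23:54.0937 Scan finished
"""

# Constructed baseline. A real one comes from running the same tool on a
# known-clean install of the same Windows version and service pack.
BASELINE = {
    "mouclass": "35c9e97194c8cfb8430125f8dbc34d04",  # agrees with the sample line
    "ntfs": "ffffffffffffffffffffffffffffffff",      # deliberately wrong, to show a mismatch
}

if __name__ == "__main__":
    for name, reason in triage(parse_tdss_log(SAMPLE_LOG), BASELINE):
        print(f"{name:10} {reason}")
```

Running it lists Ntfs (hash mismatch), SANDRA (third-party driver absent from the baseline) and fakedrv twice (odd path and absent from the baseline); Mouclass produces nothing. The "not in baseline" finding is noisy by design: on a real machine it enumerates every third-party driver, which is exactly the list a helper wants to walk through.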

#7 Shannon2012

Posted 02 January 2011 - 10:03 AM

Hi-

You are right, TDSSKiller did not find an infection. For the ComboFix log, see if it is at e:\ComboFix.txt. If you find it, please copy the contents into your reply.

Please download MBRCheck by clicking here and save it to your desktop.
  • Be sure to disable your security programs.
  • Double click on the file to run it.
  • A window will open on your desktop.
  • If an unknown bootcode is found you will have further options available to you; at this time press N and then press Enter twice.
  • If nothing unusual is found just press Enter.
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
  • Please post the contents of that file in your next reply.

In your reply, please let me know how the computer is doing. Are you getting anymore redirects? Please copy in the ComboFix log (if you find it) and the MBRCheck log.

Thanks,
Shannon

#8 circusfrog (Topic Starter)

Posted 02 January 2011 - 12:25 PM

Hi Shannon,

I have not been using the infected PC since the problems began - except to run the various reports. I have been using a clean computer to download the required executables. I have checked for the redirects just now and they are still occurring.

One point to note is that there is no hosts file on the infected PC.

Below is the MBRCheck report:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000007d

Kernel Drivers (total 142):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xB85A8000 \WINDOWS\system32\KDCOM.DLL
0xB84B8000 \WINDOWS\system32\BOOTVID.dll
0xB7F79000 ACPI.sys
0xB85AA000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xB7F68000 pci.sys
0xB80A8000 ohci1394.sys
0xB80B8000 \WINDOWS\System32\DRIVERS\1394BUS.SYS
0xB80C8000 isapnp.sys
0xB7F55000 sfsync04.sys
0xB8670000 pciide.sys
0xB8328000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xB7F37000 pcmcia.sys
0xB80D8000 MountMgr.sys
0xB7F18000 ftdisk.sys
0xB85AC000 dmload.sys
0xB7EF2000 dmio.sys
0xB8330000 PartMgr.sys
0xB80E8000 VolSnap.sys
0xB7EDA000 atapi.sys
0xB7E23000 iaStor.sys
0xB80F8000 disk.sys
0xB8108000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xB7E03000 fltmgr.sys
0xB7DF1000 sr.sys
0xB7DDA000 KSecDD.sys
0xB7DC7000 WudfPf.sys
0xB7DA9000 FirePM.sys
0xB7D1C000 Ntfs.sys
0xB7CEF000 NDIS.sys
0xB7CD8000 sfvfs02.sys
0xB8338000 sfhlp02.sys
0xB7CC4000 sfdrv01a.sys
0xB7CB2000 sfdrv01.sys
0xB7C98000 Mup.sys
0xB8138000 \SystemRoot\System32\DRIVERS\nic1394.sys
0xB731F000 \SystemRoot\System32\DRIVERS\intelppm.sys
0xB5892000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB587E000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB8440000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xB585A000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xB8448000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB5832000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB57EC000 \SystemRoot\system32\DRIVERS\yk51x86.sys
0xB730F000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB72FF000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xB72EF000 \SystemRoot\System32\DRIVERS\redbook.sys
0xB57C9000 \SystemRoot\System32\DRIVERS\ks.sys
0xB8450000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xB8458000 \SystemRoot\System32\DRIVERS\fdc.sys
0xB8288000 \SystemRoot\System32\DRIVERS\serial.sys
0xB8594000 \SystemRoot\System32\DRIVERS\serenum.sys
0xB57B5000 \SystemRoot\System32\DRIVERS\parport.sys
0xB872C000 \SystemRoot\System32\DRIVERS\audstub.sys
0xB8298000 \SystemRoot\system32\DRIVERS\firehk.sys
0xB82A8000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xB859C000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xB579E000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xB633F000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xB632F000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xB8460000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xB578D000 \SystemRoot\System32\DRIVERS\psched.sys
0xB631F000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xB8468000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xB8470000 \SystemRoot\System32\DRIVERS\raspti.sys
0xB575D000 \SystemRoot\System32\DRIVERS\rdpdr.sys
0xB630F000 \SystemRoot\System32\DRIVERS\termdd.sys
0xB8478000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xB8480000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xB8608000 \SystemRoot\System32\DRIVERS\swenum.sys
0xB56FF000 \SystemRoot\System32\DRIVERS\update.sys
0xB7C68000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xB8158000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB8178000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xB8632000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xB1895000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xB1871000 \SystemRoot\system32\drivers\portcls.sys
0xB8188000 \SystemRoot\system32\drivers\drmk.sys
0xB8420000 \SystemRoot\System32\DRIVERS\flpydisk.sys
0xB8654000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB871E000 \SystemRoot\System32\Drivers\Null.SYS
0xB8656000 \SystemRoot\System32\Drivers\Beep.SYS
0xB8430000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB8438000 \SystemRoot\System32\drivers\vga.sys
0xB8658000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xB865A000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB29F7000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB29EF000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB2C8F000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xAF72A000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xAF6D1000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xAF6AF000 \??\E:\WINDOWS\system32\Drivers\FireTDI.sys
0xAF661000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xB0DBB000 \SystemRoot\system32\drivers\mfetdik.sys
0xB0DAB000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xAF639000 \SystemRoot\System32\DRIVERS\netbt.sys
0xB0D9B000 \SystemRoot\System32\DRIVERS\arp1394.sys
0xAF617000 \SystemRoot\System32\drivers\afd.sys
0xB0D8B000 \SystemRoot\System32\DRIVERS\netbios.sys
0xAF5EC000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xAF57C000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xB29E7000 \??\E:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys
0xAF54C000 \SystemRoot\system32\drivers\mfehidk.sys
0xB03E9000 \SystemRoot\System32\Drivers\Fips.SYS
0xB26D0000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB03D9000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xB1865000 \SystemRoot\System32\DRIVERS\mouhid.sys
0xB29BF000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB185D000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xAA200000 \SystemRoot\System32\Drivers\Udfs.SYS
0xAA149000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xAB192000 \SystemRoot\System32\drivers\Dxapi.sys
0xAAF09000 \SystemRoot\System32\watchdog.sys
0xBD000000 \SystemRoot\System32\drivers\dxg.sys
0xB869B000 \SystemRoot\System32\drivers\dxgthk.sys
0xBD012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA9DEB000 \SystemRoot\system32\DRIVERS\nwlnkipx.sys
0xB8168000 \SystemRoot\system32\DRIVERS\nwlnknb.sys
0xB8584000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xA9D96000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xB85F8000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xA9C9E000 \SystemRoot\System32\DRIVERS\srv.sys
0xB0DFB000 \SystemRoot\system32\DRIVERS\nwlnkspx.sys
0xB83A0000 \??\E:\WINDOWS\system32\drivers\firelm01.sys
0xA9A81000 \SystemRoot\system32\drivers\wdmaud.sys
0xA9B76000 \SystemRoot\system32\drivers\sysaudio.sys
0xAF97D000 \SystemRoot\System32\DRIVERS\secdrv.sys
0xAB098000 \SystemRoot\system32\drivers\mfebopk.sys
0xA91AC000 \SystemRoot\system32\drivers\mfeapfk.sys
0xA9071000 \SystemRoot\system32\drivers\mfeavfk.sys
0xB00FE000 \SystemRoot\system32\drivers\HIPPSK.sys
0xA862A000 \SystemRoot\system32\drivers\HIPK.sys
0xAAEE1000 \SystemRoot\system32\drivers\HIPQK.sys
0xA8546000 \SystemRoot\System32\Drivers\HTTP.sys
0xA9B36000 \??\E:\WINDOWS\system32\FsUsbExDisk.SYS
0xB00BE000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xA847B000 \SystemRoot\system32\drivers\kmixer.sys
0xA8435000 \SystemRoot\System32\Drivers\Fastfat.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 46):
0 System Idle Process
4 SYSTEM
988 E:\WINDOWS\system32\smss.exe
1040 csrss.exe
1064 E:\WINDOWS\system32\winlogon.exe
1108 E:\WINDOWS\system32\services.exe
1128 E:\WINDOWS\system32\lsass.exe
1300 E:\WINDOWS\system32\nvsvc32.exe
1324 E:\WINDOWS\system32\svchost.exe
1388 svchost.exe
1448 E:\WINDOWS\system32\svchost.exe
1484 E:\WINDOWS\system32\svchost.exe
1564 svchost.exe
1756 svchost.exe
1844 E:\WINDOWS\system32\spoolsv.exe
2024 svchost.exe
172 E:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
224 E:\WINDOWS\system32\bgsvcgen.exe
268 E:\Program Files\Bonjour\mDNSResponder.exe
292 E:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
348 E:\FileTransfer\wrapper.exe
372 E:\WINDOWS\system32\FsUsbExService.Exe
432 E:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
496 E:\Program Files\McAfee\Common Framework\FrameworkService.exe
576 E:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
860 naPrdMgr.exe
932 E:\WINDOWS\system32\java.exe
944 E:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
1232 E:\WINDOWS\system32\svchost.exe
1928 E:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
2356 E:\WINDOWS\explorer.exe
2436 E:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
2472 E:\Program Files\CyberLink\PowerCinema\PCMService.exe
2484 E:\WINDOWS\RTHDCPL.exe
2508 E:\Program Files\McAfee\Common Framework\UdaterUI.exe
2520 E:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
2660 E:\Program Files\McAfee\Common Framework\Mctray.exe
2732 E:\WINDOWS\system32\rundll32.exe
2808 E:\Program Files\iTunes\iTunesHelper.exe
2820 E:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
2936 E:\WINDOWS\system32\ctfmon.exe
3264 E:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
3728 E:\WINDOWS\system32\wscntfy.exe
3932 E:\Program Files\iPod\bin\iPodService.exe
4032 alg.exe
3068 E:\Documents and Settings\Howard\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x0000001f`bd297800 (NTFS)
\\.\G: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: P
PhysicalDrive1 Model Number: SAMSUNGHD501LJ, Rev: CR100-13

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
465 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

Thanks,
Circusfrog.
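MBRCheck's report above comes down to three facts per disk: whether the boot-sector signature is present, whether the boot code hashes to something known, and where each volume starts on the physical drive. As an added example (not MBRCheck's code and not from the original post), the Python below decodes a 512-byte MBR and produces the same facts, plus the size of the unpartitioned gap before the first partition, which is where a bootkit has room to store itself. It hashes the first 440 bytes, which is an assumption about what MBRCheck hashes. The sample sector is constructed: filler boot code (not the real Windows XP code, so its hash is not comparable to the SHA1 in the log) with a partition layout matching the two volume offsets the log shows, 0x7E00 and 0x1FBD297800.

```python
"""Decode one MBR sector the way an MBR-checking tool reports it.
Added example; not MBRCheck's code."""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440          # assumption: hash bytes 0..439, before the disk signature
PART_TABLE_OFF = 446
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count
NTFS = 0x07


def parse_mbr(mbr: bytes) -> dict:
    """Decode one sector and return the facts a reviewer needs."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    signature_ok = mbr[510:512] == b"\x55\xaa"
    bootcode_sha1 = hashlib.sha1(mbr[:BOOTCODE_LEN]).hexdigest().upper()
    disk_signature = struct.unpack("<I", mbr[440:444])[0]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs0, ptype, _chs1, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue                                  # unused slot
        partitions.append({
            "slot": i,
            "active": status == 0x80,
            "valid_status": status in (0x00, 0x80),   # anything else is a malformed entry
            "type": ptype,
            "lba": lba,
            "sectors": count,
            "offset": lba * SECTOR,                   # the per-volume number MBRCheck prints
        })
    # Sectors between the MBR and the first partition are unallocated; a
    # bootkit can live there, so the size of that gap is worth reporting.
    gap = min((p["lba"] for p in partitions), default=1) - 1
    return {
        "signature_ok": signature_ok,
        "bootcode_sha1": bootcode_sha1,
        "disk_signature": disk_signature,
        "partitions": partitions,
        "gap_sectors": gap,
    }


def classify_bootcode(sha1: str, known_good: set) -> str:
    """'known' if the boot-code hash is on the allow-list, else 'unknown'."""
    return "known" if sha1.upper() in {h.upper() for h in known_good} else "unknown"


def build_sample_mbr() -> bytes:
    """Constructed sample: two NTFS partitions laid out like the XP disk in
    the MBRCheck log (volumes at 0x7E00 and 0x1FBD297800). The boot code is
    filler, NOT the real Windows XP code."""
    bootcode = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb".ljust(BOOTCODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0xA1B2C3D4) + b"\x00\x00"
    p1 = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", NTFS, b"\xfe\xff\xff", 63, 266_245_245)
    p2 = struct.pack(ENTRY_FMT, 0x00, b"\xfe\xff\xff", NTFS, b"\xfe\xff\xff", 266_245_308, 220_293_956)
    empty = b"\x00" * 16
    mbr = bootcode + disk_sig + p1 + p2 + empty + empty + b"\x55\xaa"
    assert len(mbr) == SECTOR
    return mbr


def report(mbr: bytes, known_good: set) -> list:
    """Human-readable lines in the spirit of MBRCheck's output."""
    info = parse_mbr(mbr)
    verdict = classify_bootcode(info["bootcode_sha1"], known_good)
    lines = [
        f"signature: {'ok' if info['signature_ok'] else 'MISSING'}",
        f"boot code SHA1: {info['bootcode_sha1']} ({verdict})",
        f"unpartitioned gap before first partition: {info['gap_sectors']} sectors",
    ]
    for p in info["partitions"]:
        flag = " (active)" if p["active"] else ""
        lines.append(f"partition {p['slot']}: type 0x{p['type']:02x} at offset 0x{p['offset']:012x}{flag}")
    return lines


if __name__ == "__main__":
    sample = build_sample_mbr()
    clean_hash = parse_mbr(sample)["bootcode_sha1"]   # stand-in for a clean-machine hash
    print("\n".join(report(sample, {clean_hash})))
    # On a live Windows system the sector comes from
    # open(r"\\.\PhysicalDrive0", "rb").read(512), run as an administrator.
```

The allow-list is the important part: a hash by itself tells you nothing, and MBRCheck's "Windows XP MBR code detected" is precisely a match against hashes of known boot code. An "unknown" result means read the boot code, not that the disk is infected.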

#9 Shannon2012

Posted 03 January 2011 - 09:05 AM

Hi-

Let's try ComboFix again. Delete the ComboFix.exe that you downloaded and we will download a fresh copy.

Before we download ComboFix, if you are transferring stuff between a well computer and a sick computer, you need to run Flash_Disinfector. Flash_Disinfector is a specialized fix tool created by sUBs to remove infections that load an autorun.inf file on removable media. Flash_Disinfector will create a hidden "dummy" autorun folder/file with special permissions in each partition and every external drive that was connected when the tool was run. This folder helps to keep the malicious autorun.inf file from being installed on the root drive and running other malicious files which will infect the computer.
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Next, download Combofix from either of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: how-to-use-combofix

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable your Anti-virus


Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please copy the "C:\ComboFix.txt" into your reply.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


In your reply, please copy in the ComboFix report and let me know how the computer is doing.
Shannon
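The vaccine described in the post works because a file and a directory cannot share a name: once a directory called autorun.inf sits in a drive root, a dropper cannot create the autorun.inf file that Windows would honour. As an added example (not Flash_Disinfector's code and not from the original post), the Python below does two related things: it assesses what an autorun.inf would make Windows launch, tolerating the junk lines such files often carry, and it reports or applies the directory vaccine on a drive root. Both autorun.inf samples are constructed. The hidden attribute and special permissions that Flash_Disinfector sets are Windows-specific and are left out; vaccinate() only creates the directory.

```python
"""autorun.inf assessment and the directory vaccine.
Added example; not Flash_Disinfector's code."""
import pathlib
import tempfile

# Directives that make something execute when the drive is inserted or
# opened. icon=, label= and action= are cosmetic, but they are what malware
# uses to make the AutoPlay entry look like Explorer's own "open folder".
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> dict:
    """Tolerant parse of the [autorun] section. Junk lines and odd casing
    are ignored rather than rejected, because Windows ignores them too."""
    directives = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip()
    return directives


def assess_autorun(text: str) -> dict:
    """What would run, whether the entry is disguised, and an overall risk."""
    d = parse_autorun(text)
    launches = []
    for key, value in d.items():
        # open=, shellexecute= and any shell\<verb>\command= run a program
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            launches.append(value)
    disguise = ("folder" in d.get("action", "").lower()
                or "shell32.dll" in d.get("icon", "").lower())
    risk = "high" if launches else ("low" if disguise else "none")
    return {"launches": launches, "disguise": disguise, "risk": risk}


def vaccine_state(drive_root) -> str:
    target = pathlib.Path(drive_root) / "autorun.inf"
    if target.is_dir():
        return "vaccinated"            # the name is taken; a dropper cannot create the file
    if target.is_file():
        return "autorun.inf present"   # inspect it with assess_autorun() before touching it
    return "unprotected"


def vaccinate(drive_root) -> bool:
    """Create the placeholder directory. Returns True only if it created it;
    an existing file is left alone so that evidence is not destroyed."""
    target = pathlib.Path(drive_root) / "autorun.inf"
    if target.exists():
        return False
    target.mkdir()
    return True


# Constructed samples, not files recovered from the poster's machine.
SAMPLE_MALICIOUS = r"""
[autorun]
;kx7 junk line that a strict INI parser may choke on
open=RECYCLER\setup.exe
shell\open\command=RECYCLER\setup.exe
shell\explore\command=RECYCLER\setup.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
"""
SAMPLE_BENIGN = r"""
[AutoRun]
icon=photos.ico
label=Holiday photos
"""


def demo() -> dict:
    """Run both checks against constructed input in a temporary directory."""
    root = tempfile.mkdtemp()
    before = vaccine_state(root)
    created = vaccinate(root)
    return {
        "before": before, "created": created,
        "after": vaccine_state(root), "again": vaccinate(root),
        "malicious": assess_autorun(SAMPLE_MALICIOUS),
        "benign": assess_autorun(SAMPLE_BENIGN),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note the order of checks in vaccine_state(): a root that already holds an autorun.inf file is reported, not overwritten, since the file is both the thing you want to read and the thing you want gone. Holding Shift while inserting the drive, as the post says, keeps AutoPlay from acting on it in the meantime.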

#10 circusfrog (Topic Starter)

Posted 03 January 2011 - 03:37 PM

Hi Shannon,

I downloaded and ran flash_disinfector as instructed.

I then downloaded the latest version of ComboFix and copied it to the infected machine.

When I ran ComboFix I had the same results as before - the program ran through its stages and after stage 50 was completed, the PC Blue Screened and rebooted.
I can find no report created by ComboFix.

I noticed that the last message in the ComboFix screen was 'Deleting Files:'. It appeared immediately after 'Completed Stage_50' and only very briefly.


Circusfrog.

#11 Shannon2012

Posted 04 January 2011 - 07:32 AM

Hi-

Sorry to hear that ComboFix would not finish. Let's try it one more time but this time we will run it in Safe Mode.

Boot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.
Please see here for additional details.

Run ComboFix
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable your Anti-virus


Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please copy the "C:\ComboFix.txt" into your reply.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


In your reply, copy in the combofix log.

Thanks,
Shannon

#12 circusfrog (Topic Starter)

Posted 04 January 2011 - 08:54 AM

Hi Shannon,

ComboFix ran OK in safe mode. I have pasted the report log below:


ComboFix 11-01-02.04 - Howard 04/01/2011 13:19:15.10.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1784 [GMT 0:00]
Running from: e:\documents and settings\Howard\Desktop\ComboFix.exe
FW: McAfee Host Intrusion Prevention Firewall *Disabled* {2F1275E3-2F4F-43E9-944B-3F63F9BDA5F5}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\documents and settings\All Users\Application Data\f7e9c7
e:\documents and settings\All Users\Application Data\f7e9c7\34.mof
e:\documents and settings\All Users\Application Data\f7e9c7\b41d1037981b33994c3e93c4ec9dfadd.ocx
e:\documents and settings\All Users\Application Data\f7e9c7\BackUp\Billminder.lnk
e:\documents and settings\All Users\Application Data\f7e9c7\BackUp\Microsoft Office.lnk
e:\documents and settings\All Users\Application Data\f7e9c7\BackUp\PHOTOfunSTUDIO 5.0 HD Edition.lnk
e:\documents and settings\All Users\Application Data\f7e9c7\gm9q01u8z6af1u8hvvv5e7tm9hglr45e7tm9q01u8z6ak.dll
e:\documents and settings\All Users\Application Data\f7e9c7\IAV.ico
e:\documents and settings\Howard\Application Data\alot
e:\documents and settings\Jen\Application Data\alot
e:\documents and settings\Jen\Application Data\alot\BrowserSearch\BrowserSearch.xml
e:\documents and settings\Jen\Application Data\alot\BrowserSearch\BrowserSearch.xml.backup
e:\documents and settings\Jen\Application Data\alot\Button_0\Button_0.xml
e:\documents and settings\Jen\Application Data\alot\Button_0\Button_0.xml.backup
e:\documents and settings\Jen\Application Data\alot\Button_1\Button_1.xml
e:\documents and settings\Jen\Application Data\alot\Button_1\Button_1.xml.backup
e:\documents and settings\Jen\Application Data\alot\Button_2\Button_2.xml
e:\documents and settings\Jen\Application Data\alot\Button_2\Button_2.xml.backup
e:\documents and settings\Jen\Application Data\alot\Button_3\Button_3.xml
e:\documents and settings\Jen\Application Data\alot\Button_3\Button_3.xml.backup
e:\documents and settings\Jen\Application Data\alot\Button_4\Button_4.xml
e:\documents and settings\Jen\Application Data\alot\Button_4\Button_4.xml.backup
e:\documents and settings\Jen\Application Data\alot\Button_5\Button_5.xml
e:\documents and settings\Jen\Application Data\alot\Button_5\Button_5.xml.backup
e:\documents and settings\Jen\Application Data\alot\Button_6\Button_6.xml
e:\documents and settings\Jen\Application Data\alot\Button_6\Button_6.xml.backup
e:\documents and settings\Jen\Application Data\alot\Button_7\Button_7.xml
e:\documents and settings\Jen\Application Data\alot\Button_7\Button_7.xml.backup
e:\documents and settings\Jen\Application Data\alot\Button_8\Button_8.xml
e:\documents and settings\Jen\Application Data\alot\Button_8\Button_8.xml.backup
e:\documents and settings\Jen\Application Data\alot\Button_9\Button_9.xml
e:\documents and settings\Jen\Application Data\alot\Button_9\Button_9.xml.backup
e:\documents and settings\Jen\Application Data\alot\configurator\configurator.xml
e:\documents and settings\Jen\Application Data\alot\configurator\configurator.xml.backup
e:\documents and settings\Jen\Application Data\alot\contextMenu\contextMenu.xml
e:\documents and settings\Jen\Application Data\alot\contextMenu\contextMenu.xml.backup
e:\documents and settings\Jen\Application Data\alot\ErrorSearch\ErrorSearch.xml
e:\documents and settings\Jen\Application Data\alot\ErrorSearch\ErrorSearch.xml.backup
e:\documents and settings\Jen\Application Data\alot\postInstallLayout\postInstallLayout.xml
e:\documents and settings\Jen\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup
e:\documents and settings\Jen\Application Data\alot\products\products.xml
e:\documents and settings\Jen\Application Data\alot\products\products.xml.backup
e:\documents and settings\Jen\Application Data\alot\Resources\BrowserSearch\alot_search_defend.html
e:\documents and settings\Jen\Application Data\alot\Resources\BrowserSearch\images\favicon.ico
e:\documents and settings\Jen\Application Data\alot\Resources\Button_0\images\alot_logo_button.bmp
e:\documents and settings\Jen\Application Data\alot\Resources\Button_0\images\alot_logo_button.png
e:\documents and settings\Jen\Application Data\alot\Resources\Button_1\images\alot_search_button.bmp
e:\documents and settings\Jen\Application Data\alot\Resources\Button_1\images\alot_search_button.png
e:\documents and settings\Jen\Application Data\alot\Resources\Button_2\images\default_1227_alot_quo_search.bmp
e:\documents and settings\Jen\Application Data\alot\Resources\Button_2\images\default_1227_alot_quo_search.png
e:\documents and settings\Jen\Application Data\alot\Resources\Button_3\images\default_1229_alot_quo_quotes.bmp
e:\documents and settings\Jen\Application Data\alot\Resources\Button_3\images\default_1229_alot_quo_quotes.png
e:\documents and settings\Jen\Application Data\alot\Resources\Button_4\images\default_1231_alot_quo_quoteday.bmp
e:\documents and settings\Jen\Application Data\alot\Resources\Button_4\images\default_1231_alot_quo_quoteday.png
e:\documents and settings\Jen\Application Data\alot\Resources\Button_5\images\clear.png
e:\documents and settings\Jen\Application Data\alot\Resources\Button_5\images\cloudy.png
e:\documents and settings\Jen\Application Data\alot\Resources\Button_5\images\default_1007_alot_weather_widget.bmp
e:\documents and settings\Jen\Application Data\alot\Resources\Button_5\images\default_1007_alot_weather_widget.png
e:\documents and settings\Jen\Application Data\alot\Resources\Button_5\images\foggy.png
e:\documents and settings\Jen\Application Data\alot\Resources\Button_5\images\nclear.png
e:\documents and settings\Jen\Application Data\alot\Resources\Button_5\images\nmcloud.png
e:\documents and settings\Jen\Application Data\alot\Resources\Button_5\images\nsnow.png
e:\documents and settings\Jen\Application Data\alot\Resources\Button_5\images\pcloud.png
e:\documents and settings\Jen\Application Data\alot\Resources\Button_5\images\rain.png
e:\documents and settings\Jen\Application Data\alot\Resources\Button_6\images\2467_icon.bmp
e:\documents and settings\Jen\Application Data\alot\Resources\Button_6\images\2467_icon.png
e:\documents and settings\Jen\Application Data\alot\Resources\Button_7\images\1662_icon.bmp
e:\documents and settings\Jen\Application Data\alot\Resources\Button_7\images\1662_icon.png
e:\documents and settings\Jen\Application Data\alot\Resources\Button_7\images\default_1661_alot_ref_onlineeducation.bmp
e:\documents and settings\Jen\Application Data\alot\Resources\Button_7\images\default_1661_alot_ref_onlineeducation.png
e:\documents and settings\Jen\Application Data\alot\Resources\Button_8\images\2112_icon.bmp
e:\documents and settings\Jen\Application Data\alot\Resources\Button_8\images\2112_icon.png
e:\documents and settings\Jen\Application Data\alot\Resources\Button_8\images\default_2112_alot_quo_quotes.bmp
e:\documents and settings\Jen\Application Data\alot\Resources\Button_8\images\default_2112_alot_quo_quotes.png
e:\documents and settings\Jen\Application Data\alot\Resources\Button_9\images\default_1795_default_1795_alot_configure.bmp
e:\documents and settings\Jen\Application Data\alot\Resources\Button_9\images\default_1795_default_1795_alot_configure.png
e:\documents and settings\Jen\Application Data\alot\Resources\contextMenu\images\alot_icon.bmp
e:\documents and settings\Jen\Application Data\alot\Resources\contextMenu\images\alot_icon.png
e:\documents and settings\Jen\Application Data\alot\Resources\contextMenu\images\alot_logo_button.bmp
e:\documents and settings\Jen\Application Data\alot\Resources\contextMenu\images\alot_logo_button.png
e:\documents and settings\Jen\Application Data\alot\Resources\Shared\domains.dat
e:\documents and settings\Jen\Application Data\alot\Resources\Shared\images\alot_brand.png
e:\documents and settings\Jen\Application Data\alot\Resources\Shared\images\alot_splitter.png
e:\documents and settings\Jen\Application Data\alot\Resources\Shared\images\discover.png
e:\documents and settings\Jen\Application Data\alot\Resources\Shared\images\spinner.bmp
e:\documents and settings\Jen\Application Data\alot\Resources\Shared\images\widget_bottom.bmp
e:\documents and settings\Jen\Application Data\alot\Resources\Shared\images\widget_btnclose0.bmp
e:\documents and settings\Jen\Application Data\alot\Resources\Shared\images\widget_btnclose1.bmp
e:\documents and settings\Jen\Application Data\alot\Resources\Shared\images\widget_btnconfig0.bmp
e:\documents and settings\Jen\Application Data\alot\Resources\Shared\images\widget_btnconfig1.bmp
e:\documents and settings\Jen\Application Data\alot\Resources\Shared\images\widget_btnrefresh0.bmp
e:\documents and settings\Jen\Application Data\alot\Resources\Shared\images\widget_btnrefresh1.bmp
e:\documents and settings\Jen\Application Data\alot\Resources\Shared\images\widget_caption.bmp
e:\documents and settings\Jen\Application Data\alot\Resources\Shared\images\widget_error_bg.bmp
e:\documents and settings\Jen\Application Data\alot\Resources\Shared\images\widget_error_close.bmp
e:\documents and settings\Jen\Application Data\alot\Resources\Shared\images\widget_error_icon.bmp
e:\documents and settings\Jen\Application Data\alot\TimerManager\TimerManager.xml
e:\documents and settings\Jen\Application Data\alot\TimerManager\TimerManager.xml.backup
e:\documents and settings\Jen\Application Data\alot\toolbar.xml
e:\documents and settings\Jen\Application Data\alot\toolbar.xml.backup
e:\documents and settings\Jen\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml
e:\documents and settings\Jen\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml.backup
e:\documents and settings\Jen\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
e:\documents and settings\Jen\Application Data\alot\ToolbarSearch\ToolbarSearch.xml.backup
e:\documents and settings\Jen\Application Data\alot\Updater\Updater.xml
e:\documents and settings\Jen\Application Data\alot\Updater\Updater.xml.backup
e:\documents and settings\Ruth\Application Data\alot

.
((((((((((((((((((((((((( Files Created from 2010-12-04 to 2011-01-04 )))))))))))))))))))))))))))))))
.

2011-01-04 13:15 . 2011-01-04 13:16 -------- d-----w- e:\documents and settings\Administrator
2010-12-27 16:23 . 2010-12-27 16:23 -------- d-----w- e:\documents and settings\Howard\Application Data\Malwarebytes
2010-12-27 16:22 . 2010-12-27 16:22 -------- d-----w- e:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-27 16:22 . 2010-12-20 18:09 38224 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys
2010-12-27 16:22 . 2010-12-27 16:22 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2010-12-27 16:22 . 2010-12-20 18:08 20952 ----a-w- e:\windows\system32\drivers\mbam.sys
2010-12-19 01:17 . 2010-12-19 01:17 -------- d--h--w- e:\windows\system32\GroupPolicy
2010-12-18 23:06 . 2010-12-18 23:06 -------- d-sh--w- e:\documents and settings\All Users\Application Data\IAKTHAHV
2010-12-09 18:31 . 2010-12-09 18:31 -------- d-----w- E:\found.006

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2006-11-23 02:07 81920 ----a-w- e:\windows\system32\isign32.dll
2010-11-06 00:26 . 2001-08-23 12:00 916480 ----a-w- e:\windows\system32\wininet.dll
2010-11-06 00:26 . 2001-08-23 12:00 43520 ----a-w- e:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2001-08-23 12:00 1469440 ------w- e:\windows\system32\inetcpl.cpl
2010-11-04 00:42 . 2009-05-15 17:53 136512 ----a-w- e:\windows\system32\KevlarSigs.dll
2010-11-03 12:25 . 2006-11-24 20:29 385024 ----a-w- e:\windows\system32\html.iec
2010-11-02 15:17 . 2001-08-23 12:00 40960 ----a-w- e:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2001-08-23 12:00 290048 ----a-w- e:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2001-08-23 12:00 1853312 ----a-w- e:\windows\system32\win32k.sys
2010-10-07 12:23 . 2010-10-07 12:23 91424 ----a-w- e:\windows\system32\dnssd.dll
2010-10-07 12:23 . 2010-10-07 12:23 75040 ----a-w- e:\windows\system32\jdns_sd.dll
2010-10-07 12:23 . 2010-10-07 12:23 197920 ----a-w- e:\windows\system32\dnssdX.dll
2010-10-07 12:23 . 2010-10-07 12:23 107808 ----a-w- e:\windows\system32\dns-sd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomTomHOME.exe"="e:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-08-24 247144]
"Google Update"="e:\documents and settings\Howard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-20 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="e:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-05-11 151552]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"PCMService"="e:\program files\CyberLink\PowerCinema\PCMService.exe" [2004-11-03 81920]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-27 16208384]
"McAfeeUpdaterUI"="e:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"CanonMyPrinter"="e:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-26 1983816]
"CanonSolutionMenu"="e:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-17 767312]
"IJNetworkScanUtility"="e:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-05-19 136544]
"nwiz"="e:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-07 1753192]
"NvMediaCenter"="e:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="e:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"QuickTime Task"="e:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2010-11-17 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="e:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

e:\documents and settings\All Users\Start Menu\Programs\Startup\
Billminder.lnk - e:\quickenw\BILLMIND.EXE [2009-9-20 25600]
Microsoft Office.lnk - e:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
PHOTOfunSTUDIO 5.0 HD Edition.lnk - e:\program files\Common Files\Panasonic\PHOTOfunSTUDIO AutoStart\AutoStartupService.exe [2010-11-25 172544]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"e:\\WINDOWS\\system32\\sessmgr.exe"=
"e:\\Program Files\\CA\\eTrust Antivirus\\InoNmSrv.exe"=
"e:\\Program Files\\Midway Games\\Rise and Fall\\RiseAndFall.exe"=
"e:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2005.SR2a\\sandra.exe"=
"e:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2005.SR2a\\RpcSandraSrv.exe"=
"e:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2005.SR2a\\RpcDataSrv.exe"=
"e:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"e:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"e:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"e:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"e:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"e:\\Program Files\\Nectar Search Toolbar\\TroubleShooter.exe"=
"e:\\Program Files\\Nectar Search Toolbar\\ToolbarUpdate.exe"=
"e:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010.SP2\\RpcAgentSrv.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010.SP2\\WNt500x86\\RpcSandraSrv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);e:\windows\system32\drivers\sfdrv01a.sys [05/07/2006 12:46 63352]
S2 FileTransfer;AS2 Connector File Transfer;e:\filetransfer\wrapper.exe -s e:\filetransfer\service\wrapper.conf --> e:\filetransfer\wrapper.exe -s e:\filetransfer\service\wrapper.conf [?]
S2 FsUsbExService;FsUsbExService;e:\windows\system32\FsUsbExService.Exe [25/12/2009 17:26 233472]
S2 gupdate;Google Update Service (gupdate);e:\program files\Google\Update\GoogleUpdate.exe [23/05/2010 20:24 136176]
S2 TomTomHOMEService;TomTomHOMEService;e:\program files\TomTom HOME 2\TomTomHOMEService.exe [24/08/2010 09:38 92008]
S3 FsUsbExDisk;FsUsbExDisk;e:\windows\system32\FsUsbExDisk.Sys [25/12/2009 17:26 36608]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;e:\program files\SiSoftware\SiSoftware Sandra Lite 2010.SP2\RpcAgentSrv.exe [30/08/2010 15:12 93848]
S4 sptd;sptd;e:\windows\system32\drivers\sptd.sys [19/01/2007 19:35 646392]
.
Contents of the 'Scheduled Tasks' folder

2011-01-03 e:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- e:\program files\Google\Update\GoogleUpdate.exe [2010-05-23 20:24]

2011-01-03 e:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- e:\program files\Google\Update\GoogleUpdate.exe [2010-05-23 20:24]

2010-12-29 e:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-115176313-839522115-1003Core.job
- e:\documents and settings\Howard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-31 21:12]

2011-01-03 e:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-115176313-839522115-1003UA.job
- e:\documents and settings\Howard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-31 21:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{8020143D-5926-4394-A04D-DD0B649DA121} - (no file)
WebBrowser-{7B13EC3E-999A-4B70-B9CB-2617B8323822} - (no file)
WebBrowser-{8020143D-5926-4394-A04D-DD0B649DA121} - (no file)
HKLM-Run-NPSStartup - (no file)
Notify-WgaLogon - (no file)
AddRemove-NVIDIA Display Control Panel - e:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-04 13:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Intel___ rev.1.0. -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
sectors 488388606 (+255): user != kernel

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@e:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="e:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-01-04 13:30:16
ComboFix-quarantined-files.txt 2011-01-04 13:30

Pre-Run: 63,783,505,920 bytes free
Post-Run: 65,119,928,320 bytes free

- - End Of File - - 7D233901F9AB97E43262D80ED0A46FF4

#13 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:09:12 PM

Posted 04 January 2011 - 05:08 PM

Hi-

Finally, we have a good ComboFix run. Now, we can move on.

We need to create an OTL Report:
  • Please download OTL from here:
      • Main Mirror
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList".
  • Push the Run Scan button.
  • Two reports will open; copy and paste them into your reply:
      • OTL.txt <-- Will be opened
      • Extra.txt <-- Will be minimized

In your reply, copy in the two OTL reports and let me know how the computer is behaving.
Shannon

#14 circusfrog

  • Topic Starter
  • Members
  • 11 posts
  • Gender:Male
  • Location:Manchester, UK.
  • Local time:01:12 AM

Posted 04 January 2011 - 07:05 PM

Hi,

Here are the two reports:

OTL logfile created on: 04/01/2011 23:44:03 - Run 1
OTL by OldTimer - Version 3.2.20.1 Folder = E:\Documents and Settings\Howard\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 79.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = E: | %SystemRoot% = E:\WINDOWS | %ProgramFiles% = E:\Program Files
Drive C: | 126.96 Gb Total Space | 115.29 Gb Free Space | 90.81% Space Free | Partition Type: NTFS
Drive D: | 4.37 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive E: | 105.91 Gb Total Space | 60.72 Gb Free Space | 57.33% Space Free | Partition Type: NTFS
Drive F: | 3.76 Gb Total Space | 3.39 Gb Free Space | 90.09% Space Free | Partition Type: FAT32
Drive G: | 465.76 Gb Total Space | 432.58 Gb Free Space | 92.88% Space Free | Partition Type: NTFS

Computer Name: ANTEC | User Name: Howard | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/01/04 23:35:50 | 000,602,112 | ---- | M] (OldTimer Tools) -- E:\Documents and Settings\Howard\Desktop\OTL.exe
PRC - [2010/10/16 00:40:40 | 000,037,664 | ---- | M] (Apple Inc.) -- E:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/08/24 09:38:18 | 000,092,008 | ---- | M] (TomTom) -- E:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
PRC - [2009/07/15 09:08:24 | 000,233,472 | ---- | M] (Teruten) -- E:\WINDOWS\system32\FsUsbExService.Exe
PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\explorer.exe
PRC - [2007/07/12 00:22:00 | 000,135,168 | ---- | M] (Sun Microsystems, Inc.) -- E:\WINDOWS\system32\java.exe
PRC - [2007/06/15 12:57:42 | 000,145,504 | ---- | M] (B.H.A Corporation) -- E:\WINDOWS\system32\bgsvcgen.exe
PRC - [2006/12/19 14:06:00 | 000,086,016 | ---- | M] (McAfee, Inc.) -- E:\Program Files\McAfee\Common Framework\Mctray.exe
PRC - [2006/12/19 10:27:54 | 000,136,768 | ---- | M] (McAfee, Inc.) -- E:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2006/12/19 10:27:00 | 000,136,768 | ---- | M] (McAfee, Inc.) -- E:\Program Files\McAfee\Common Framework\UdaterUI.exe
PRC - [2006/12/19 10:24:50 | 000,104,000 | ---- | M] (McAfee, Inc.) -- E:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2006/10/17 22:22:50 | 000,204,800 | ---- | M] () -- E:\FileTransfer\wrapper.exe
PRC - [2006/05/11 11:47:24 | 000,151,552 | ---- | M] (Intel Corporation) -- E:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2006/05/11 11:46:54 | 000,090,112 | ---- | M] (Intel Corporation) -- E:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2004/11/03 16:53:12 | 000,081,920 | ---- | M] (CyberLink Corp.) -- E:\Program Files\CyberLink\PowerCinema\PCMService.exe


========== Modules (SafeList) ==========

MOD - [2011/01/04 23:35:50 | 000,602,112 | ---- | M] (OldTimer Tools) -- E:\Documents and Settings\Howard\Desktop\OTL.exe
MOD - [2010/09/18 06:53:25 | 000,974,848 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\system32\mfc42.dll
MOD - [2010/08/23 16:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/04/14 00:11:54 | 000,020,992 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\system32\hid.dll
MOD - [2004/11/03 16:41:52 | 000,049,152 | ---- | M] (CyberLink Corp.) -- E:\Program Files\CyberLink\Shared Files\CLRCEngine.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv)
SRV - [2010/10/16 00:40:40 | 000,037,664 | ---- | M] (Apple Inc.) [Auto | Running] -- E:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/08/24 09:38:18 | 000,092,008 | ---- | M] (TomTom) [Auto | Running] -- E:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2009/08/10 12:34:40 | 000,093,848 | ---- | M] (SiSoftware) [On_Demand | Stopped] -- E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010.SP2\RpcAgentSrv.exe -- (SandraAgentSrv)
SRV - [2009/07/15 09:08:24 | 000,233,472 | ---- | M] (Teruten) [Auto | Running] -- E:\WINDOWS\system32\FsUsbExService.Exe -- (FsUsbExService)
SRV - [2008/04/07 09:17:30 | 000,430,592 | ---- | M] (Nokia.) [On_Demand | Stopped] -- E:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2007/06/15 12:57:42 | 000,145,504 | ---- | M] (B.H.A Corporation) [Auto | Running] -- E:\WINDOWS\System32\bgsvcgen.exe -- (bgsvcgen)
SRV - [2006/12/19 10:24:50 | 000,104,000 | ---- | M] (McAfee, Inc.) [Auto | Running] -- E:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2006/10/17 22:22:50 | 000,204,800 | ---- | M] () [Auto | Running] -- E:\FileTransfer\wrapper.exe -- (FileTransfer)
SRV - [2006/05/11 11:46:54 | 000,090,112 | ---- | M] (Intel Corporation) [Auto | Running] -- E:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2005/07/01 15:15:46 | 001,053,672 | ---- | M] (SiSoftware) [On_Demand | Stopped] -- E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe -- (SandraTheSrv)
SRV - [2005/07/01 15:11:52 | 000,173,040 | ---- | M] (SiSoftware) [On_Demand | Stopped] -- E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe -- (SandraDataSrv)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- E:\WINDOWS\System32\WNIPROT5.SYS -- (WNIPROT5)
DRV - File not found [Kernel | Auto | Stopped] -- E:\WINDOWS\System32\DRIVERS\rp_skt32.sys -- (RPSKT) Security Services Driver (x86)
DRV - File not found [Kernel | System | Stopped] -- E:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys -- (mferkdk)
DRV - File not found [Kernel | On_Demand | Stopped] -- D:\INSTALL\GMSIPCI.SYS -- (GMSIPCI)
DRV - File not found [Kernel | On_Demand | Stopped] -- E:\DOCUME~1\Howard\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/07/09 22:38:00 | 010,604,128 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2009/08/07 22:46:56 | 000,023,112 | ---- | M] (SiSoftware) [Kernel | On_Demand | Stopped] -- E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010.SP2\WNt500x86\sandra.sys -- (SANDRA)
DRV - [2009/07/15 09:08:24 | 000,036,608 | ---- | M] () [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\FsUsbExDisk.Sys -- (FsUsbExDisk)
DRV - [2009/04/23 21:21:48 | 000,004,501 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\gdrv.sys -- (gdrv)
DRV - [2008/04/13 18:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- E:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2008/04/13 16:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/12/06 08:51:00 | 000,285,952 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2007/09/17 15:53:26 | 000,021,632 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2007/07/03 16:58:20 | 000,106,792 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\sscdmdm.sys -- (sscdmdm)
DRV - [2007/07/03 16:57:24 | 000,011,944 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\sscdmdfl.sys -- (sscdmdfl)
DRV - [2007/07/03 16:54:24 | 000,080,552 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM)
DRV - [2007/04/03 12:57:52 | 000,098,696 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\s116obex.sys -- (s116obex)
DRV - [2007/04/03 12:57:50 | 000,100,488 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\s116mgmt.sys -- (s116mgmt) Sony Ericsson Device 116 USB WMC Device Management Drivers (WDM)
DRV - [2007/04/03 12:57:48 | 000,108,680 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\s116mdm.sys -- (s116mdm)
DRV - [2007/04/03 12:57:48 | 000,015,112 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\s116mdfl.sys -- (s116mdfl)
DRV - [2007/04/03 12:57:42 | 000,083,336 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\s116bus.sys -- (s116bus) Sony Ericsson Device 116 driver (WDM)
DRV - [2007/01/19 19:35:05 | 000,646,392 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- E:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2006/08/11 13:47:13 | 000,059,776 | ---- | M] (Protection Technology (StarForce)) [Kernel | Boot | Running] -- E:\WINDOWS\System32\drivers\sfsync04.sys -- (sfsync04) StarForce Protection Synchronization Driver (version 4.x)
DRV - [2006/07/05 12:46:06 | 000,063,352 | ---- | M] (Protection Technology (StarForce)) [Kernel | Boot | Running] -- E:\WINDOWS\System32\drivers\sfdrv01a.sys -- (sfdrv01a) StarForce Protection Environment Driver (version 1.x.a)
DRV - [2006/06/14 17:12:13 | 000,078,184 | ---- | M] (Protection Technology (StarForce)) [Kernel | Boot | Running] -- E:\WINDOWS\System32\drivers\sfvfs02.sys -- (sfvfs02) StarForce Protection VFS Driver (version 2.x)
DRV - [2006/06/14 14:56:56 | 000,013,680 | ---- | M] (Protection Technology (StarForce)) [Kernel | Boot | Running] -- E:\WINDOWS\System32\drivers\sfhlp02.sys -- (sfhlp02) StarForce Protection Helper Driver (version 2.x)
DRV - [2006/05/26 05:20:58 | 004,279,296 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/05/11 11:30:52 | 000,247,808 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- E:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2006/03/26 12:22:14 | 000,051,200 | ---- | M] (Protection Technology (StarForce)) [Kernel | Boot | Running] -- E:\WINDOWS\System32\drivers\sfdrv01.sys -- (sfdrv01) StarForce Protection Environment Driver (version 1.x)
DRV - [2004/10/25 15:10:00 | 000,758,784 | R--- | M] (Airgo Networks, Inc.) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\wnihdd51.sys -- (Airgo)
DRV - [2003/02/12 14:29:30 | 000,166,272 | ---- | M] (Linksys Corporation) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2001/08/23 12:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- E:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2001/08/23 12:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- E:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2001/08/17 12:53:32 | 000,003,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\qv2kux.sys -- (QV2KUX)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1606980848-115176313-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
IE - HKU\S-1-5-21-1606980848-115176313-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: MapShare-status@tomtom.com:1.7
FF - prefs.js..extensions.enabledItems: baseTheme@tomtom.com:1.0.2


[2009/11/24 22:44:19 | 000,000,000 | ---D | M] (No name found) -- E:\Documents and Settings\Howard\Application Data\Mozilla\Extensions
[2009/11/24 22:44:19 | 000,000,000 | ---D | M] (No name found) -- E:\Documents and Settings\Howard\Application Data\Mozilla\Extensions\home2@tomtom.com
[2010/10/24 14:50:58 | 000,000,000 | ---D | M] (Map status indicator) -- E:\PROGRAM FILES\TOMTOM HOME 2\XUL\EXTENSIONS\MAPSHARE-STATUS@TOMTOM.COM

O1 HOSTS File: ([2010/12/18 23:07:23 | 000,001,723 | RHS- | M]) - E:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 209.97.213.114 www.google.com
O1 - Hosts: 209.97.213.114 google.com
O1 - Hosts: 209.97.213.114 google.com.au
O1 - Hosts: 209.97.213.114 www.google.com.au
O1 - Hosts: 209.97.213.114 google.be
O1 - Hosts: 209.97.213.114 www.google.be
O1 - Hosts: 209.97.213.114 google.com.br
O1 - Hosts: 209.97.213.114 www.google.com.br
O1 - Hosts: 209.97.213.114 google.ca
O1 - Hosts: 209.97.213.114 www.google.ca
O1 - Hosts: 209.97.213.114 google.ch
O1 - Hosts: 209.97.213.114 www.google.ch
O1 - Hosts: 209.97.213.114 google.de
O1 - Hosts: 209.97.213.114 www.google.de
O1 - Hosts: 209.97.213.114 google.dk
O1 - Hosts: 209.97.213.114 www.google.dk
O1 - Hosts: 209.97.213.114 google.fr
O1 - Hosts: 30 more lines...
O2 - BHO: (Canon Easy-WebPrint EX BHO) - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - E:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - E:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKU\S-1-5-21-1606980848-115176313-839522115-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1606980848-115176313-839522115-1003\..\Toolbar\WebBrowser: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - E:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O4 - HKLM..\Run: [CanonMyPrinter] E:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] E:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [IAAnotif] E:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [IJNetworkScanUtility] E:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe (CANON INC.)
O4 - HKLM..\Run: [McAfeeUpdaterUI] E:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] E:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] E:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] E:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
O4 - HKLM..\Run: [PCMService] E:\Program Files\CyberLink\PowerCinema\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [SkyTel] E:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKU\S-1-5-21-1606980848-115176313-839522115-1003..\Run: [TomTomHOME.exe] E:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)
O4 - Startup: E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk = E:\quickenw\BILLMIND.EXE (Intuit)
O4 - Startup: E:\Documents and Settings\All Users\Start Menu\Programs\Startup\PHOTOfunSTUDIO 5.0 HD Edition.lnk = E:\Program Files\Common Files\Panasonic\PHOTOfunSTUDIO AutoStart\AutoStartupService.exe (Panasonic Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1606980848-115176313-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1606980848-115176313-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1606980848-115176313-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1606980848-115176313-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll (Sun Microsystems, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - E:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - E:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-1606980848-115176313-839522115-1003\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab (Bejeweled Control)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab (Wwlaunch Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - E:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - E:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: E:\Documents and Settings\Howard\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: E:\Documents and Settings\Howard\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/11/23 02:09:31 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2011/01/03 16:03:14 | 000,000,000 | R--D | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2011/01/03 16:03:14 | 000,000,000 | R--D | M] - E:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2011/01/03 15:17:24 | 000,000,000 | RHSD | M] - F:\autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2011/01/03 16:03:15 | 000,000,000 | R--D | M] - G:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/01/04 23:42:33 | 000,602,112 | ---- | C] (OldTimer Tools) -- E:\Documents and Settings\Howard\Desktop\OTL.exe
[2011/01/04 13:30:18 | 000,000,000 | ---D | C] -- E:\WINDOWS\temp
[2011/01/03 17:44:34 | 000,000,000 | ---D | C] -- E:\Config.Msi
[2011/01/03 16:03:14 | 000,000,000 | R--D | C] -- E:\autorun.inf
[2010/12/28 11:27:25 | 001,345,624 | ---- | C] (Kaspersky Lab ZAO) -- E:\Documents and Settings\Howard\Desktop\hyhy123.exe
[2010/12/28 11:26:42 | 001,345,624 | ---- | C] (Kaspersky Lab ZAO) -- E:\Documents and Settings\Howard\Desktop\tdsskiller.exe
[2010/12/27 17:42:54 | 000,212,480 | ---- | C] (SteelWerX) -- E:\WINDOWS\SWXCACLS.exe
[2010/12/27 17:42:54 | 000,161,792 | ---- | C] (SteelWerX) -- E:\WINDOWS\SWREG.exe
[2010/12/27 17:42:54 | 000,136,704 | ---- | C] (SteelWerX) -- E:\WINDOWS\SWSC.exe
[2010/12/27 17:42:54 | 000,031,232 | ---- | C] (NirSoft) -- E:\WINDOWS\NIRCMD.exe
[2010/12/27 17:42:48 | 000,000,000 | ---D | C] -- E:\WINDOWS\ERDNT
[2010/12/27 17:42:23 | 000,000,000 | ---D | C] -- E:\Qoobox
[2010/12/27 16:23:08 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Howard\Application Data\Malwarebytes
[2010/12/27 16:22:53 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- E:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/12/27 16:22:53 | 000,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2010/12/27 16:22:53 | 000,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/12/27 16:22:50 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- E:\WINDOWS\System32\drivers\mbam.sys
[2010/12/27 16:22:50 | 000,000,000 | ---D | C] -- E:\Program Files\Malwarebytes' Anti-Malware
[2010/12/27 16:17:55 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- E:\Documents and Settings\Howard\Desktop\mbam-setup-1.50.1.1100.exe
[2010/12/19 13:26:40 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Howard\Desktop\gmer
[2010/12/19 01:17:22 | 000,000,000 | -H-D | C] -- E:\WINDOWS\System32\GroupPolicy
[2010/12/18 23:06:08 | 000,000,000 | -HSD | C] -- E:\Documents and Settings\All Users\Application Data\IAKTHAHV
[2010/12/09 18:31:34 | 000,000,000 | ---D | C] -- E:\found.006
[48 E:\WINDOWS\System32\dllcache\*.tmp files -> E:\WINDOWS\System32\dllcache\*.tmp -> ]
[4 E:\WINDOWS\*.tmp files -> E:\WINDOWS\*.tmp -> ]
[4 E:\Documents and Settings\All Users\Application Data\*.tmp files -> E:\Documents and Settings\All Users\Application Data\*.tmp -> ]
[1 E:\WINDOWS\System32\*.tmp files -> E:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/01/04 23:41:25 | 000,013,646 | ---- | M] () -- E:\WINDOWS\System32\wpa.dbl
[2011/01/04 23:41:25 | 000,000,880 | ---- | M] () -- E:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/01/04 23:40:30 | 000,002,048 | --S- | M] () -- E:\WINDOWS\bootstat.dat
[2011/01/04 23:35:50 | 000,602,112 | ---- | M] (OldTimer Tools) -- E:\Documents and Settings\Howard\Desktop\OTL.exe
[2011/01/04 16:21:05 | 000,000,980 | ---- | M] () -- E:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-115176313-839522115-1003UA.job
[2011/01/04 16:18:05 | 000,000,884 | ---- | M] () -- E:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/01/04 15:21:00 | 000,000,928 | ---- | M] () -- E:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-115176313-839522115-1003Core.job
[2011/01/03 16:14:52 | 004,012,664 | R--- | M] () -- E:\Documents and Settings\Howard\Desktop\ComboFix.exe
[2011/01/03 15:16:02 | 000,132,597 | ---- | M] () -- E:\Documents and Settings\Howard\Desktop\Flash_Disinfector.exe
[2011/01/02 16:40:18 | 000,080,384 | ---- | M] () -- E:\Documents and Settings\Howard\Desktop\MBRCheck.exe
[2010/12/29 14:20:13 | 000,006,051 | ---- | M] () -- E:\Documents and Settings\Howard\Desktop\Attach.zip
[2010/12/28 11:22:28 | 001,345,624 | ---- | M] (Kaspersky Lab ZAO) -- E:\Documents and Settings\Howard\Desktop\tdsskiller.exe
[2010/12/28 11:22:28 | 001,345,624 | ---- | M] (Kaspersky Lab ZAO) -- E:\Documents and Settings\Howard\Desktop\hyhy123.exe
[2010/12/28 00:31:28 | 000,780,283 | ---- | M] () -- E:\Documents and Settings\Howard\Desktop\rkill.com
[2010/12/27 19:51:34 | 000,433,130 | ---- | M] () -- E:\WINDOWS\System32\perfh009.dat
[2010/12/27 19:51:34 | 000,067,768 | ---- | M] () -- E:\WINDOWS\System32\perfc009.dat
[2010/12/27 17:04:20 | 000,296,448 | ---- | M] () -- E:\Documents and Settings\Howard\Desktop\e8lkzpvb.exe
[2010/12/27 16:22:53 | 000,000,784 | ---- | M] () -- E:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/12/27 16:19:02 | 000,000,020 | ---- | M] () -- E:\Documents and Settings\Howard\defogger_reenable
[2010/12/27 16:14:52 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- E:\Documents and Settings\Howard\Desktop\mbam-setup-1.50.1.1100.exe
[2010/12/27 11:57:12 | 000,050,477 | ---- | M] () -- E:\Documents and Settings\Howard\Desktop\Defogger.exe
[2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- E:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- E:\WINDOWS\System32\drivers\mbam.sys
[2010/12/19 12:45:28 | 000,288,107 | ---- | M] () -- E:\Documents and Settings\Howard\Desktop\gmer.zip
[2010/12/19 02:07:24 | 000,624,128 | ---- | M] () -- E:\Documents and Settings\Howard\Desktop\dds.scr
[2010/12/19 01:26:38 | 000,000,008 | RHS- | M] () -- E:\Documents and Settings\Howard\ntuser.pol
[2010/12/18 23:51:36 | 000,082,432 | ---- | M] () -- E:\Documents and Settings\Howard\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/12/18 23:07:23 | 000,001,723 | RHS- | M] () -- E:\WINDOWS\System32\drivers\etc\hosts
[2010/12/17 07:09:07 | 000,178,648 | ---- | M] () -- E:\WINDOWS\System32\FNTCACHE.DAT
[2010/12/16 22:21:44 | 000,002,293 | ---- | M] () -- E:\Documents and Settings\Howard\Desktop\Google Chrome.lnk
[2010/12/16 22:21:44 | 000,002,271 | ---- | M] () -- E:\Documents and Settings\Howard\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/12/16 22:20:02 | 000,001,393 | ---- | M] () -- E:\WINDOWS\imsins.BAK
[48 E:\WINDOWS\System32\dllcache\*.tmp files -> E:\WINDOWS\System32\dllcache\*.tmp -> ]
[4 E:\WINDOWS\*.tmp files -> E:\WINDOWS\*.tmp -> ]
[4 E:\Documents and Settings\All Users\Application Data\*.tmp files -> E:\Documents and Settings\All Users\Application Data\*.tmp -> ]
[1 E:\WINDOWS\System32\*.tmp files -> E:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/01/03 16:02:56 | 000,132,597 | ---- | C] () -- E:\Documents and Settings\Howard\Desktop\Flash_Disinfector.exe
[2011/01/02 16:43:23 | 000,080,384 | ---- | C] () -- E:\Documents and Settings\Howard\Desktop\MBRCheck.exe
[2010/12/29 14:20:13 | 000,006,051 | ---- | C] () -- E:\Documents and Settings\Howard\Desktop\Attach.zip
[2010/12/29 00:29:15 | 000,000,338 | ---- | C] () -- E:\Documents and Settings\Howard\mbr.log
[2010/12/28 10:57:31 | 000,780,283 | ---- | C] () -- E:\Documents and Settings\Howard\Desktop\rkill.com
[2010/12/27 17:42:54 | 000,256,512 | ---- | C] () -- E:\WINDOWS\PEV.exe
[2010/12/27 17:42:54 | 000,098,816 | ---- | C] () -- E:\WINDOWS\sed.exe
[2010/12/27 17:42:54 | 000,089,088 | ---- | C] () -- E:\WINDOWS\MBR.exe
[2010/12/27 17:42:54 | 000,080,412 | ---- | C] () -- E:\WINDOWS\grep.exe
[2010/12/27 17:42:54 | 000,068,096 | ---- | C] () -- E:\WINDOWS\zip.exe
[2010/12/27 17:41:53 | 004,012,664 | R--- | C] () -- E:\Documents and Settings\Howard\Desktop\ComboFix.exe
[2010/12/27 17:09:54 | 000,296,448 | ---- | C] () -- E:\Documents and Settings\Howard\Desktop\e8lkzpvb.exe
[2010/12/27 16:22:53 | 000,000,784 | ---- | C] () -- E:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/12/27 16:18:51 | 000,000,020 | ---- | C] () -- E:\Documents and Settings\Howard\defogger_reenable
[2010/12/27 16:18:00 | 000,050,477 | ---- | C] () -- E:\Documents and Settings\Howard\Desktop\Defogger.exe
[2010/12/19 12:50:25 | 000,288,107 | ---- | C] () -- E:\Documents and Settings\Howard\Desktop\gmer.zip
[2010/12/19 02:16:41 | 000,624,128 | ---- | C] () -- E:\Documents and Settings\Howard\Desktop\dds.scr
[2010/12/19 01:25:29 | 000,000,008 | RHS- | C] () -- E:\Documents and Settings\Howard\ntuser.pol
[2010/11/25 17:33:49 | 000,000,097 | ---- | C] () -- E:\WINDOWS\System32\PICSDK.ini
[2010/08/30 15:12:20 | 012,959,744 | ---- | C] () -- E:\Documents and Settings\All Users\Application Data\sandra.mda
[2010/01/06 12:39:22 | 000,002,528 | ---- | C] () -- E:\Documents and Settings\Howard\Application Data\$_hpcst$.hpc
[2009/12/25 17:26:58 | 000,110,592 | ---- | C] () -- E:\WINDOWS\System32\FsUsbExDevice.Dll
[2009/12/25 17:26:58 | 000,036,608 | ---- | C] () -- E:\WINDOWS\System32\FsUsbExDisk.Sys
[2009/09/20 19:48:12 | 000,073,728 | ---- | C] () -- E:\WINDOWS\System32\Q_ENCLIB.DLL
[2009/09/20 19:48:12 | 000,040,960 | ---- | C] () -- E:\WINDOWS\System32\Q_ENCUTL.DLL
[2009/09/20 19:29:51 | 000,000,052 | ---- | C] () -- E:\WINDOWS\intuprof.ini
[2009/09/20 19:29:50 | 000,001,617 | ---- | C] () -- E:\WINDOWS\QUICKEN.INI
[2009/05/08 21:39:25 | 000,000,280 | ---- | C] () -- E:\WINDOWS\System32\epoPGPsdk.dll.sig
[2009/04/23 21:26:38 | 000,135,168 | R--- | C] () -- E:\WINDOWS\System32\RtlCPAPI.dll
[2009/04/01 18:38:55 | 000,032,397 | ---- | C] () -- E:\WINDOWS\SGTBox.INI
[2008/09/04 16:59:23 | 000,000,036 | ---- | C] () -- E:\WINDOWS\Tiny_Run.ini
[2008/08/03 17:14:05 | 000,001,468 | ---- | C] () -- E:\Documents and Settings\Howard\Local Settings\Application Data\FASTWiz.html
[2008/08/03 17:12:30 | 000,030,775 | ---- | C] () -- E:\Documents and Settings\Howard\Local Settings\Application Data\FASTWiz.log
[2008/01/01 12:27:47 | 000,000,035 | ---- | C] () -- E:\WINDOWS\A4W.INI
[2008/01/01 12:26:35 | 000,000,021 | ---- | C] () -- E:\WINDOWS\phbase.ini
[2008/01/01 12:24:55 | 000,000,572 | ---- | C] () -- E:\WINDOWS\maxlink.ini
[2008/01/01 12:23:55 | 000,000,022 | ---- | C] () -- E:\WINDOWS\OP70.INI
[2008/01/01 12:21:42 | 000,001,338 | ---- | C] () -- E:\WINDOWS\pstudio.ini
[2008/01/01 12:21:42 | 000,000,028 | ---- | C] () -- E:\WINDOWS\album.ini
[2008/01/01 12:21:42 | 000,000,021 | ---- | C] () -- E:\WINDOWS\Ps_setup.ini
[2007/12/31 15:00:48 | 000,000,021 | ---- | C] () -- E:\WINDOWS\CS_setup.ini
[2007/12/31 14:58:05 | 000,000,000 | ---- | C] () -- E:\WINDOWS\OpPrintServer.INI
[2007/12/31 14:07:57 | 000,000,376 | ---- | C] () -- E:\WINDOWS\ODBC.INI
[2007/10/25 17:26:10 | 000,005,632 | ---- | C] () -- E:\WINDOWS\System32\drivers\StarOpen.sys
[2007/01/02 01:50:48 | 000,082,432 | ---- | C] () -- E:\Documents and Settings\Howard\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/12/07 21:40:40 | 000,043,520 | ---- | C] () -- E:\WINDOWS\System32\CmdLineExt03.dll
[2006/12/07 21:03:18 | 000,021,840 | ---- | C] () -- E:\WINDOWS\System32\SIntfNT.dll
[2006/12/07 21:03:18 | 000,017,212 | ---- | C] () -- E:\WINDOWS\System32\SIntf32.dll
[2006/12/07 21:03:18 | 000,012,067 | ---- | C] () -- E:\WINDOWS\System32\SIntf16.dll
[2006/11/23 01:55:47 | 000,004,161 | ---- | C] () -- E:\WINDOWS\ODBCINST.INI
[2006/04/28 07:47:00 | 000,581,632 | ---- | C] () -- E:\WINDOWS\System32\nvhwvid.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 130 bytes -> E:\Documents and Settings\All Users\Application Data\TEMP:8B4F37E5

< End of report >

___________________________________________________________________________________


OTL Extras logfile created on: 04/01/2011 23:44:03 - Run 1
OTL by OldTimer - Version 3.2.20.1 Folder = E:\Documents and Settings\Howard\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 79.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = E: | %SystemRoot% = E:\WINDOWS | %ProgramFiles% = E:\Program Files
Drive C: | 126.96 Gb Total Space | 115.29 Gb Free Space | 90.81% Space Free | Partition Type: NTFS
Drive D: | 4.37 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive E: | 105.91 Gb Total Space | 60.72 Gb Free Space | 57.33% Space Free | Partition Type: NTFS
Drive F: | 3.76 Gb Total Space | 3.39 Gb Free Space | 90.09% Space Free | Partition Type: FAT32
Drive G: | 465.76 Gb Total Space | 432.58 Gb Free Space | 92.88% Space Free | Partition Type: NTFS

Computer Name: ANTEC | User Name: Howard | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\sandra.exe" = E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\sandra.exe:*:Enabled:SiSoftware Sandra Lite -- (SiSoftware)
"E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe" = E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Lite -- (SiSoftware)
"E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe" = E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe:*:Enabled:SiSoftware Sandra Lite -- (SiSoftware)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"E:\Program Files\CA\eTrust Antivirus\InoNmSrv.exe" = E:\Program Files\CA\eTrust Antivirus\InoNmSrv.exe:*:Disabled:eTrust Antivirus - Admin Server -- (Computer Associates International, Inc.)
"E:\Program Files\Midway Games\Rise and Fall\RiseAndFall.exe" = E:\Program Files\Midway Games\Rise and Fall\RiseAndFall.exe:*:Enabled:Rise and Fall: Civilizations at War -- (Midway Home Entertainment)
"E:\Program Files\Microsoft Games\Rise of Nations\thrones.exe" = E:\Program Files\Microsoft Games\Rise of Nations\thrones.exe:*:Enabled:Rise of Nations -- (Big Huge Games, Inc.)
"E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\sandra.exe" = E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\sandra.exe:*:Enabled:SiSoftware Sandra Lite -- (SiSoftware)
"E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe" = E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Lite -- (SiSoftware)
"E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe" = E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe:*:Enabled:SiSoftware Sandra Lite -- (SiSoftware)
"E:\Program Files\McAfee\Common Framework\FrameworkService.exe" = E:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)
"E:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe" = E:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe:*:Enabled:KTF MUSIC AoD Server -- (PeeringPortal)
"E:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe" = E:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe:*:Enabled:KTF MUSIC VoD Server -- (PeeringPortal)
"E:\Program Files\Nectar Search Toolbar\TroubleShooter.exe" = E:\Program Files\Nectar Search Toolbar\TroubleShooter.exe:*:Enabled:Nectar Search Toolbar (Helper) -- (FreeCause Inc.)
"E:\Program Files\Nectar Search Toolbar\ToolbarUpdate.exe" = E:\Program Files\Nectar Search Toolbar\ToolbarUpdate.exe:*:Enabled:Nectar Search Toolbar (Update) -- (FreeCause Inc.)
"E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010.SP2\RpcAgentSrv.exe" = E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010.SP2\RpcAgentSrv.exe:*:Enabled:SiSoftware Deployment Agent Service -- (SiSoftware)
"E:\Program Files\iTunes\iTunes.exe" = E:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010.SP2\WNt500x86\RpcSandraSrv.exe" = E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010.SP2\WNt500x86\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Agent Service -- (SiSoftware)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{0AD84416-63A4-4CF3-BDDF-8FA866711FB0}" = Civilization III
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP640_series" = Canon MP640 series MP Drivers
"{14220DB1-DD96-4BCD-B3D5-03A4EA6631C4}" = RemoteCapture 2.7.5
"{171E6C1E-B5FC-11DF-B115-005056C00008}" = Google Earth Plug-in
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{2236B741-6631-49AE-B76E-3E14CA01CC87}" = RemoteCapture Task
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = PowerCinema 3.0
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{2D1C2321-8FDB-49B8-A66B-4008DC0B6B5D}" = File Viewer Utility 1.3.2
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{31E2413D-8AA1-43EC-8B8D-77B65ADA4611}" = Civilization III v1.29f
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{41888B21-922B-4241-4594-EF1E6828A72B}" = BBC iPlayer Desktop
"{4377F918-E6C9-4ECA-A7F5-754B310B7ED8}" = Sid Meier's Civilization 4
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6A0DBAA6-4FEC-41B7-858E-99EF59B9173C}" = CIG
"{6DE13770-01B7-4366-8DA6-48237793F445}" = VoiceOver Kit
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7E84FAC8-C518-40F9-9807-7455301D6D25}" = SamsungConnectivityCableDriver
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{81D62C32-0984-11D3-86CD-00105AD33021}" = Caere Scan Manager 5.1
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90300409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Media Content
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{91110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{959282E3-55A9-49D8-B885-D27CF8A2FD82}" = PHOTOfunSTUDIO 5.0 HD Edition
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A29EA741-24F7-4C07-9B2C-06CB6491BE4A}" = Camera Window
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC599724-5755-48C1-ABE7-ABB857652930}" = PC Connectivity Solution
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{AD708DF0-9F04-4CB3-821A-85804A833B4D}" = ArcSoft Camera Suite
"{B332732A-4958-41DD-B439-DDA2D32753C5}" = McAfee Host Intrusion Prevention
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}" = Canon Utilities ZoomBrowser EX
"{C3113E55-7BCB-4de3-8EBF-60E6CE6B2296}_is1" = SiSoftware Sandra Lite 2010.SP2
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240BB}" = WinZip 14.0
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}" = Sid Meier's Civilization 4
"{D078226E-83F2-45FD-9CDE-5DA66E5ADB51}" = Rise and Fall
"{D2A0F8F4-CE50-4857-A21C-3061682B2E87}" = Sansa Media Converter
"{D8CE69B0-9274-4b8c-BA49-0FF6A20A3C65}" = SAMSUNG SYMBIAN USB Download Driver
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}" = Microsoft SQL Server Compact 3.5 SP1 English
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F11A403B-0DE9-4953-B790-7A2F014FBB2B}" = PhotoStitch
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F138762F-5A1F-4CF0-A5E1-1588EF6088A4}" = The Witcher Enhanced Edition
"{F193FC0E-9E18-40FC-A974-509A1BDD240A}" = Samsung New PC Studio
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FAE36873-1941-4076-A9A5-48812B5EA0B7}" = iTunes
"{FAF0DAD8-1EA7-4FEF-80E5-8D8D6EBD5A23}" = RAW Image Task
"3A5DEFA413DDE699DBA6EBE0A63534ACA524D30F" = Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
"7-Zip" = 7-Zip 4.65
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.8
"ArcSoft PhotoBase" = ArcSoft PhotoBase
"ArcSoft PhotoStudio 2000" = ArcSoft PhotoStudio 2000
"Ashampoo Burning Studio 2010_is1" = Ashampoo Burning Studio 2010
"BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1" = BBC iPlayer Desktop
"Canon MP640 series User Registration" = Canon MP640 series User Registration
"Canon ScanGear Toolbox CS" = Canon ScanGear Toolbox CS 2.2
"Canon_IJ_Network_Scan_UTILITY" = Canon IJ Network Scan Utility
"Canon_IJ_Network_UTILITY" = Canon IJ Network Tool
"CanonMyPrinter" = Canon Utilities My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"Dan Elwell's Broadband Speed Test_is1" = Dan Elwell's Broadband Speed Test
"Diablo II" = Diablo II
"DMIView" = DMIView
"E24870CB6AA1C3511635FF9020A3E9471287FBE7" = Windows Driver Package - MobileTop (sshpmdm) Modem (01/26/2008 2.6.0.0)
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"Easy-WebPrint EX" = Canon Easy-WebPrint EX
"ie8" = Windows Internet Explorer 8
"InstallShield_{14220DB1-DD96-4BCD-B3D5-03A4EA6631C4}" = Canon Utilities RemoteCapture 2.7
"InstallShield_{2236B741-6631-49AE-B76E-3E14CA01CC87}" = Canon RemoteCapture Task for ZoomBrowser EX
"InstallShield_{2D1C2321-8FDB-49B8-A66B-4008DC0B6B5D}" = Canon Utilities File Viewer Utility 1.3
"InstallShield_{6A0DBAA6-4FEC-41B7-858E-99EF59B9173C}" = Canon Internet Library for ZoomBrowser EX
"InstallShield_{A29EA741-24F7-4C07-9B2C-06CB6491BE4A}" = Canon Camera Window for ZoomBrowser EX
"InstallShield_{F11A403B-0DE9-4953-B790-7A2F014FBB2B}" = Canon Utilities PhotoStitch 3.1
"InstallShield_{F193FC0E-9E18-40FC-A974-509A1BDD240A}" = Samsung New PC Studio
"InstallShield_{FAF0DAD8-1EA7-4FEF-80E5-8D8D6EBD5A23}" = Canon RAW Image Task for ZoomBrowser EX
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MediaNavigation.CDLabelPrint" = CD-LabelPrint
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MP Navigator EX 3.0" = Canon MP Navigator EX 3.0
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"OmniPagePro9.0DeinstKey" = OmniPage Pro 9.0
"PhotoRecord" = Canon PhotoRecord
"Quicken Deluxe 98" = Quicken Deluxe 98
"RiseOfNationsExpansion 1.0" = Rise of Nations
"SAMSUNG Mobile Composite Device" = SAMSUNG Mobile Composite Device Software
"SAMSUNG Mobile Modem" = SAMSUNG Mobile Modem Driver Set
"Samsung Mobile Modem Device" = Samsung Mobile Modem Device Software
"SAMSUNG Mobile Modem V2" = SAMSUNG Mobile Modem V2 Software
"Samsung Mobile phone USB driver" = Samsung Mobile phone USB driver Software
"SAMSUNG Mobile USB Modem" = SAMSUNG Mobile USB Modem Software
"SAMSUNG Mobile USB Modem 1.0" = SAMSUNG Mobile USB Modem 1.0 Software
"SAMSUNG USB Mobile Device" = SAMSUNG USB Mobile Device Software
"Shockwave" = Shockwave
"SiSoftware Sandra Lite 2005.SR2a_is1" = SiSoftware Sandra Lite 2005.SR2a (Win64/32/CE)
"SystemRequirementsLab" = System Requirements Lab
"TomTom HOME" = TomTom HOME 2.7.6.2056
"Ultimate Mahjongg 10" = Ultimate Mahjongg 10
"Veetle TV" = Veetle TV 0.9.18
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1606980848-115176313-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 18/12/2010 19:56:02 | Computer Name = ANTEC | Source = MsiInstaller | ID = 11920
Description = Product: McAfee VirusScan Enterprise -- Error 1920.Service McAfee
McShield (McShield) failed to start. Verify that you have sufficient privileges
to start system services.

Error - 18/12/2010 19:56:32 | Computer Name = ANTEC | Source = MsiInstaller | ID = 11920
Description = Product: McAfee VirusScan Enterprise -- Error 1920.Service McAfee
McShield (McShield) failed to start. Verify that you have sufficient privileges
to start system services.

Error - 18/12/2010 19:58:49 | Computer Name = ANTEC | Source = MsiInstaller | ID = 11920
Description = Product: McAfee VirusScan Enterprise -- Error 1920.Service McAfee
McShield (McShield) failed to start. Verify that you have sufficient privileges
to start system services.

Error - 18/12/2010 21:29:07 | Computer Name = ANTEC | Source = McLogEvent | ID = 259
Description =

Error - 18/12/2010 21:31:23 | Computer Name = ANTEC | Source = Application Hang | ID = 1002
Description = Hanging application ScnCfg32.Exe, version 8.5.0.781, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 19/12/2010 09:23:02 | Computer Name = ANTEC | Source = NTBackup | ID = 8001
Description = End Backup of 'E:' 'Warnings or errors were encountered.' Verify:
Off Mode: Append Type: Normal Consult the backup report for more details.

Error - 27/12/2010 12:54:04 | Computer Name = ANTEC | Source = Application Hang | ID = 1002
Description = Hanging application mbam.exe, version 1.50.1.3, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 27/12/2010 20:16:55 | Computer Name = ANTEC | Source = McLogEvent | ID = 259
Description =

Error - 28/12/2010 00:14:16 | Computer Name = ANTEC | Source = McLogEvent | ID = 259
Description =

Error - 28/12/2010 20:40:14 | Computer Name = ANTEC | Source = McLogEvent | ID = 5051
Description =

[ System Events ]
Error - 04/01/2011 09:17:11 | Computer Name = ANTEC | Source = Service Control Manager | ID = 7001
Description = The Apple Mobile Device service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

Error - 04/01/2011 09:17:11 | Computer Name = ANTEC | Source = Service Control Manager | ID = 7001
Description = The Bonjour Service service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

Error - 04/01/2011 09:17:11 | Computer Name = ANTEC | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 04/01/2011 09:17:11 | Computer Name = ANTEC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

Error - 04/01/2011 09:17:28 | Computer Name = ANTEC | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 04/01/2011 09:34:14 | Computer Name = ANTEC | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 04/01/2011 09:37:10 | Computer Name = ANTEC | Source = Service Control Manager | ID = 7000
Description = The Security Services Driver (x86) service failed to start due to
the following error: %%2

Error - 04/01/2011 09:37:10 | Computer Name = ANTEC | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%126

Error - 04/01/2011 19:40:42 | Computer Name = ANTEC | Source = Service Control Manager | ID = 7000
Description = The Security Services Driver (x86) service failed to start due to
the following error: %%2

Error - 04/01/2011 19:40:42 | Computer Name = ANTEC | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%126


< End of report >




#15 Shannon2012


  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:09:12 PM

Posted 05 January 2011 - 03:25 PM

Hi-

Thank you for the reports. You need to update some software and then we will do some more cleaning. In your reply, please let me know how your computer is doing.

Your Java runtimes are out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version here - Java Runtime Environment (JRE) Version 6
  • Scroll down to where it says "JDK 6 Update 23 (JRE) ...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u23-windows-i586.exe to install the newest version.

Next, we need to run an OTL Fix.
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"
:OTL
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. 
O3 - HKU\S-1-5-21-1606980848-115176313-839522115-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found. 
DRV - File not found [Kernel | On_Demand | Stopped] -- E:\WINDOWS\System32\WNIPROT5.SYS -- (WNIPROT5)
DRV - File not found [Kernel | Auto | Stopped] -- E:\WINDOWS\System32\DRIVERS\rp_skt32.sys -- (RPSKT) Security Services Driver (x86)
DRV - File not found [Kernel | System | Stopped] -- E:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys -- (mferkdk)
:commands
[resethosts]
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If you have to reboot, once back up, open the C:\_OTL\MovedFiles folder and copy the newest log into your next reply.

Then, please download Malwarebytes' Anti-Malware (MBAM) from HERE.

Note: If you already have Malwarebytes' Anti-Malware, just run and update it. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

In your reply, please copy in the OTL Fix log and the MBAM report. Please also tell me how the computer is running now.
Shannon
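The OTL fix in this post removes three kinds of leftovers: a BHO and a toolbar entry whose CLSID is no longer registered, three driver entries whose .sys file no longer exists on disk (the "Security Services Driver (x86)" among them is the same RPSKT entry the System event log above reports as failing with error %%2), and a modified hosts file. The PowerShell below is an added, read-only audit of those same three conditions on a Windows box; it is not part of Shannon's post and not OTL's own code. The function names (Resolve-ImagePath, Get-OrphanedDriver, Get-OrphanedBho, Get-NonDefaultHostsEntry) are the example's own, it uses only built-in cmdlets and PowerShell 2.0 syntax so it runs on an XP SP3 machine, and it reads $env:SystemRoot rather than assuming C: (the report above shows a system drive of E:). It assumes the hosts file is in its default location and that it is run from an elevated prompt.

```powershell
# Added example (not from the BleepingComputer post or from OTL). Read-only audit of the
# three things the OTL fix above acts on: orphaned BHOs, driver entries with a missing
# image file, and non-default hosts entries. PowerShell 2.0 compatible; run elevated.

function Resolve-ImagePath {
    # Normalise the path forms found in ImagePath / InprocServer32 values to an absolute path.
    param([string]$ImagePath)
    $p = $ImagePath.Trim().Trim('"')
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -match '^\\\?\?\\(.+)$')       { $p = $Matches[1] }                             # \??\E:\...
    if ($p -match '^\\SystemRoot\\(.+)$') { $p = Join-Path $env:SystemRoot $Matches[1] }  # \SystemRoot\system32\...
    elseif ($p -notmatch '^[A-Za-z]:\\')  { $p = Join-Path $env:SystemRoot $p }           # system32\DRIVERS\x.sys
    return $p
}

function Get-OrphanedDriver {
    # Driver entries under Services whose image file is gone (OTL's "DRV - File not found").
    $services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $services) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Type 1 = kernel driver, 2 = file-system driver; user-mode services are skipped.
        if ($props.Type -ne 1 -and $props.Type -ne 2) { continue }
        if ($props.ImagePath) {
            $file = Resolve-ImagePath $props.ImagePath
        } else {
            # A driver key without ImagePath is loaded from System32\drivers\<keyname>.sys.
            $file = Join-Path $env:SystemRoot ("System32\drivers\" + $key.PSChildName + ".sys")
        }
        if (-not (Test-Path -LiteralPath $file)) {
            New-Object PSObject -Property @{
                Service   = $key.PSChildName
                Start     = $props.Start       # 0 boot, 1 system, 2 auto, 3 on demand, 4 disabled
                ImagePath = $props.ImagePath
                Resolved  = $file
            }
        }
    }
}

function Get-OrphanedBho {
    # BHOs whose CLSID has no registration (OTL's "No CLSID value found") or whose DLL is missing.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path -LiteralPath $bhoKey)) { return }
    foreach ($key in Get-ChildItem -Path $bhoKey) {
        $clsid    = $key.PSChildName
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $name = $null; $dll = $null; $dllExists = $false
        if (Test-Path -LiteralPath $clsidKey) {
            $name   = (Get-ItemProperty -Path $clsidKey).'(default)'
            $inproc = Join-Path $clsidKey 'InprocServer32'
            if (Test-Path -LiteralPath $inproc) {
                $dll = (Get-ItemProperty -Path $inproc).'(default)'
                if ($dll) { $dllExists = Test-Path -LiteralPath (Resolve-ImagePath $dll) }
            }
        }
        New-Object PSObject -Property @{
            CLSID      = $clsid
            Name       = $name
            Dll        = $dll
            Registered = (Test-Path -LiteralPath $clsidKey)
            DllExists  = $dllExists
        }
    }
}

function Get-NonDefaultHostsEntry {
    # Every active hosts line other than the default localhost mapping (what [resethosts] restores).
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -LiteralPath $hosts |
        Where-Object { $_ -match '^\s*[^#\s]' } |
        Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*(#.*)?$' }
}

'== BHO entries with an unregistered CLSID or a missing DLL =='
Get-OrphanedBho | Where-Object { -not $_.Registered -or -not $_.DllExists } |
    Format-Table CLSID, Name, Registered, DllExists, Dll -AutoSize
'== Driver entries whose image file is missing =='
Get-OrphanedDriver | Format-Table Service, Start, ImagePath -AutoSize
'== hosts entries beyond the default localhost line =='
Get-NonDefaultHostsEntry
```

The script only reports; removal of the entries stays with the helper-reviewed OTL fix, since a missing driver file can be a leftover of an uninstalled product just as easily as of malware, and the Start value helps tell which entries would have produced the 7000/7026 events in the log above. A BHO that is registered but whose DLL is gone is listed separately from one whose CLSID has no registration at all, because the two need different registry cleanup.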



