Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijack this log


  • This topic is locked This topic is locked
14 replies to this topic

#1 Blatz

Blatz

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota
  • Local time:05:37 PM

Posted 29 December 2010 - 05:45 PM

Having some trouble with Computer slow downs, Web browser Malfunction, and Search engine redirects. I got rid of some stuff with Malewarebytes and AVG free but there is still something there. I have a Hijackthis log and I'm hoping someone can point out what I'm missing.

Attached Files


300 lives of men I have walked this earth and now? I have no time!

BC AdBot (Login to Remove)

 


#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:07:37 PM

Posted 05 January 2011 - 11:26 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 Blatz

Blatz
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota
  • Local time:05:37 PM

Posted 06 January 2011 - 12:16 AM

This is a computer I'm working on for a friend and not mine, It was experiencing search engine redirects and programs pretending to be antivirus. I've gotten rid of all the visible problems using Malewarebytes and Ccleaner but the computer still seems to be running very slow so I feel there might still be something.


DDS:

DDS (Ver_10-12-12.02) - NTFSx86
Run by Timothy Zuk at 21:32:25.60 on Wed 01/05/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.402 [GMT -6:00]

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Security Antivirus *Enabled/Updated* {DE265DC5-B18D-4CE6-885B-E9373AADA5B0}
FW: Security Antivirus *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\umonit.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\AVG\AVG10\avgui.exe
C:\WINDOWS\system32\wuauclt.exe
D:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:8074
uSearchURL,(Default) = hxxp://search.alot.com/web?q=&pr=auto&client_id=E5B6AAE001CAD33D07F323E9&src_id=11078&camp_id=782&tb_version=2.5.9000.490
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: ALOT Toolbar Helper: {14ceeaff-96dd-4101-ae37-d5ecdc23c3f6} - c:\program files\alot\bin\bho\alotBHO.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
TB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [UMonit] c:\windows\system32\umonit.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
StartupFolder: c:\docume~1\timoth~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
IFEO: image file execution options - svchost.exe

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2007-5-24 231424]
S0 appofigt;appofigt;c:\windows\system32\drivers\fxdayfg.sys --> c:\windows\system32\drivers\fxdayfg.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-23 6128208]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-5 136176]
S3 fixustor;fixustor;c:\windows\system32\drivers\fixustor.sys [2009-1-28 6016]

=============== Created Last 30 ================

2010-12-30 21:38:33 23 --sha-w- c:\windows\system32\bbfafc_g.dll
2010-12-30 21:37:49 -------- d-----w- c:\program files\RegSupreme
2010-12-29 23:04:19 -------- d--h--w- C:\$AVG
2010-12-29 21:47:53 -------- d-----w- c:\windows\pss
2010-12-29 01:09:24 -------- d-----w- c:\docume~1\timoth~1\applic~1\AVG10
2010-12-29 00:52:21 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-12-29 00:31:16 -------- d-----w- c:\windows\system32\drivers\AVG
2010-12-29 00:27:05 -------- d-----w- c:\program files\AVG
2010-12-28 23:35:38 -------- d-----w- c:\program files\CCleaner
2010-12-28 20:57:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-12-28 19:39:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-12-24 14:34:16 -------- d-----w- c:\windows\system32\LogFiles
2010-12-10 20:48:24 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-12-10 20:43:03 -------- d-----w- c:\docume~1\timoth~1\applic~1\Malwarebytes
2010-12-10 20:14:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-10 20:14:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-10 20:14:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-10 20:14:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-08 10:12:38 251728 ----a-w- c:\windows\system32\drivers\avgldx86.sys

==================== Find3M ====================


=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHV2100AT_PL rev.008300A1 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85531555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x855377b0]; MOV EAX, [0x8553782c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x85546AB8]
3 CLASSPNP[0xF7612FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000060[0x855A8458]
5 ACPI[0xF74A9620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x855CAD98]
\Driver\atapi[0x8556A420] -> IRP_MJ_CREATE -> 0x85531555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskFUJITSU_MHV2100AT_PL____________________008300A1#5&1ca618f4&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8553139B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 21:35:03.87 ===============

Attached Files


300 lives of men I have walked this earth and now? I have no time!

#4 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:07:37 PM

Posted 07 January 2011 - 02:46 PM

Hi,

Welcome to Bleeping Computer.

My name is Shannon and I will be working with you to remove the malware that is on your machine.

I apologize for the delay in replying to your post, but this forum is extremely busy.

Please don't make any further changes or run any other tools unless instructed to. Additional changes may hinder the cleaning of your machine.

When asked to copy logs or reports into your reply, please copy them directly into your reply. Do not include them in quotes. Do not attach them unless asked to do so. In Notepad, please turn off Word Wrap under the Format menu.

Please Track this topic - On the top right on this tread, click on the Option button, and, in the drop-down list, click on 'Track this topic'. Under Subscription Information, click on 'Immediate Email Notification' and then click on the Proceed button at the bottom.

Please give me some time to look over your log. I will post the reply as soon as possible.
Shannon

#5 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:07:37 PM

Posted 07 January 2011 - 03:44 PM

Hi-

Thank you for the scans. They did show some problems and one was backdoor trojan. A backdoor trojan allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide to continue with the cleanup -

Download Combofix from either of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: how-to-use-combofix

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable your Anti-virusl


Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please copy the "C:\ComboFix.txt" into your reply.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


In your reply, please copy in the contents of ComboFix.txt report.

Thanks,
Shannon

#6 Blatz

Blatz
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota
  • Local time:05:37 PM

Posted 08 January 2011 - 02:06 AM

I would like to clean the computer as I don't have the resources to reformat it right now. The computer is not mine so I will contact the owner as soon as possible to warn them.


ComboFix 11-01-07.01 - Timothy Zuk 01/08/2011 0:06.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.623 [GMT -6:00]
Running from: c:\documents and settings\Timothy Zuk\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\af65fff
c:\documents and settings\All Users\Application Data\af65fff\6663.mof
c:\documents and settings\All Users\Application Data\af65fff\BackUp\HP Digital Imaging Monitor.lnk
c:\documents and settings\All Users\Application Data\af65fff\BackUp\HP Photosmart Premier Fast Start.lnk
c:\documents and settings\All Users\Application Data\af65fff\BackUp\McAfee Security Scan Plus.lnk
c:\documents and settings\All Users\Application Data\af65fff\BackUp\OneNote 2007 Screen Clipper and Launcher.lnk
c:\documents and settings\All Users\Application Data\af65fff\SAV.ico
c:\documents and settings\All Users\Application Data\af65fff\SAVSys\vd952342.bd
c:\documents and settings\Timothy Zuk\Application Data\alot
c:\documents and settings\Timothy Zuk\Application Data\alot\BrowserSearch\BrowserSearch.xml
c:\documents and settings\Timothy Zuk\Application Data\alot\BrowserSearch\BrowserSearch.xml.backup
c:\documents and settings\Timothy Zuk\Application Data\alot\Button_0\Button_0.xml
c:\documents and settings\Timothy Zuk\Application Data\alot\Button_0\Button_0.xml.backup
c:\documents and settings\Timothy Zuk\Application Data\alot\Button_1\Button_1.xml
c:\documents and settings\Timothy Zuk\Application Data\alot\Button_1\Button_1.xml.backup
c:\documents and settings\Timothy Zuk\Application Data\alot\Button_2\Button_2.xml
c:\documents and settings\Timothy Zuk\Application Data\alot\Button_2\Button_2.xml.backup
c:\documents and settings\Timothy Zuk\Application Data\alot\configurator\configurator.xml
c:\documents and settings\Timothy Zuk\Application Data\alot\configurator\configurator.xml.backup
c:\documents and settings\Timothy Zuk\Application Data\alot\contextMenu\contextMenu.xml
c:\documents and settings\Timothy Zuk\Application Data\alot\contextMenu\contextMenu.xml.backup
c:\documents and settings\Timothy Zuk\Application Data\alot\ErrorSearch\ErrorSearch.xml
c:\documents and settings\Timothy Zuk\Application Data\alot\ErrorSearch\ErrorSearch.xml.backup
c:\documents and settings\Timothy Zuk\Application Data\alot\hideToolbarLayout\hideToolbarLayout.xml
c:\documents and settings\Timothy Zuk\Application Data\alot\hideToolbarLayout\hideToolbarLayout.xml.backup
c:\documents and settings\Timothy Zuk\Application Data\alot\postInstallLayout\postInstallLayout.xml
c:\documents and settings\Timothy Zuk\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup
c:\documents and settings\Timothy Zuk\Application Data\alot\products\products.xml
c:\documents and settings\Timothy Zuk\Application Data\alot\products\products.xml.backup
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\BrowserSearch\alot_search_defend.html
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\BrowserSearch\images\favicon.ico
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Button_0\images\alot_logo_button.bmp
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Button_0\images\alot_logo_button.png
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Button_1\images\alot_image_search.bmp
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Button_1\images\alot_image_search.png
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Button_1\images\alot_news_search.bmp
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Button_1\images\alot_news_search.png
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Button_1\images\alot_search_button.bmp
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Button_1\images\alot_search_button.png
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Button_1\images\alot_shop_search.bmp
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Button_1\images\alot_shop_search.png
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Button_1\images\alot_videos_search.bmp
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Button_1\images\alot_videos_search.png
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Button_1\images\alot_web_search.bmp
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Button_1\images\alot_web_search.png
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Button_2\images\alot_configure.bmp
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Button_2\images\alot_configure.png
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Button_201\images\default_2256_alot_fas_purse.bmp
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Button_201\images\default_2256_alot_fas_purse.png
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Button_3\images\1462_icon.png
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Button_4\images\2128_icon.png
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Button_5\images\4342_icon.png
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Button_6\images\default_1105_alot_recipe_videos.bmp
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Button_6\images\default_1105_alot_recipe_videos.png
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Button_7\images\2065_icon.png
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Button_8\images\2827_icon.png
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\contextMenu\images\alot_icon.bmp
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\contextMenu\images\alot_icon.png
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\contextMenu\images\alot_logo_button.bmp
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\contextMenu\images\alot_logo_button.png
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Shared\domains.dat
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Shared\images\alot_brand.png
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Shared\images\alot_splitter.png
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Shared\images\discover.png
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Shared\images\intro_popup.png
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Shared\images\spinner.bmp
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Shared\images\widget_bottom.bmp
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Shared\images\widget_btnclose0.bmp
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Shared\images\widget_btnclose1.bmp
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Shared\images\widget_caption.bmp
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Shared\images\widget_error_bg.bmp
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Shared\images\widget_error_close.bmp
c:\documents and settings\Timothy Zuk\Application Data\alot\Resources\Shared\images\widget_error_icon.bmp
c:\documents and settings\Timothy Zuk\Application Data\alot\SiteMetrics\SiteMetrics.xml
c:\documents and settings\Timothy Zuk\Application Data\alot\SiteMetrics\SiteMetrics.xml.backup
c:\documents and settings\Timothy Zuk\Application Data\alot\TimerManager\TimerManager.xml
c:\documents and settings\Timothy Zuk\Application Data\alot\TimerManager\TimerManager.xml.backup
c:\documents and settings\Timothy Zuk\Application Data\alot\toolbar.xml
c:\documents and settings\Timothy Zuk\Application Data\alot\toolbar.xml.backup
c:\documents and settings\Timothy Zuk\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml
c:\documents and settings\Timothy Zuk\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml.backup
c:\documents and settings\Timothy Zuk\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
c:\documents and settings\Timothy Zuk\Application Data\alot\ToolbarSearch\ToolbarSearch.xml.backup
c:\documents and settings\Timothy Zuk\Application Data\alot\Updater\Updater.xml
c:\documents and settings\Timothy Zuk\Application Data\alot\Updater\Updater.xml.backup
c:\documents and settings\Timothy Zuk\Application Data\completescan
c:\documents and settings\Timothy Zuk\Application Data\install
c:\program files\Shared
c:\windows\system32\bbfafc_g.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2010-12-08 to 2011-01-08 )))))))))))))))))))))))))))))))
.

2010-12-30 21:37 . 2010-12-30 21:38 -------- d-----w- c:\program files\RegSupreme
2010-12-29 23:04 . 2010-12-29 23:04 -------- d-----w- C:\$AVG
2010-12-29 01:09 . 2010-12-29 01:09 -------- d-----w- c:\documents and settings\Timothy Zuk\Application Data\AVG10
2010-12-29 00:52 . 2010-12-29 00:52 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-12-29 00:27 . 2010-12-29 00:27 -------- d-----w- c:\program files\AVG
2010-12-28 23:35 . 2010-12-28 23:35 -------- d-----w- c:\program files\CCleaner
2010-12-28 20:57 . 2011-01-08 05:58 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-12-28 19:39 . 2010-12-29 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-12-24 14:34 . 2010-12-24 14:34 -------- d-----w- c:\windows\system32\LogFiles
2010-12-11 13:32 . 2010-12-11 13:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-12-11 01:54 . 2010-12-11 01:54 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-12-10 20:48 . 2010-12-10 20:48 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-12-10 20:43 . 2010-12-10 20:43 -------- d-----w- c:\documents and settings\Timothy Zuk\Application Data\Malwarebytes
2010-12-10 20:14 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-10 20:14 . 2010-12-10 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-10 20:14 . 2010-12-28 19:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-10 20:14 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-10 19:50 . 2010-12-28 19:33 -------- d-----w- c:\documents and settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-09-06 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-22 405504]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"UMonit"="c:\windows\system32\umonit.exe" [2004-01-05 53248]

c:\documents and settings\Timothy Zuk\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [5/24/2007 9:47 PM 231424]
S0 appofigt;appofigt;c:\windows\system32\drivers\fxdayfg.sys --> c:\windows\system32\drivers\fxdayfg.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/5/2010 9:33 PM 136176]
S3 fixustor;fixustor;c:\windows\system32\drivers\fixustor.sys [1/28/2009 6:59 AM 6016]
.
Contents of the 'Scheduled Tasks' folder

2010-08-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2011-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-06 03:33]

2011-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-06 03:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:8074
uSearchURL,(Default) = hxxp://search.alot.com/web?q=&pr=auto&client_id=E5B6AAE001CAD33D07F323E9&src_id=11078&camp_id=782&tb_version=2.5.9000.490
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-08 00:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????9?4?4?8??????? ???B?????????????hLC? ??????
UMonit = c:\windows\system32\umonit.exe?or.sys???8????????'m?8????'m?3?US????8???UB????????????????????????????A~?'??????????tq2?l??????|p??|????m??|??D~?????????'m?B$?|??B~??B~*?,??'m???????????????????????????????B~????????????tq2?????T?????2?????tq2???????8????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHV2100AT_PL rev.008300A1 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8552E555]<<
c:\docume~1\TIMOTH~1\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x855347b0]; MOV EAX, [0x8553482c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x855CBAB8]
3 CLASSPNP[0xF7612FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000060[0x855623B8]
5 ACPI[0xF74A9620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x855CE940]
\Driver\atapi[0x85560328] -> IRP_MJ_CREATE -> 0x8552E555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskFUJITSU_MHV2100AT_PL____________________008300A1#5&1ca618f4&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8552E39B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(896)
c:\windows\system32\WININET.dll
.
Completion time: 2011-01-08 00:45:24
ComboFix-quarantined-files.txt 2011-01-08 06:45

Pre-Run: 79,114,391,552 bytes free
Post-Run: 80,525,185,024 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - F838F431F1A19C1037128F5A5943313F
300 lives of men I have walked this earth and now? I have no time!

#7 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:07:37 PM

Posted 08 January 2011 - 07:47 AM

Hi-

Thanks for the ComboFix log. It appears that there is still an infection that we need to go after.

First, please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

Next, please download MBRCheck by clicking here and save it to your desktop.
  • Be sure to disable your security programs.
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt).
  • A window will open on your desktop.
  • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter.
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
  • Please post the contents of that file in your next reply.

In your reply, please copy in the contents of the TDSSKiller report and the MBRCheck report. Please let me know how your computer is running now.

Thanks.
Shannon

#8 Blatz

Blatz
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota
  • Local time:05:37 PM

Posted 08 January 2011 - 08:24 AM

The computer is running faster and more smoothly. There doesn't seem to be any interference from malicious programs.


2011/01/08 07:06:05.0890 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2011/01/08 07:06:05.0890 ================================================================================
2011/01/08 07:06:05.0890 SystemInfo:
2011/01/08 07:06:05.0890
2011/01/08 07:06:05.0890 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/08 07:06:05.0890 Product type: Workstation
2011/01/08 07:06:05.0890 ComputerName: LAPTOP
2011/01/08 07:06:05.0890 UserName: Timothy Zuk
2011/01/08 07:06:05.0890 Windows directory: C:\WINDOWS
2011/01/08 07:06:05.0890 System windows directory: C:\WINDOWS
2011/01/08 07:06:05.0890 Processor architecture: Intel x86
2011/01/08 07:06:05.0890 Number of processors: 1
2011/01/08 07:06:05.0890 Page size: 0x1000
2011/01/08 07:06:05.0890 Boot type: Normal boot
2011/01/08 07:06:05.0890 ================================================================================
2011/01/08 07:06:07.0046 Initialize success
2011/01/08 07:06:19.0890 ================================================================================
2011/01/08 07:06:19.0890 Scan started
2011/01/08 07:06:19.0890 Mode: Manual;
2011/01/08 07:06:19.0890 ================================================================================
2011/01/08 07:06:22.0953 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/08 07:06:24.0015 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/01/08 07:06:25.0843 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/01/08 07:06:27.0078 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/01/08 07:06:31.0390 AmdK8 (59301936898ae62245a6f09c0aba9475) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
2011/01/08 07:06:36.0500 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/01/08 07:06:37.0531 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/01/08 07:06:40.0734 ati2mtag (287b11a781f2b7a28f283fd4b7434daf) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/01/08 07:06:41.0703 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/01/08 07:06:42.0625 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/01/08 07:06:43.0921 BCM43XX (30d20fc98bcfd52e1da778cf19b223d4) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2011/01/08 07:06:45.0296 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/01/08 07:06:46.0234 CAMCAUD (c2ef37f09cfee9665e6cd7c0b0afb84f) C:\WINDOWS\system32\drivers\camc6aud.sys
2011/01/08 07:06:47.0437 CAMCHALA (512df898de5c0654647acd5c82f0bd99) C:\WINDOWS\system32\drivers\camc6hal.sys
2011/01/08 07:06:48.0828 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/01/08 07:06:50.0453 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/01/08 07:06:51.0375 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/01/08 07:06:52.0453 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/01/08 07:06:54.0234 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/01/08 07:06:56.0000 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/01/08 07:06:59.0390 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/08 07:07:01.0140 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/01/08 07:07:03.0187 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/01/08 07:07:04.0250 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/08 07:07:05.0218 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/01/08 07:07:07.0484 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/01/08 07:07:08.0781 eabfiltr (c6aca0190ee7b614673ee0c91863b1eb) C:\WINDOWS\system32\drivers\EABFiltr.sys
2011/01/08 07:07:10.0046 eabusb (da1011db09ad641de40cd5cca70c0c43) C:\WINDOWS\system32\drivers\eabusb.sys
2011/01/08 07:07:11.0140 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/01/08 07:07:12.0265 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/01/08 07:07:13.0234 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/01/08 07:07:14.0171 fixustor (cdb568db5e8985dcc623da808ac61042) C:\WINDOWS\system32\drivers\fixustor.sys
2011/01/08 07:07:15.0093 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/01/08 07:07:16.0125 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/01/08 07:07:17.0125 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/01/08 07:07:18.0187 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/08 07:07:20.0093 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/01/08 07:07:21.0968 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/01/08 07:07:22.0906 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/01/08 07:07:23.0828 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/01/08 07:07:25.0046 HSFHWATI (14794f142befc962ab142584607a6631) C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys
2011/01/08 07:07:27.0234 HSF_DP (f99bb4e2b462198b2b0a82d0949f0c41) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2011/01/08 07:07:29.0578 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/08 07:07:32.0437 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/01/08 07:07:33.0656 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/01/08 07:07:36.0640 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/01/08 07:07:37.0609 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/01/08 07:07:38.0531 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/01/08 07:07:39.0609 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/01/08 07:07:40.0734 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/01/08 07:07:41.0750 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/01/08 07:07:42.0671 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/01/08 07:07:43.0578 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/01/08 07:07:44.0671 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/01/08 07:07:45.0812 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/01/08 07:07:47.0671 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/01/08 07:07:48.0625 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/01/08 07:07:49.0531 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/01/08 07:07:50.0421 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/08 07:07:51.0343 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/01/08 07:07:53.0203 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/01/08 07:07:54.0750 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/01/08 07:07:56.0015 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/01/08 07:07:57.0015 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/01/08 07:07:57.0890 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/01/08 07:07:58.0765 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/01/08 07:07:59.0765 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/01/08 07:08:00.0953 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/08 07:08:02.0281 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/01/08 07:08:03.0359 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/01/08 07:08:04.0203 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/01/08 07:08:05.0203 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/01/08 07:08:06.0156 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/01/08 07:08:07.0093 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/01/08 07:08:08.0171 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/01/08 07:08:09.0343 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/01/08 07:08:10.0859 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/08 07:08:12.0296 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/01/08 07:08:13.0203 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/01/08 07:08:14.0062 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/01/08 07:08:15.0093 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/01/08 07:08:16.0109 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/01/08 07:08:16.0984 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/01/08 07:08:17.0937 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/01/08 07:08:19.0750 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/01/08 07:08:20.0984 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/01/08 07:08:27.0015 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/08 07:08:28.0031 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/01/08 07:08:29.0031 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/08 07:08:29.0968 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/08 07:08:30.0859 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/01/08 07:08:35.0843 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/08 07:08:36.0843 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/08 07:08:37.0812 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/08 07:08:38.0781 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/08 07:08:39.0875 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/08 07:08:40.0953 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/08 07:08:42.0031 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/01/08 07:08:43.0218 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/08 07:08:44.0359 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/08 07:08:45.0453 RTL8023xp (7889e3981e0a5d347e037abd467d53a5) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
2011/01/08 07:08:46.0437 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2011/01/08 07:08:47.0390 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/08 07:08:48.0421 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/01/08 07:08:49.0390 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/01/08 07:08:52.0078 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/01/08 07:08:53.0109 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/08 07:08:54.0453 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/08 07:08:55.0796 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/08 07:08:56.0812 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/01/08 07:09:01.0265 SynTP (f484c77f748729129d5cc9c965d9f701) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/01/08 07:09:02.0421 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/08 07:09:03.0906 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/08 07:09:05.0125 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/08 07:09:06.0031 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/08 07:09:07.0000 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/08 07:09:08.0812 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/01/08 07:09:10.0984 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/01/08 07:09:12.0343 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/01/08 07:09:13.0328 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/01/08 07:09:14.0312 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/08 07:09:15.0234 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/01/08 07:09:16.0125 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/01/08 07:09:17.0046 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/01/08 07:09:17.0906 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/08 07:09:18.0828 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/01/08 07:09:20.0656 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/08 07:09:21.0703 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/08 07:09:23.0671 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/08 07:09:25.0437 winachsf (214bc3ad84907ad6ad655ac5465f449a) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/01/08 07:09:27.0203 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/01/08 07:09:27.0390 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/08 07:09:27.0421 ================================================================================
2011/01/08 07:09:27.0421 Scan finished
2011/01/08 07:09:27.0421 ================================================================================
2011/01/08 07:09:27.0437 Detected object count: 1
2011/01/08 07:09:56.0906 \HardDisk0 - will be cured after reboot
2011/01/08 07:09:56.0906 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/01/08 07:10:01.0218 Deinitialize success









MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 116):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0xF7AD2000 \WINDOWS\system32\KDCOM.DLL
0xF79E2000 \WINDOWS\system32\BOOTVID.dll
0xF74A3000 ACPI.sys
0xF7AD4000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7492000 pci.sys
0xF75D2000 isapnp.sys
0xF79E6000 compbatt.sys
0xF79EA000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7B9A000 pciide.sys
0xF7852000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF75E2000 MountMgr.sys
0xF7473000 ftdisk.sys
0xF7AD6000 dmload.sys
0xF744D000 dmio.sys
0xF79EE000 ACPIEC.sys
0xF7B9B000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF785A000 PartMgr.sys
0xF75F2000 VolSnap.sys
0xF7435000 atapi.sys
0xF7602000 disk.sys
0xF7612000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7415000 fltmgr.sys
0xF7403000 sr.sys
0xF7862000 PxHelp20.sys
0xF73EC000 KSecDD.sys
0xF735F000 Ntfs.sys
0xF7332000 NDIS.sys
0xF7622000 Serial.sys
0xF7318000 Mup.sys
0xF7782000 \SystemRoot\system32\DRIVERS\AmdK8.sys
0xF7AB2000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF715E000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF714A000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF797A000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF7126000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7982000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7103000 \SystemRoot\system32\DRIVERS\ks.sys
0xF77C2000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF798A000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF70D4000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF7AF4000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7992000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7AB6000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF706C000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xF7058000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
0xF7002000 \SystemRoot\system32\drivers\camc6hal.sys
0xF77D2000 \SystemRoot\system32\drivers\camc6aud.sys
0xF6FDE000 \SystemRoot\system32\drivers\portcls.sys
0xF77E2000 \SystemRoot\system32\drivers\drmk.sys
0xF6FA5000 \SystemRoot\system32\DRIVERS\HSFHWATI.sys
0xF6EA8000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xF6DF8000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF799A000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7C20000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF77F2000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7ABA000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6DE1000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7802000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7812000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF79A2000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6DD0000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7822000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF79AA000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF79B2000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF6DA0000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7832000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7AFA000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6D1A000 \SystemRoot\system32\DRIVERS\update.sys
0xF72E3000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7662000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF76C2000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7B28000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7C40000 \SystemRoot\System32\Drivers\Null.SYS
0xF7B2A000 \SystemRoot\System32\Drivers\Beep.SYS
0xF78AA000 \SystemRoot\System32\drivers\vga.sys
0xF7B2C000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7B2E000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF78B2000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF78BA000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF72C7000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xEEBFF000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xEEBA6000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xEEB7E000 \SystemRoot\system32\DRIVERS\netbt.sys
0xEEB5C000 \SystemRoot\System32\drivers\afd.sys
0xEEC42000 \SystemRoot\system32\DRIVERS\netbios.sys
0xEEB31000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xEEAC1000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF76B2000 \SystemRoot\System32\Drivers\Fips.SYS
0xEEA9B000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF76D2000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF7B34000 \??\C:\WINDOWS\system32\drivers\EABFiltr.sys
0xF79C2000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xEEA4F000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xEEA37000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7B5E000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF6D98000 \SystemRoot\System32\drivers\Dxapi.sys
0xF78C2000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7C58000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF052000 \SystemRoot\System32\ati2cqag.dll
0xBF08C000 \SystemRoot\System32\atikvmag.dll
0xBF0C2000 \SystemRoot\System32\ati3duag.dll
0xBF323000 \SystemRoot\System32\ativvaxx.dll
0xB85CC000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB8263000 \SystemRoot\system32\drivers\wdmaud.sys
0xB83C0000 \SystemRoot\system32\drivers\sysaudio.sys
0xB814D000 \SystemRoot\system32\drivers\kmixer.sys
0xB7F22000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB7CEA000 \SystemRoot\system32\DRIVERS\srv.sys
0xB7F12000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xB79D9000 \SystemRoot\System32\Drivers\HTTP.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 45):
0 System Idle Process
4 System
728 C:\WINDOWS\system32\smss.exe
784 csrss.exe
840 C:\WINDOWS\system32\winlogon.exe
884 C:\WINDOWS\system32\services.exe
896 C:\WINDOWS\system32\lsass.exe
1048 C:\WINDOWS\system32\ati2evxx.exe
1064 C:\WINDOWS\system32\svchost.exe
1184 svchost.exe
1232 C:\WINDOWS\system32\svchost.exe
1296 svchost.exe
1432 svchost.exe
1804 C:\WINDOWS\system32\ati2evxx.exe
1908 C:\WINDOWS\explorer.exe
1968 C:\WINDOWS\system32\spoolsv.exe
1604 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
1628 svchost.exe
1636 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
1684 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
1732 C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe
1692 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
1988 C:\Program Files\HP\QuickPlay\QPService.exe
2004 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
188 C:\Program Files\Bonjour\mDNSResponder.exe
224 C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
512 C:\WINDOWS\system32\umonit.exe
508 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
596 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
616 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
644 C:\WINDOWS\system32\ctfmon.exe
528 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
168 C:\WINDOWS\system32\svchost.exe
180 wdfmgr.exe
1332 C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
1592 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
1776 C:\WINDOWS\system32\wuauclt.exe
2220 C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
2744 C:\WINDOWS\system32\wscntfy.exe
2756 C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
2804 wmiprvse.exe
2840 alg.exe
3044 wmiprvse.exe
3520 C:\PROGRA~1\HPQ\shared\HPQTOA~1.EXE
3732 C:\Documents and Settings\Timothy Zuk\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00100000 (FAT32)

PhysicalDrive0 Model Number: FUJITSUMHV2100ATPL, Rev: 008300A1
PhysicalDrive1 Model Number: SeagateFreeAgent Go, Rev: 0148

Size Device Name MBR Status
--------------------------------------------
93 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
298 GB \\.\PhysicalDrive1 RE: Unknown MBR code
SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
300 lives of men I have walked this earth and now? I have no time!

#9 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:07:37 PM

Posted 08 January 2011 - 10:38 AM

Hi-

TDSSKiller took out the main infection. Now it is time to do an update and check what other problems are left.

Your Java runtimes are out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version here - Java Runtime Environment (JRE) Version 6
  • Scroll down to where it says "JDK 6 Update 23 (JRE) ...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u23-windows-i586.exe to install the newest version.

Next, we need to create an OTL Report
  • Please download OTL from here:
  • Main Mirror
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList"
  • Push the Posted Image button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

In your reply, please copy in the OTL reports.
Shannon

#10 Blatz

Blatz
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota
  • Local time:05:37 PM

Posted 08 January 2011 - 06:27 PM

Here you go,


OTL logfile created on: 1/8/2011 5:16:42 PM - Run 1
OTL by OldTimer - Version 3.2.20.1 Folder = C:\Documents and Settings\Timothy Zuk\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.00 Mb Total Physical Memory | 437.00 Mb Available Physical Memory | 49.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.15 Gb Total Space | 74.63 Gb Free Space | 80.12% Space Free | Partition Type: NTFS
Drive D: | 298.01 Gb Total Space | 131.71 Gb Free Space | 44.20% Space Free | Partition Type: FAT32

Computer Name: LAPTOP | User Name: Timothy Zuk | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/01/08 17:13:20 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\javaw.exe
PRC - [2011/01/08 16:52:47 | 080,029,464 | ---- | M] () -- C:\Documents and Settings\Timothy Zuk\Desktop\jdk-6u23-windows-i586.exe
PRC - [2011/01/08 16:50:07 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Timothy Zuk\Desktop\OTL.exe
PRC - [2010/09/05 21:33:40 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/04/13 18:12:40 | 000,358,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmic.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/13 18:12:14 | 000,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cmd.exe
PRC - [2005/12/22 09:57:10 | 000,405,504 | ---- | M] (Hewlett-Packard ) -- C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe
PRC - [2005/12/08 14:45:12 | 000,516,182 | ---- | M] () -- C:\Program Files\HPQ\shared\HpqToaster.exe
PRC - [2005/09/24 01:42:32 | 000,475,136 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
PRC - [2004/01/05 09:59:06 | 000,053,248 | R--- | M] (General) -- C:\WINDOWS\system32\umonit.exe


========== Modules (SafeList) ==========

MOD - [2011/01/08 16:50:07 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Timothy Zuk\Desktop\OTL.exe
MOD - [2010/08/23 10:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2004/09/29 11:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\TIMOTH~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\fxdayfg.sys -- (appofigt)
DRV - [2005/11/28 03:35:38 | 000,424,320 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2005/11/10 16:51:00 | 001,396,224 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/09/30 05:11:00 | 000,078,720 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2005/08/22 03:06:00 | 001,035,008 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2005/08/22 03:06:00 | 000,718,464 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/08/22 03:06:00 | 000,231,424 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWATI.sys -- (HSFHWATI)
DRV - [2005/08/02 04:00:00 | 000,349,312 | R--- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camc6hal.sys -- (CAMCHALA)
DRV - [2005/08/02 03:58:00 | 000,038,016 | R--- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camc6aud.sys -- (CAMCAUD)
DRV - [2005/06/19 06:33:18 | 000,190,400 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005/05/05 11:04:08 | 000,007,936 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\eabfiltr.sys -- (eabfiltr)
DRV - [2005/05/05 11:04:04 | 000,005,760 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EabUsb.sys -- (eabusb)
DRV - [2005/03/09 16:53:00 | 000,036,352 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2004/08/03 16:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/01/05 10:23:16 | 000,006,016 | R--- | M] (Genesys Logic) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\fixustor.sys -- (fixustor)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr8/*http://www.yahoo.com/ext/search/search.html


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-436374069-1957994488-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\S-1-5-21-436374069-1957994488-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKU\S-1-5-21-436374069-1957994488-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-436374069-1957994488-839522115-1003\..\URLSearchHook: - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-436374069-1957994488-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-436374069-1957994488-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-436374069-1957994488-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8074



O1 HOSTS File: ([2011/01/08 00:38:15 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-436374069-1957994488-839522115-1003\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe (Hewlett-Packard )
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe (General)
O4 - HKU\S-1-5-21-436374069-1957994488-839522115-1003..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-21-436374069-1957994488-839522115-1003..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKU\S-1-5-21-436374069-1957994488-839522115-1003..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil10k_ActiveX.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Development Company, L.P.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: DisableCAD = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-436374069-1957994488-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-436374069-1957994488-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-436374069-1957994488-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-436374069-1957994488-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.254.254 192.168.254.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Timothy Zuk\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Timothy Zuk\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/05/24 22:17:08 | 000,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/01/08 17:18:24 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/01/08 17:17:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2011/01/08 17:16:09 | 000,000,000 | ---D | C] -- C:\Program Files\Sun
[2011/01/08 17:15:03 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/01/08 17:15:03 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/01/08 17:15:03 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/01/08 17:15:03 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/01/08 17:15:03 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/01/08 16:50:03 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Timothy Zuk\Desktop\OTL.exe
[2011/01/08 00:45:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/01/07 23:50:26 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/01/07 23:43:51 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/01/07 23:43:51 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/01/07 23:43:51 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/01/07 23:43:51 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/01/07 23:43:13 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/01/07 23:16:22 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/12/29 17:04:19 | 000,000,000 | ---D | C] -- C:\$AVG
[2010/12/29 15:47:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/12/28 19:09:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Timothy Zuk\Application Data\AVG10
[2010/12/28 18:52:21 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2010/12/28 18:27:05 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/12/28 17:54:28 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Timothy Zuk\Recent
[2010/12/28 14:57:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2010/12/28 13:39:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2010/12/24 14:46:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/12/24 14:45:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/12/24 08:34:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2010/12/20 20:46:54 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Timothy Zuk\Start Menu\Programs\Administrative Tools
[2010/12/16 09:47:52 | 001,345,624 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Timothy Zuk\Desktop\TDSSKiller.exe
[2010/12/11 07:32:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/12/10 19:54:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/12/10 19:54:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/12/10 19:54:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/12/10 14:48:24 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2010/12/10 14:43:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Timothy Zuk\Application Data\Malwarebytes
[2010/12/10 14:14:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/12/10 14:12:02 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/01/08 17:13:20 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/01/08 17:13:20 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/01/08 17:13:20 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/01/08 17:13:20 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/01/08 17:13:20 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/01/08 16:52:47 | 080,029,464 | ---- | M] () -- C:\Documents and Settings\Timothy Zuk\Desktop\jdk-6u23-windows-i586.exe
[2011/01/08 16:50:07 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Timothy Zuk\Desktop\OTL.exe
[2011/01/08 16:43:00 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/01/08 16:32:04 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/01/08 16:30:37 | 000,001,146 | -HS- | M] () -- C:\hpqp.ini
[2011/01/08 16:30:25 | 000,000,039 | ---- | M] () -- C:\XP_TV.ini
[2011/01/08 16:29:28 | 000,000,892 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/01/08 16:28:44 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/01/08 16:28:40 | 937,676,800 | -HS- | M] () -- C:\hiberfil.sys
[2011/01/08 06:56:36 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Timothy Zuk\Desktop\MBRCheck.exe
[2011/01/08 00:38:15 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/01/07 23:50:48 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/01/07 23:12:28 | 004,150,017 | R--- | M] () -- C:\Documents and Settings\Timothy Zuk\Desktop\ComboFix.exe
[2010/12/30 15:38:33 | 000,000,023 | ---- | M] () -- C:\WINDOWS\System32\dfcdbddbafe_g.ocx
[2010/12/29 15:17:10 | 000,002,187 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2010/12/29 15:12:03 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/12/16 09:47:52 | 001,345,624 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Timothy Zuk\Desktop\TDSSKiller.exe
[2010/12/11 11:40:46 | 000,380,918 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/12/11 11:40:46 | 000,053,166 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/12/10 19:43:03 | 000,014,739 | ---- | M] () -- C:\WINDOWS\System32\12543.js
[2010/12/10 14:49:27 | 000,000,008 | RHS- | M] () -- C:\Documents and Settings\Timothy Zuk\ntuser.pol
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/01/08 16:52:47 | 080,029,464 | ---- | C] () -- C:\Documents and Settings\Timothy Zuk\Desktop\jdk-6u23-windows-i586.exe
[2011/01/08 07:05:24 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Timothy Zuk\Desktop\MBRCheck.exe
[2011/01/07 23:50:48 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/01/07 23:50:40 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/01/07 23:43:51 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/01/07 23:43:51 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/01/07 23:43:51 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/01/07 23:43:51 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/01/07 23:43:51 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/01/07 23:14:24 | 004,150,017 | R--- | C] () -- C:\Documents and Settings\Timothy Zuk\Desktop\ComboFix.exe
[2010/12/30 15:38:33 | 000,000,023 | ---- | C] () -- C:\WINDOWS\System32\dfcdbddbafe_g.ocx
[2010/12/28 17:00:48 | 937,676,800 | -HS- | C] () -- C:\hiberfil.sys
[2010/12/10 19:43:03 | 000,014,739 | ---- | C] () -- C:\WINDOWS\System32\12543.js
[2010/12/10 14:49:19 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\Timothy Zuk\ntuser.pol
[2010/11/25 16:22:28 | 000,000,006 | ---- | C] () -- C:\Documents and Settings\Timothy Zuk\Application Data\start
[2010/03/13 08:17:10 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/01/28 06:59:51 | 000,000,703 | R--- | C] () -- C:\WINDOWS\System32\iconcfg.ini
[2009/01/27 22:38:29 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\ustor.dll
[2009/01/27 22:38:20 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\MapLine.dll
[2009/01/27 22:38:20 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\DMAPI.dll
[2009/01/27 22:38:20 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\At5MapBind.dll
[2009/01/27 22:38:20 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\Strcnvfn.dll
[2007/11/16 00:26:21 | 000,000,619 | ---- | C] () -- C:\Documents and Settings\Timothy Zuk\Application Data\Hewlett-PackardHP PSC 1400 series1193244517_UI.log
[2007/11/16 00:26:21 | 000,000,462 | ---- | C] () -- C:\Documents and Settings\Timothy Zuk\Application Data\Hewlett-PackardHP PSC 1400 series1193244517_PROTOCOL.log
[2007/11/16 00:26:21 | 000,000,221 | ---- | C] () -- C:\WINDOWS\NCLogConfig.ini
[2007/11/16 00:26:21 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Timothy Zuk\Application Data\Hewlett-PackardHP PSC 1400 series1193244517_API.log
[2007/06/15 21:30:46 | 000,008,704 | ---- | C] () -- C:\Documents and Settings\Timothy Zuk\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/05/24 22:34:56 | 000,000,134 | ---- | C] () -- C:\Documents and Settings\Timothy Zuk\Local Settings\Application Data\fusioncache.dat
[2007/05/24 22:24:57 | 000,000,059 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2007/05/24 22:20:35 | 000,000,172 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2007/05/24 22:09:46 | 000,028,836 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2007/05/24 22:01:28 | 000,001,438 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2007/05/23 16:33:06 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/12/02 04:09:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2001/07/06 14:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:57DC3B52

< End of report >




OTL Extras logfile created on: 1/8/2011 5:16:42 PM - Run 1
OTL by OldTimer - Version 3.2.20.1 Folder = C:\Documents and Settings\Timothy Zuk\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.00 Mb Total Physical Memory | 437.00 Mb Available Physical Memory | 49.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.15 Gb Total Space | 74.63 Gb Free Space | 80.12% Space Free | Partition Type: NTFS
Drive D: | 298.01 Gb Total Space | 131.71 Gb Free Space | 44.20% Space Free | Partition Type: FAT32

Computer Name: LAPTOP | User Name: Timothy Zuk | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- (Yahoo! Inc.)
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- ()
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00BA866C-F2A2-4BB9-A308-3DFA695B6F7C}" = Java DB 10.5.3.0
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic Data Module
"{09D8492A-C8E2-421E-927D-46800FB327A3}" = Wireless Home Network Setup
"{0B33B738-AD79-4E32-90C5-E67BFB10BBFF}" = AiO_Scan
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{193DB24F-9A66-4896-8404-22D53EA89075}" = 1400_Help
"{1CB34CE9-0E6B-493F-BB66-3425E5DF76E5}" = CP_CalendarTemplates1
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD Plus
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23B35809-5E4A-4F14-8332-1CDEDDFAC089}" = CP_Package_Variety2
"{24BEBF2E-73F3-4599-840B-EDC612CCDD0D}" = Destinations
"{266959FA-0AEE-41D0-A88E-F1EAC10A7C14}" = 1400
"{26A24AE4-039D-4CA4-87B4-2F83216023FF}" = Java™ 6 Update 23
"{2818095F-FB6C-42C8-827E-0A406CC9AFF5}" = Quicken 2006
"{286F29AF-0BE2-4D5F-AB17-B7631A810553}" = muvee autoProducer 4.5
"{2A548002-9042-4083-A270-B67473DE1073}" = SkinsHP1
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{30C19FF2-7FBA-4d09-B9DE-1659977F64F6}" = TrayApp
"{32A3A4F4-B792-11D6-A78A-00B0D0160230}" = Java™ SE Development Kit 6 Update 23
"{34F3FCF1-817B-4D61-B6AF-19D9486AFEA0}" = Unload
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36D620AD-EEBA-4973-BA86-0C9AE6396620}" = OptionalContentQFolder
"{3999F9A3-FC50-4B8F-8001-5F7C43BA8AD9}" = MapCreate USA
"{3FE0CFAB-584A-4AA5-B8CD-C32284CFA308}" = RandMap
"{4041C245-7099-4C96-9738-5EBC23827B3C}" = BufferChm
"{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}" = HP Wireless Assistant 2.00 C1
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP QuickPlay 2.0
"{494D17B5-3369-4905-8C4B-80C972C5E0FF}" = CP_Panorama1Config
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4DA4012B-39AF-48c2-B23B-A4D570D233A6}" = cp_LightScribeConfig
"{522D1D79-9C0A-4361-91F8-2AFF8EC6C2E1}" = CP_Package_Variety1
"{52AE81CB-B786-490E-93CF-240A9891B392}" = HP User Guides 0025
"{52BDF21B-2E68-4792-87BE-F8A132D5FFD9}" = MapCreate USA
"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder
"{54E3707F-808E-4fd4-95C9-15D1AB077E5D}" = NewCopy
"{54F0998F-73C8-4b51-8286-FE903C231BED}" = cp_PosterPrintConfig
"{56F8AFC3-FA98-4ff1-9673-8A026CBF85BE}" = WebReg
"{582D2A53-F426-4C5E-A2E6-43C1AB36B907}" = Safari
"{5B622B7A-60FB-4630-B11D-F121D20BCCD6}" = MarketResearch
"{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}" = HP PSC & OfficeJet 5.3.B
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6BB6627C-694F-4FDC-A3E5-C7F4BED4C724}" = DocProc
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{766633B3-1AFA-44B6-A3FC-1DE991CD9C52}" = CP_Package_Basic1
"{7850A6D2-CBEA-4728-9877-F1BEDEA9F619}" = AiOSoftware
"{79F8E1D4-36C1-439C-95FA-F695050B5B07}" = Sonic_PrimoSDK
"{7B6CF9EB-CB2B-4A1A-81A9-BE1A9044690A}" = TIPCI
"{7C9B95B7-B598-4398-B30F-7F6827192E6C}" = ProductContext
"{7F2F3F8B-2D57-48A3-99D0-1AC23D594C89}" = LightScribe 1.4.56.1
"{80AE27BA-B0ED-4288-A8B9-D8194BCF4115}" = cp_UpdateProjectsConfig
"{869C3062-4745-4949-B6C9-98AF24D89030}" = PhotoGallery
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{923A7F5A-1E8C-4FBE-8DF6-85940A60A79F}" = Readme
"{94FB906A-CF42-4128-A509-D353026A607E}" = REALTEK Gigabit and Fast Ethernet NIC Driver
"{9D4ABB0C-F60B-44A6-956C-A4A63D5495C9}" = CueTour
"{A195B13E-A5E3-4BAF-A995-7F70F445CD06}" = ScannerCopy
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic Audio Module
"{AC76BA86-0000-0000-0000-6028747ADE01}" = Adobe Acrobat - Reader 6.0.2 Update
"{AC76BA86-0000-7EC8-7489-000000000603}" = Adobe Acrobat and Reader 6.0.3 Update
"{AC76BA86-0000-7EC8-7489-000000000604}" = Adobe Acrobat and Reader 6.0.4 Update
"{AC76BA86-7AD7-1033-7B44-A00000000001}" = Adobe Reader 6.0.1
"{B11E71BA-498C-42D4-9F1A-9D7A89D9DA61}" = CP_AtenaShokunin1Config
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic Copy Module
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B4BF87C8-3EEC-4774-82A2-584F109187B1}" = USB 2.0 MMC/SD Card Reader
"{B57F2FF0-5A25-4332-B503-4592B370C02F}" = CP_Package_Variety3
"{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}" = HP Software Update
"{BBD3BF67-5B89-4CBB-BA58-5818ED5F3290}" = cp_OnlineProjectsConfig
"{BC96BBA7-C634-460E-AD18-A0A994213F80}" = HP User Guides--System Recovery
"{C151CE54-E7EA-4804-854B-F515368B0798}" = Athlon 64 Processor Driver
"{C506A18C-1469-4678-B094-F4EC9DAE6DB7}" = Scan
"{C510CA36-98D6-4F07-8AFF-81E7399A075B}" = 1400Trb
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE24344F-DFD8-40C8-8FD8-C9740B5F25AC}" = Fax
"{CEB326EC-8F40-47B2-BA22-BB092565D66F}" = Quick Launch Buttons 5.20 G1
"{DED55AC6-A9ED-4596-BEF9-AE075B8FDAFA}" = MapCreate USA
"{E3F90083-80D4-4b5a-87C7-E97E12F5516D}" = HPProductAssistant
"{EA103B64-C0E4-4C0E-A506-751590E1653D}" = SolutionCenter
"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}" = Apple Mobile Device Support
"{F4C2E5F5-2970-45f4-ABD3-C180C4D961C4}" = Status
"{F958CA02-BB40-4007-894B-258729456EE4}" = QuickTime
"{FC8D25A7-FF1B-41BB-BB3B-9A06C0A60AE0}" = InstantShareDevices
"{FE64AE29-0883-4C70-8388-DC026019C900}" = HP Image Zone Express
"1C3FDBBA-EBF7-4CDB-AD8A-A1125734AF86" = Tradewinds from Hewlett-Packard Laptops (remove only)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"All ATI Software" = ATI - Software Uninstall Utility
"alotToolbar" = ALOT Toolbar
"ATI Display Driver" = ATI Display Driver
"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter
"CNXT_AUDIO" = Conexant AC-Link Audio
"CNXT_MODEM_PCI_VEN_1002&DEV_4378" = Soft Data Fax Modem with SmartCP
"E332F38A-75F6-4EF2-88CC-246E8A1CB5D7" = Oasis from Hewlett-Packard Laptops (remove only)
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"HP Game Console" = HP Game Console and games
"HP Imaging Device Functions" = HP Imaging Device Functions 6.0
"HP Photo & Imaging" = HP Photosmart Premier Software 6.0
"HP Rhapsody" = HP Rhapsody
"HP Solution Center & Imaging Support Tools" = HP Solution Center & Imaging Support Tools 5.3
"HPExtendedCapabilities" = HP Extended Capabilities 5.3
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{7B6CF9EB-CB2B-4A1A-81A9-BE1A9044690A}" = Texas Instruments PCIxx21/x515/xx12 drivers.
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"Yahoo! Messenger" = Yahoo! Messenger

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/13/2010 11:33:13 PM | Computer Name = LAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/13/2010 11:33:45 PM | Computer Name = LAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/13/2010 11:33:49 PM | Computer Name = LAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/13/2010 11:33:53 PM | Computer Name = LAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/13/2010 11:38:27 PM | Computer Name = LAPTOP | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x00023845.

Error - 12/14/2010 10:35:37 PM | Computer Name = LAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application YahooMessenger.exe, version 8.1.0.421, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/14/2010 11:14:31 PM | Computer Name = LAPTOP | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x00023845.

Error - 12/15/2010 11:38:06 PM | Computer Name = LAPTOP | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x00023845.

Error - 12/19/2010 9:26:29 PM | Computer Name = LAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application YahooMessenger.exe, version 8.1.0.421, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/19/2010 10:27:10 PM | Computer Name = LAPTOP | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x00023845.

[ System Events ]
Error - 1/8/2011 1:04:39 AM | Computer Name = LAPTOP | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the AVGIDSAgent service to
connect.

Error - 1/8/2011 1:04:39 AM | Computer Name = LAPTOP | Source = Service Control Manager | ID = 7000
Description = The AVGIDSAgent service failed to start due to the following error:
%%1053

Error - 1/8/2011 1:05:54 AM | Computer Name = LAPTOP | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Cdrom Imapi redbook

Error - 1/8/2011 1:10:22 AM | Computer Name = LAPTOP | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 1/8/2011 1:47:23 AM | Computer Name = LAPTOP | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.254.2 for the Network Card with network
address 0016D402E01B has been denied by the DHCP server 192.168.254.254 (The DHCP
Server sent a DHCPNACK message).

Error - 1/8/2011 2:01:20 AM | Computer Name = LAPTOP | Source = Tcpip | ID = 4198
Description = The system detected an address conflict for IP address 192.168.254.10
with the system having network hardware address 6E:F0:49:72:D6:A9. The local interface
has been disabled.

Error - 1/8/2011 2:01:29 AM | Computer Name = LAPTOP | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Cdrom Imapi redbook

Error - 1/8/2011 9:00:29 AM | Computer Name = LAPTOP | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Cdrom Imapi redbook

Error - 1/8/2011 9:15:43 AM | Computer Name = LAPTOP | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Cdrom Imapi redbook

Error - 1/8/2011 6:31:23 PM | Computer Name = LAPTOP | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Cdrom Imapi redbook


< End of report >
300 lives of men I have walked this earth and now? I have no time!

#11 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:07:37 PM

Posted 09 January 2011 - 03:01 PM

Hi-

Thank you for the OTL reports.

We need to run an OTL Fix.
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word "Code"
:OTL
DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\fxdayfg.sys -- (appofigt)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
IE - HKU\S-1-5-21-436374069-1957994488-839522115-1003\..\URLSearchHook: - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-436374069-1957994488-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-436374069-1957994488-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8074
IE - HKU\S-1-5-21-436374069-1957994488-839522115-1003\..\URLSearchHook: - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-436374069-1957994488-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-436374069-1957994488-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8074
[2010/12/30 15:38:33 | 000,000,023 | ---- | M] () -- C:\WINDOWS\System32\dfcdbddbafe_g.ocx
:commands
[emptytemp]
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.
  • If you have to reboot, once back up, open the C:\_OTL\MovedFiles folder and copy the newest log into your next reply.

Your Adobe Reader is out of date. You can download the latest version - Adobe Reader X

Next, please run Malwarebytes' Anti-Malware (MBAM)
  • Click on the Update tab and click the Check for Updates button.
  • When the update is finished, click on the Scanner tab.
  • Select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

I'd like for you to scan your machine with ESET OnlineScan
  • Hold down Control key and click on the following link to open ESET OnlineScan in a new window.
  • ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip the next two steps)
  • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

In your reply, please copy in the OTL Fix, MBAM, and the ESET Online (if you get one) reports. Also. please tell me now your computer is running.
Shannon

#12 Blatz

Blatz
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota
  • Local time:05:37 PM

Posted 11 January 2011 - 06:32 AM

The computer is running really well. I'm not noticing anymore problems. Malware bytes didn't find anything so I'm not posting the log.



All processes killed
========== OTL ==========
Service appofigt stopped successfully!
Service appofigt deleted successfully!
File C:\WINDOWS\System32\drivers\fxdayfg.sys not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_USERS\S-1-5-21-436374069-1957994488-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks\ deleted successfully.
HKU\S-1-5-21-436374069-1957994488-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKU\S-1-5-21-436374069-1957994488-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-436374069-1957994488-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks\ not found.
HKU\S-1-5-21-436374069-1957994488-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKU\S-1-5-21-436374069-1957994488-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
C:\WINDOWS\system32\dfcdbddbafe_g.ocx moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 4131 bytes
->Flash cache emptied: 456 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56502 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 6881414 bytes
->Flash cache emptied: 47636 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 4440198 bytes
->Java cache emptied: 18546 bytes
->Flash cache emptied: 15029 bytes

User: Timothy Zuk
->Temp folder emptied: 3104103 bytes
->Temporary Internet Files folder emptied: 791291 bytes
->Java cache emptied: 601736 bytes
->Apple Safari cache emptied: 14336 bytes
->Flash cache emptied: 1962805 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 663 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 19.00 mb


OTL by OldTimer - Version 3.2.20.1 log created on 01102011_122217

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Timothy Zuk\Local Settings\Temp\Perflib_Perfdata_eac.dat not found!

Registry entries deleted on Reboot...



ESET

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\af65fff\6663.mof.vir Win32/RogueAV.A trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A1351DCA-09D2-44D0-8DC0-BEC97257CADA}\RP367\A0050897.dll Win32/BHO.NMM trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A1351DCA-09D2-44D0-8DC0-BEC97257CADA}\RP367\A0050901.dll Win32/BHO.NMM trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A1351DCA-09D2-44D0-8DC0-BEC97257CADA}\RP367\A0050905.dll a variant of Win32/TrojanDownloader.Monkif.AB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A1351DCA-09D2-44D0-8DC0-BEC97257CADA}\RP375\A0061006.mof Win32/RogueAV.A trojan cleaned by deleting - quarantined
300 lives of men I have walked this earth and now? I have no time!

#13 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:07:37 PM

Posted 11 January 2011 - 09:35 AM

Hi-

The OTL fix went fine and ESET Online found infections that were already moved out of the way. It is now time to clean our tools off your computer, and to leave you with some words of advice.

First, we will uninstall ComboFix
  • Click on the Start button in your system tray
  • click on Run
  • key in the following in bold type:
    • combofix /Uninstall
  • click on Ok

Next, we should remove the tools we used and we will do that with OTL-
  • Double click on the Posted Image icon on your desktop.
  • Click the "CleanUp" button.
  • Restart your computer when prompted.

Delete the TDSSKiller icons from your desktop.

Please take the time to read below to secure your machine and take the necessary steps to keep it clean.

One of the most common questions found when cleaning Spyware or other Malware is "how did my machine get infected?". There are a variety of reasons, but the most common ones are that you are going to sites that you are not practicing Safe Internet, you are not running the proper security software, and that your computer's security settings are set too low.

Below I have outlined a series of categories that outline how you can increase the security of your computer so that you will not be infected again in the future.

Practice Safe Internet

One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below are a list of simple precautions to take to keep your computer clean and running securely:
  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  • If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  • If you are browsing the Internet and a pop up appears saying that you are infected, ignore it!. These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of pop ups, or Foistware, you should read this article: Foistware, And how to avoid it.

    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites
  • Another tactic to fool you on the web is when a site displays a pop up that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software a from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site.
  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.

Visit Microsoft's Windows Update Site Frequently

It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.

Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version. or the Pro version for a 15 day trial period. Another recommended, and free, AntiSpyware program is Malwarebytes' Anti-Malware (MBAM).

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Install SpywareBlaster

SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware

Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Update your Java runtimes regularly

Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
Download the latest version here - http://java.sun.com/javase/downloads/index.jsp. You want to select the JRE version.
Follow this list and your potential for being infected again will reduce dramatically.

Good Luck!!

Shannon

#14 Blatz

Blatz
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Minnesota
  • Local time:05:37 PM

Posted 11 January 2011 - 05:33 PM

Thanks for all the help, the computer is running great and everything looks good.
300 lives of men I have walked this earth and now? I have no time!

#15 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:07:37 PM

Posted 11 January 2011 - 06:35 PM

Take care and have a good new year!
Shannon




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users