Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Warning: possible TDL3 rootkit infection


  • This topic is locked This topic is locked
12 replies to this topic

#1 kevinapg

kevinapg

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:27 PM

Posted 13 January 2011 - 04:34 PM

:hysterical: I clicked on something on a website and a red warning box (fake) popped with Microsoft Security Essentials. I didn't click anything and shut down, but it still got by Avast and infected my computer. Symptoms--Google redirects (sometimes locks up) when I try to go to a Microsoft website. Sometimes it redirects out of the blue. Downloaded Malwarebytes and ran scan-- didn't work. Downloaded super anti-spyware and it didn't work. Downloaded Microsoft security essentials (the real one)and ran scan-- it didn't work. Went to C:\Windows\System32\drivers\etc and found several additional host files and removed. Still had problem. Went back to look at host files and they changed back again. Removed additional hosts a second time and then found your website.

--------------
DDS (Ver_10-12-12.02) - NTFSx86
Run by Kevin Dickenson at 15:23:39.35 on Thu 01/13/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.169 [GMT -5:00]

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Norton Internet Worm Protection *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\TetherBerry\TBService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Kevin Dickenson\Application Data\Smilebox\SmileboxTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\Kevin Dickenson\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\mshta.exe
C:\Documents and Settings\Kevin Dickenson\Desktop\Defogger.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Kevin Dickenson\Desktop\dds.scr
C:\WINDOWS\system32\dwwin.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/calendar/render?gsessionid=RIeY5xueGR-ECmApyD_HKA
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=userinit.exe
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [wefi] c:\program files\wefi\\WeFi.exe
uRun: [SmileboxTray] "c:\documents and settings\kevin dickenson\application data\smilebox\SmileboxTray.exe"
uRun: [Google Update] "c:\documents and settings\kevin dickenson\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [hpqSRMon]
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: MLXchange.com\rmlsfl
Trusted Zone: pbmls.com\www
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} - hxxp://rmlsfl.mlxchange.com/Control/FileCruiser.cab
DPF: {16FD824B-8E7B-11D2-9855-00802962956C} - hxxp://rmlsfl.mlxchange.com/Control/Specfile.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} - hxxp://prudential.truelogic.com.au/download/CfxIEAx.cab
DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} - hxxp://rmlsfl.mlxchange.com/Control/SISC.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {38DC7009-0D98-4B17-80E5-AD3DF79D3B9B} - hxxp://prudential.truelogic.com.au/CAB/TLOutlook.CAB
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} - hxxp://rmlsfl.mlxchange.com/Control/MultiSelectComboBox.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} - hxxp://rmlsfl.mlxchange.com/Control/MLXClientUtils.cab
DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} - hxxp://rmlsfl.mlxchange.com/Control/LiteGrid.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://rmlsfl.mlxchange.com/5.1.01.7036/Control/IRCSharc.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/DiskMD3/DiskMD3Ctrl.dll
DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} - hxxp://200.9.36.138:82/wg_webeye.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://top5events.webex.com/client/T26L/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} - hxxp://rmlsfl.mlxchange.com/Control/AspCustomCtrls.cab
DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} - hxxp://216.249.24.62/code/iPIX-ImageWell-ipix.cab
TCP: {CA312C74-3650-4BF4-AD53-19C639FA22E0} = 208.67.222.222,208.67.220.220
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {0E3C4A88-7C19-414E-9634-66AC13CB11F6} - c:\windows\system32\msiexec.exe /fu {0E3C4A88-7C19-414E-9634-66AC13CB11F6} /q

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-10 14336]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-4-17 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-10-16 47640]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-4-13 1247600]
R2 TetherBerry;TetherBerry;c:\program files\tetherberry\TBService.exe [2009-10-6 49040]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]
R3 qrkis;Tether Miniport;c:\windows\system32\drivers\qrkis.sys [2009-10-6 45608]
S2 gupdate1c9f768ebf190ca;Google Update Service (gupdate1c9f768ebf190ca);c:\program files\google\update\GoogleUpdate.exe [2009-6-27 133104]
S2 pciinfo;HP Pci Information;\??\c:\docume~1\kevind~1\locals~1\temp\hpispz\hpdom\pciinfo.sys --> c:\docume~1\kevind~1\locals~1\temp\hpispz\hpdom\pciinfo.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2011-01-11 14:19:04 -------- d-----w- c:\docume~1\kevind~2\applic~1\SUPERAntiSpyware.com
2011-01-11 14:19:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-01-11 14:18:32 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-01-09 22:48:28 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{40bcbcb2-5fe1-4cf1-a12d-5b3e1c5e5518}\mpengine.dll
2011-01-09 22:48:28 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-09 22:39:11 -------- d-----w- c:\program files\Microsoft Security Client
2011-01-09 22:22:59 -------- d-----w- C:\dfbfffca94d20d861ddc4b2f6f694b87
2011-01-09 21:14:16 388096 ----a-r- c:\docume~1\kevind~2\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-01-09 21:14:15 -------- d-----w- c:\program files\Trend Micro
2011-01-09 18:45:02 -------- dc-h--w- c:\windows\ie8
2011-01-09 18:15:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-08 21:13:32 -------- d-----w- c:\docume~1\kevind~2\applic~1\Malwarebytes
2011-01-08 21:13:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-08 21:13:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-08 21:13:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-08 21:13:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-08 21:12:41 7734208 ----a-w- c:\program files\mbam-setup.exe
2011-01-08 20:51:23 401720 ----a-w- c:\program files\iexplore.exe
2011-01-02 23:22:38 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-01-02 23:22:38 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-26 00:53:21 -------- d-----w- c:\docume~1\kevind~2\locals~1\applic~1\Smilebox
2010-12-15 19:10:08 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 18:59:39 45568 ------w- c:\windows\system32\dllcache\wab.exe

==================== Find3M ====================

2010-12-06 23:10:38 256 ----a-w- c:\windows\system32\pool.bin
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 21:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-09-07 01:02:44 7554116 ----a-w- c:\program files\mod-converter-82376.exe
2010-08-02 22:05:25 8177088 ----a-w- c:\program files\Vuze_Installer.exe
2010-08-02 18:57:25 96962344 ----a-w- c:\program files\iTunesSetup.exe
2010-07-15 03:02:30 584736 ----a-w- c:\program files\RealPlayerSPGold.exe
2009-05-18 22:38:57 23510720 ----a-w- c:\program files\dotnetfx.exe
2009-01-13 15:40:30 386560 ----a-w- c:\program files\justzipit
2008-12-27 22:04:57 342437920 ----a-w- c:\program files\AcroPro90_efg.exe
2008-03-23 19:10:23 407680 ----a-w- c:\program files\aswclnr.exe
2008-03-23 16:25:25 19890888 ----a-w- c:\program files\setupeng.exe
2008-02-19 22:51:56 28868320 ----a-w- c:\program files\FileFormatConverters.exe
2008-02-19 22:45:59 1454656 ----a-w- c:\program files\Silverlight.exe
2007-03-13 17:53:02 3842152 ----a-w- c:\program files\msgrplus.exe
2006-12-12 14:42:13 14879120 ----a-w- c:\program files\GoogleEarthWin.exe
2006-09-29 16:00:16 1803952 ----a-w- c:\program files\KODAK EASYSHARE Gallery Upload Software, V2.1.exe
2004-08-10 03:30:22 40960 ----a-w- c:\program files\Uninstall_CDS.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HTS541080G9AT00 rev.MB4OA60A -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x87121555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x871277b0]; MOV EAX, [0x8712782c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x87139AB8]
3 CLASSPNP[0xF75D2FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000077[0x871D33B8]
5 ACPI[0xF7469620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8717AD98]
\Driver\atapi[0x870E8F38] -> IRP_MJ_CREATE -> 0x87121555
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x7a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHTS541080G9AT00_________________________MB4OA60A#5&38ffc550&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8712139B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 15:27:34.90 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:10:27 PM

Posted 17 January 2011 - 02:50 PM

Hi,

Welcome to Bleeping Computer.

My name is Shannon and I will be working with you to remove the malware that is on your machine.

I apologize for the delay in replying to your post, but this forum is extremely busy.

Please Track this topic - On the top right on this tread, click on the Option button, and, in the drop-down list, click on 'Track this topic'. Under Subscription Information, click on 'Immediate Email Notification' and then click on the Proceed button at the bottom.

Do Not make any changes on your own to the infected computer.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Now, let's look more thoroughly at the infected computer -

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a log from the GMER anti-rootkit scanner, but, first, we need to disable your CD Emulation drivers.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Next, please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Once you have the above logs, click on the Add Reply button below, copy in the DDS log, and include the Attach.txt and the GMER log as attachments. Also include any comments that you might have concerning the infection(s) and the infected computer.
Shannon

#3 kevinapg

kevinapg
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:27 PM

Posted 18 January 2011 - 08:13 PM

Hey Shannon2012:

I followed the exact same procedure with the original post above. I ran it again and DDS results are pasted below. The only new symptom is a recurring "Generic Host Process Win 32 Services" error. If I click the box to report (or not report) the error, the computer hangs up.

--------------

DDS (Ver_10-12-12.02) - NTFSx86
Run by Kevin Dickenson at 18:51:47.06 on Tue 01/18/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.262 [GMT -5:00]

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Norton Internet Worm Protection *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\TetherBerry\TBService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Kevin Dickenson\Application Data\Smilebox\SmileboxTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Documents and Settings\Kevin Dickenson\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\mshta.exe
C:\Documents and Settings\Kevin Dickenson\Desktop\Bleeping Computer Kevinapg\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/calendar/render?gsessionid=RIeY5xueGR-ECmApyD_HKA
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=userinit.exe
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [wefi] c:\program files\wefi\\WeFi.exe
uRun: [SmileboxTray] "c:\documents and settings\kevin dickenson\application data\smilebox\SmileboxTray.exe"
uRun: [Google Update] "c:\documents and settings\kevin dickenson\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [hpqSRMon]
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: MLXchange.com\rmlsfl
Trusted Zone: pbmls.com\www
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} - hxxp://rmlsfl.mlxchange.com/Control/FileCruiser.cab
DPF: {16FD824B-8E7B-11D2-9855-00802962956C} - hxxp://rmlsfl.mlxchange.com/Control/Specfile.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} - hxxp://prudential.truelogic.com.au/download/CfxIEAx.cab
DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} - hxxp://rmlsfl.mlxchange.com/Control/SISC.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {38DC7009-0D98-4B17-80E5-AD3DF79D3B9B} - hxxp://prudential.truelogic.com.au/CAB/TLOutlook.CAB
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} - hxxp://rmlsfl.mlxchange.com/Control/MultiSelectComboBox.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} - hxxp://rmlsfl.mlxchange.com/Control/MLXClientUtils.cab
DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} - hxxp://rmlsfl.mlxchange.com/Control/LiteGrid.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://rmlsfl.mlxchange.com/5.1.01.7036/Control/IRCSharc.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/DiskMD3/DiskMD3Ctrl.dll
DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} - hxxp://200.9.36.138:82/wg_webeye.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://top5events.webex.com/client/T26L/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} - hxxp://rmlsfl.mlxchange.com/Control/AspCustomCtrls.cab
DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} - hxxp://216.249.24.62/code/iPIX-ImageWell-ipix.cab
TCP: {CA312C74-3650-4BF4-AD53-19C639FA22E0} = 208.67.222.222,208.67.220.220
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {0E3C4A88-7C19-414E-9634-66AC13CB11F6} - c:\windows\system32\msiexec.exe /fu {0E3C4A88-7C19-414E-9634-66AC13CB11F6} /q

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-10 14336]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-4-17 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-10-16 47640]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-4-13 1247600]
R2 TetherBerry;TetherBerry;c:\program files\tetherberry\TBService.exe [2009-10-6 49040]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]
R3 qrkis;Tether Miniport;c:\windows\system32\drivers\qrkis.sys [2009-10-6 45608]
S2 gupdate1c9f768ebf190ca;Google Update Service (gupdate1c9f768ebf190ca);c:\program files\google\update\GoogleUpdate.exe [2009-6-27 133104]
S2 pciinfo;HP Pci Information;\??\c:\docume~1\kevind~1\locals~1\temp\hpispz\hpdom\pciinfo.sys --> c:\docume~1\kevind~1\locals~1\temp\hpispz\hpdom\pciinfo.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2011-01-17 13:58:40 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-01-17 13:58:27 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{8b30398e-f50c-4939-83f7-bfe734d2d8fe}\mpengine.dll
2011-01-11 14:19:04 -------- d-----w- c:\docume~1\kevind~2\applic~1\SUPERAntiSpyware.com
2011-01-11 14:19:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-01-11 14:18:32 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-01-09 22:48:28 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-09 22:39:11 -------- d-----w- c:\program files\Microsoft Security Client
2011-01-09 22:22:59 -------- d-----w- C:\dfbfffca94d20d861ddc4b2f6f694b87
2011-01-09 21:14:16 388096 ----a-r- c:\docume~1\kevind~2\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-01-09 21:14:15 -------- d-----w- c:\program files\Trend Micro
2011-01-09 18:45:02 -------- dc-h--w- c:\windows\ie8
2011-01-09 18:15:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-08 21:13:32 -------- d-----w- c:\docume~1\kevind~2\applic~1\Malwarebytes
2011-01-08 21:13:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-08 21:13:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-08 21:13:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-08 21:13:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-08 21:12:41 7734208 ----a-w- c:\program files\mbam-setup.exe
2011-01-08 20:51:23 401720 ----a-w- c:\program files\iexplore.exe
2011-01-02 23:22:38 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-01-02 23:22:38 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-26 00:53:21 -------- d-----w- c:\docume~1\kevind~2\locals~1\applic~1\Smilebox

==================== Find3M ====================

2010-12-06 23:10:38 256 ----a-w- c:\windows\system32\pool.bin
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 21:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-09-07 01:02:44 7554116 ----a-w- c:\program files\mod-converter-82376.exe
2010-08-02 22:05:25 8177088 ----a-w- c:\program files\Vuze_Installer.exe
2010-08-02 18:57:25 96962344 ----a-w- c:\program files\iTunesSetup.exe
2010-07-15 03:02:30 584736 ----a-w- c:\program files\RealPlayerSPGold.exe
2009-05-18 22:38:57 23510720 ----a-w- c:\program files\dotnetfx.exe
2009-01-13 15:40:30 386560 ----a-w- c:\program files\justzipit
2008-12-27 22:04:57 342437920 ----a-w- c:\program files\AcroPro90_efg.exe
2008-03-23 19:10:23 407680 ----a-w- c:\program files\aswclnr.exe
2008-03-23 16:25:25 19890888 ----a-w- c:\program files\setupeng.exe
2008-02-19 22:51:56 28868320 ----a-w- c:\program files\FileFormatConverters.exe
2008-02-19 22:45:59 1454656 ----a-w- c:\program files\Silverlight.exe
2007-03-13 17:53:02 3842152 ----a-w- c:\program files\msgrplus.exe
2006-12-12 14:42:13 14879120 ----a-w- c:\program files\GoogleEarthWin.exe
2006-09-29 16:00:16 1803952 ----a-w- c:\program files\KODAK EASYSHARE Gallery Upload Software, V2.1.exe
2004-08-10 03:30:22 40960 ----a-w- c:\program files\Uninstall_CDS.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HTS541080G9AT00 rev.MB4OA60A -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x87121555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x871277b0]; MOV EAX, [0x8712782c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x87139AB8]
3 CLASSPNP[0xF75D2FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000077[0x871D33B8]
5 ACPI[0xF7469620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8717AD98]
\Driver\atapi[0x870E8F38] -> IRP_MJ_CREATE -> 0x87121555
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x7a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHTS541080G9AT00_________________________MB4OA60A#5&38ffc550&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8712139B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 18:55:15.92 ===============

Attached Files



#4 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:10:27 PM

Posted 19 January 2011 - 04:37 PM

Hi-

Thank for all the reports. They did show some problems and one was backdoor trojan. A backdoor trojan allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide to continue with the cleanup -

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.

    To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.

  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

In your reply, please copy in the contents of the TDSSKillerreport.
Shannon

#5 kevinapg

kevinapg
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:27 PM

Posted 19 January 2011 - 05:06 PM

I do have the program "Log Me In" on my computer because that's how my computer guy gains access. Is this what you saw?

#6 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:10:27 PM

Posted 19 January 2011 - 05:22 PM

Hi-

No, I saw the Log Me In, but that is not the problem. The TDL3 rootkit is the problem.
Shannon

#7 kevinapg

kevinapg
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:27 PM

Posted 19 January 2011 - 06:15 PM

TDSSKiller found it and removed. see log below
Sounds pretty dangerous. What do you think-- clean the drive?
------------
2011/01/19 17:19:00.0734 TDSS rootkit removing tool 2.4.14.0 Jan 18 2011 09:33:51
2011/01/19 17:19:00.0734 ================================================================================
2011/01/19 17:19:00.0734 SystemInfo:
2011/01/19 17:19:00.0734
2011/01/19 17:19:00.0734 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/19 17:19:00.0734 Product type: Workstation
2011/01/19 17:19:00.0734 ComputerName: LAPTOP
2011/01/19 17:19:00.0734 UserName: Kevin Dickenson
2011/01/19 17:19:00.0734 Windows directory: C:\WINDOWS
2011/01/19 17:19:00.0734 System windows directory: C:\WINDOWS
2011/01/19 17:19:00.0734 Processor architecture: Intel x86
2011/01/19 17:19:00.0734 Number of processors: 1
2011/01/19 17:19:00.0734 Page size: 0x1000
2011/01/19 17:19:00.0734 Boot type: Normal boot
2011/01/19 17:19:00.0734 ================================================================================
2011/01/19 17:19:01.0359 Initialize success
2011/01/19 17:19:04.0359 ================================================================================
2011/01/19 17:19:04.0359 Scan started
2011/01/19 17:19:04.0359 Mode: Manual;
2011/01/19 17:19:04.0359 ================================================================================
2011/01/19 17:19:05.0468 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/19 17:19:05.0531 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/01/19 17:19:05.0625 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/01/19 17:19:05.0703 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/01/19 17:19:05.0875 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/01/19 17:19:05.0953 AmdK8 (59301936898ae62245a6f09c0aba9475) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
2011/01/19 17:19:06.0046 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/01/19 17:19:06.0234 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/01/19 17:19:06.0281 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/01/19 17:19:06.0531 ati2mtag (287b11a781f2b7a28f283fd4b7434daf) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/01/19 17:19:07.0062 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/01/19 17:19:07.0156 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/01/19 17:19:07.0234 BCM43XX (30d20fc98bcfd52e1da778cf19b223d4) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2011/01/19 17:19:07.0312 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/01/19 17:19:07.0421 BTWUSB (e76dc88f00d50f46072feb2371769978) C:\WINDOWS\system32\Drivers\btwusb.sys
2011/01/19 17:19:07.0531 CAMCAUD (c2ef37f09cfee9665e6cd7c0b0afb84f) C:\WINDOWS\system32\drivers\camc6aud.sys
2011/01/19 17:19:07.0609 CAMCHALA (512df898de5c0654647acd5c82f0bd99) C:\WINDOWS\system32\drivers\camc6hal.sys
2011/01/19 17:19:07.0703 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/01/19 17:19:07.0796 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/01/19 17:19:07.0859 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/01/19 17:19:07.0953 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/01/19 17:19:08.0203 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/01/19 17:19:08.0296 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/01/19 17:19:08.0500 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/19 17:19:08.0593 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/01/19 17:19:08.0671 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/01/19 17:19:08.0718 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/19 17:19:08.0812 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/01/19 17:19:09.0062 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/01/19 17:19:09.0140 eabfiltr (c6aca0190ee7b614673ee0c91863b1eb) C:\WINDOWS\system32\drivers\EABFiltr.sys
2011/01/19 17:19:09.0187 eabusb (da1011db09ad641de40cd5cca70c0c43) C:\WINDOWS\system32\drivers\eabusb.sys
2011/01/19 17:19:09.0265 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/01/19 17:19:09.0343 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/01/19 17:19:09.0390 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/01/19 17:19:09.0421 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/01/19 17:19:09.0484 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/01/19 17:19:09.0531 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/01/19 17:19:09.0578 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/19 17:19:09.0640 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/01/19 17:19:09.0703 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/01/19 17:19:09.0796 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/01/19 17:19:10.0031 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/01/19 17:19:10.0093 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/01/19 17:19:10.0156 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/01/19 17:19:10.0218 HSFHWATI (14794f142befc962ab142584607a6631) C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys
2011/01/19 17:19:10.0359 HSF_DP (f99bb4e2b462198b2b0a82d0949f0c41) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2011/01/19 17:19:10.0546 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/19 17:19:10.0703 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/01/19 17:19:10.0781 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/01/19 17:19:10.0921 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/01/19 17:19:11.0000 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/01/19 17:19:11.0062 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/01/19 17:19:11.0109 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/01/19 17:19:11.0265 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/01/19 17:19:11.0328 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/01/19 17:19:11.0390 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/01/19 17:19:11.0437 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/01/19 17:19:11.0484 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/01/19 17:19:11.0515 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/01/19 17:19:11.0578 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/01/19 17:19:11.0656 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/01/19 17:19:11.0875 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
2011/01/19 17:19:11.0968 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys
2011/01/19 17:19:12.0046 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2011/01/19 17:19:12.0203 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/01/19 17:19:12.0281 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
2011/01/19 17:19:12.0343 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/01/19 17:19:12.0406 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/01/19 17:19:12.0468 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/19 17:19:12.0515 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/01/19 17:19:12.0546 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/01/19 17:19:12.0640 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2011/01/19 17:19:12.0750 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/01/19 17:19:12.0843 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/01/19 17:19:13.0062 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/01/19 17:19:13.0125 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/01/19 17:19:13.0187 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/01/19 17:19:13.0234 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/01/19 17:19:13.0296 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/01/19 17:19:13.0328 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/19 17:19:13.0390 MXOFX (ca68234d644aca94e7de0c90d2142f9d) C:\WINDOWS\system32\DRIVERS\MXOFX.SYS
2011/01/19 17:19:13.0468 MXOPSWD (e3dec7ca28a9870e24fff4e467af7328) C:\WINDOWS\system32\DRIVERS\mxopswd.sys
2011/01/19 17:19:13.0531 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/01/19 17:19:13.0578 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/01/19 17:19:13.0625 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/01/19 17:19:13.0671 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/01/19 17:19:13.0718 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/01/19 17:19:13.0890 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/01/19 17:19:13.0968 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/01/19 17:19:14.0078 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/01/19 17:19:14.0171 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/01/19 17:19:14.0234 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/19 17:19:14.0343 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/01/19 17:19:14.0421 NWADI (0973c0c696780161f4526586d5eac422) C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
2011/01/19 17:19:14.0562 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/01/19 17:19:14.0609 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/01/19 17:19:14.0656 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/01/19 17:19:14.0718 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/01/19 17:19:14.0765 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/01/19 17:19:14.0828 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/01/19 17:19:14.0875 PCASp50 (1961590aa191b6b7dcf18a6a693af7b8) C:\WINDOWS\system32\Drivers\PCASp50.sys
2011/01/19 17:19:14.0953 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/01/19 17:19:15.0031 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/01/19 17:19:15.0390 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/01/19 17:19:15.0765 pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys
2011/01/19 17:19:15.0875 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/19 17:19:15.0953 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/01/19 17:19:16.0015 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/19 17:19:16.0156 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/19 17:19:16.0406 qrkis (3b68696914e467bbe827d2552b5b85ef) C:\WINDOWS\system32\DRIVERS\qrkis.sys
2011/01/19 17:19:16.0437 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/19 17:19:16.0500 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/19 17:19:16.0546 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/19 17:19:16.0593 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/19 17:19:16.0640 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/19 17:19:16.0703 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/19 17:19:16.0750 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/01/19 17:19:16.0828 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/19 17:19:17.0031 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/19 17:19:17.0109 RimSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2011/01/19 17:19:17.0171 RimUsb (f17713d108aca124a139fde877eef68a) C:\WINDOWS\system32\Drivers\RimUsb.sys
2011/01/19 17:19:17.0203 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2011/01/19 17:19:17.0250 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2011/01/19 17:19:17.0343 RTL8023xp (7889e3981e0a5d347e037abd467d53a5) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
2011/01/19 17:19:17.0421 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2011/01/19 17:19:17.0484 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/01/19 17:19:17.0546 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/19 17:19:17.0625 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/01/19 17:19:17.0687 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/01/19 17:19:17.0953 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/01/19 17:19:18.0015 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/19 17:19:18.0109 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/19 17:19:18.0171 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/19 17:19:18.0234 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/01/19 17:19:18.0296 swmsflt (e6c797b33a454840245c0c96e7f08b0a) C:\WINDOWS\System32\drivers\swmsflt.sys
2011/01/19 17:19:18.0484 symlcbrd (b226f8a4d780acdf76145b58bb791d5b) C:\WINDOWS\system32\drivers\symlcbrd.sys
2011/01/19 17:19:18.0718 SynTP (f484c77f748729129d5cc9c965d9f701) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/01/19 17:19:18.0796 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/19 17:19:18.0906 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/19 17:19:18.0968 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/19 17:19:19.0031 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/19 17:19:19.0078 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/19 17:19:19.0187 tifm21 (9179e07503630d6fb2e4162ff0196191) C:\WINDOWS\system32\drivers\tifm21.sys
2011/01/19 17:19:19.0312 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/01/19 17:19:19.0421 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/01/19 17:19:19.0609 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/01/19 17:19:19.0671 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/01/19 17:19:19.0734 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/01/19 17:19:19.0781 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/19 17:19:19.0812 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/01/19 17:19:19.0890 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/01/19 17:19:19.0937 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/01/19 17:19:19.0984 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/19 17:19:20.0031 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/01/19 17:19:20.0093 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/01/19 17:19:20.0140 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/19 17:19:20.0203 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/19 17:19:20.0296 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/19 17:19:20.0375 winachsf (214bc3ad84907ad6ad655ac5465f449a) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/01/19 17:19:20.0625 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/01/19 17:19:20.0734 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/01/19 17:19:20.0781 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/01/19 17:19:20.0875 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/19 17:19:20.0890 ================================================================================
2011/01/19 17:19:20.0890 Scan finished
2011/01/19 17:19:20.0890 ================================================================================
2011/01/19 17:19:20.0906 Detected object count: 1
2011/01/19 17:19:45.0234 \HardDisk0 - will be cured after reboot
2011/01/19 17:19:45.0234 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/01/19 17:19:47.0703 Deinitialize success

#8 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:10:27 PM

Posted 20 January 2011 - 11:52 AM

Hi-

It looks like TDSSKiller took care of the main infection. Now let's see what else is there.

Download Combofix from either of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: how-to-use-combofix

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable your Anti-virusl


Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please copy the "C:\ComboFix.txt" into your reply.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


Next, we need to create an OTL Report
  • Please download OTL from here:
  • Main Mirror
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList"
  • Push the Posted Image button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

In your reply, please copy in the contents of the ComboFix report and the two OTL reports. How is your computer doing now?
Shannon

#9 kevinapg

kevinapg
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:27 PM

Posted 23 January 2011 - 09:52 AM

Combofix Log Below:

ComboFix 11-01-22.03 - Kevin Dickenson 01/23/2011 9:22.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.522 [GMT -5:00]
Running from: c:\documents and settings\Kevin Dickenson\Desktop\Bleeping Computer Kevinapg\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kevin Dickenson\Desktop\Translator.url
c:\documents and settings\Kevin Dickenson\g2mdlhlpx.exe
C:\install.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-12-23 to 2011-01-23 )))))))))))))))))))))))))))))))
.

2011-01-23 13:57 . 2011-01-23 13:57 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CAD9C4D0-AE7A-49C4-98BB-756E7CC260A8}\MpKslb29b9380.sys
2011-01-23 00:56 . 2011-01-23 00:56 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CAD9C4D0-AE7A-49C4-98BB-756E7CC260A8}\MpKslfe2a1520.sys
2011-01-22 22:32 . 2011-01-13 09:41 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CAD9C4D0-AE7A-49C4-98BB-756E7CC260A8}\mpengine.dll
2011-01-22 22:12 . 2011-01-22 22:12 -------- d-----w- c:\program files\Adobe Media Player
2011-01-22 22:09 . 2011-01-22 22:09 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-01-21 19:12 . 2011-01-21 19:12 -------- d-----w- c:\program files\Common Files\TiVo Shared
2011-01-17 13:58 . 2011-01-13 09:41 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-01-11 14:19 . 2011-01-11 14:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-01-11 11:39 . 2011-01-11 11:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-01-11 04:06 . 2011-01-11 04:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-01-11 04:06 . 2011-01-11 04:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-01-10 03:10 . 2011-01-10 03:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-01-09 22:48 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-09 22:39 . 2011-01-09 22:39 -------- d-----w- c:\program files\Microsoft Security Client
2011-01-09 22:22 . 2011-01-09 22:31 -------- d-----w- C:\dfbfffca94d20d861ddc4b2f6f694b87
2011-01-09 21:14 . 2011-01-09 21:14 -------- d-----w- c:\program files\Trend Micro
2011-01-09 20:12 . 2011-01-09 20:12 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-01-09 20:10 . 2011-01-11 14:18 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\HPAppData
2011-01-07 15:33 . 2011-01-07 15:33 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
2011-01-06 22:09 . 2011-01-06 22:09 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
2011-01-02 23:22 . 2011-01-02 23:22 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-26 00:53 . 2010-12-26 03:14 -------- d-----w- c:\documents and settings\Kevin Dickenson\Local Settings\Application Data\Smilebox

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2004-08-10 15:00 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 21:34 . 2009-01-30 02:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-09 14:52 . 2004-08-10 15:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-10 15:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-10 15:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-10 15:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-10 15:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2008-09-11 13:57 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-10 15:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2008-09-11 13:57 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-09-07 01:02 . 2010-09-07 01:02 7554116 ----a-w- c:\program files\mod-converter-82376.exe
2010-08-02 22:05 . 2010-08-02 22:05 8177088 ----a-w- c:\program files\Vuze_Installer.exe
2010-08-02 18:57 . 2010-08-02 18:57 96962344 ----a-w- c:\program files\iTunesSetup.exe
2010-07-15 03:02 . 2010-07-15 03:02 584736 ----a-w- c:\program files\RealPlayerSPGold.exe
2009-05-18 22:38 . 2009-05-18 22:38 23510720 ----a-w- c:\program files\dotnetfx.exe
2009-01-13 15:40 . 2009-01-13 15:40 386560 ----a-w- c:\program files\justzipit
2008-12-27 22:04 . 2008-12-27 21:32 342437920 ----a-w- c:\program files\AcroPro90_efg.exe
2008-03-23 19:10 . 2008-03-23 19:10 407680 ----a-w- c:\program files\aswclnr.exe
2008-03-23 16:25 . 2008-03-23 16:25 19890888 ----a-w- c:\program files\setupeng.exe
2008-02-19 22:51 . 2008-02-19 22:51 28868320 ----a-w- c:\program files\FileFormatConverters.exe
2008-02-19 22:45 . 2008-02-19 22:45 1454656 ----a-w- c:\program files\Silverlight.exe
2007-03-13 17:53 . 2007-03-13 17:52 3842152 ----a-w- c:\program files\msgrplus.exe
2006-12-12 14:42 . 2006-12-12 14:42 14879120 ----a-w- c:\program files\GoogleEarthWin.exe
2006-09-29 16:00 . 2006-09-29 16:00 1803952 ----a-w- c:\program files\KODAK EASYSHARE Gallery Upload Software, V2.1.exe
2004-08-10 03:30 . 2006-08-28 23:11 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 68856]
"SmileboxTray"="c:\documents and settings\Kevin Dickenson\Application Data\Smilebox\SmileboxTray.exe" [2010-12-03 312640]
"Google Update"="c:\documents and settings\Kevin Dickenson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-22 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-22 405504]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-02 623960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-09-23 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-07-15 202256]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-25 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-24 17:25 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-11-11 04:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeleteLog]
2005-01-06 23:55 36864 ----a-w- c:\windows\system32\oobe\DeleteLog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 19:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MXOBG]
2006-08-21 21:00 94208 ----a-w- c:\windows\MXOALDR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-25 05:05 421888 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
2005-10-11 17:23 1187840 ------w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2006-02-09 16:52 643072 ------w- c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-06-29 01:29 32768 ----a-w- c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 20:03 36975 ----a-w- c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-06-19 17:00 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-06-19 20:50 729178 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1154:TCP"= 1154:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R1 MpKslb29b9380;MpKslb29b9380;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CAD9C4D0-AE7A-49C4-98BB-756E7CC260A8}\MpKslb29b9380.sys [1/23/2011 8:57 AM 28752]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/10/2004 10:00 AM 14336]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [4/17/2007 1:00 PM 12856]
R2 TetherBerry;TetherBerry;c:\program files\TetherBerry\TBService.exe [10/6/2009 12:57 PM 49040]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 4:06 AM 231424]
R3 qrkis;Tether Miniport;c:\windows\system32\drivers\qrkis.sys [10/6/2009 12:57 PM 45608]
S1 MpKsld7a9c5b0;MpKsld7a9c5b0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CAD9C4D0-AE7A-49C4-98BB-756E7CC260A8}\MpKsld7a9c5b0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CAD9C4D0-AE7A-49C4-98BB-756E7CC260A8}\MpKsld7a9c5b0.sys [?]
S2 gupdate1c9f768ebf190ca;Google Update Service (gupdate1c9f768ebf190ca);c:\program files\Google\Update\GoogleUpdate.exe [6/27/2009 3:50 PM 133104]
S2 pciinfo;HP Pci Information;\??\c:\docume~1\KEVIND~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\KEVIND~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MPKSLB29B9380

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
Akamai REG_MULTI_SZ Akamai

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{0E3C4A88-7C19-414E-9634-66AC13CB11F6}]
2008-04-14 00:12 78848 ----a-w- c:\windows\system32\msiexec.exe
.
Contents of the 'Scheduled Tasks' folder

2011-01-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2011-01-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-27 20:50]

2011-01-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-27 20:50]

2011-01-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3895949170-2551627891-4084070817-1005Core.job
- c:\documents and settings\Kevin Dickenson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-07 15:30]

2011-01-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3895949170-2551627891-4084070817-1005UA.job
- c:\documents and settings\Kevin Dickenson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-07 15:30]

2011-01-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]

2011-01-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3895949170-2551627891-4084070817-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]

2011-01-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]

2011-01-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3895949170-2551627891-4084070817-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]

2011-01-22 c:\windows\Tasks\User_Feed_Synchronization-{3326BB63-8E3D-40D1-9815-5EE78AF65CD0}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/calendar/render?gsessionid=RIeY5xueGR-ECmApyD_HKA
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: MLXchange.com\rmlsfl
Trusted Zone: pbmls.com\www
TCP: {CA312C74-3650-4BF4-AD53-19C639FA22E0} = 208.67.222.222,208.67.220.220
DPF: {38DC7009-0D98-4B17-80E5-AD3DF79D3B9B} - hxxp://prudential.truelogic.com.au/CAB/TLOutlook.CAB
DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} - hxxp://rmlsfl.mlxchange.com/Control/MultiSelectComboBox.cab
DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} - hxxp://rmlsfl.mlxchange.com/Control/MLXClientUtils.cab
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://rmlsfl.mlxchange.com/5.1.01.7036/Control/IRCSharc.cab
DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/DiskMD3/DiskMD3Ctrl.dll
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
ShellIconOverlayIdentifiers-{0FB7818F-4055-4635-B618-09F669074940} - blank
HKCU-Run-wefi - c:\program files\WeFi\\WeFi.exe
HKLM-Run-hpqSRMon - (no file)
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-eFax 4 - c:\program files\eFax Messenger 4.3\J2GDllCmd.exe
MSConfigStartUp-HP Software Update - c:\program files\Hp\HP Software Update\HPWuSchd2.exe
MSConfigStartUp-MaxtorOneTouch - c:\program files\Maxtor\OneTouch\utils\Onetouch.exe
MSConfigStartUp-RetroExpress - c:\progra~1\Dantz\RETROS~1\RetroExpress.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-23 09:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????6?2?7?8??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1056)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
.
Completion time: 2011-01-23 09:30:46
ComboFix-quarantined-files.txt 2011-01-23 14:30

Pre-Run: 18,284,572,672 bytes free
Post-Run: 22,197,325,824 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - E81B4D6D1DB459DC01780F2DB59E3224



OTL.TXT Below

OTL logfile created on: 1/23/2011 9:37:41 AM - Run 1
OTL by OldTimer - Version 3.2.20.4 Folder = C:\Documents and Settings\Kevin Dickenson\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 381.00 Mb Available Physical Memory | 37.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 60.79 Gb Total Space | 20.72 Gb Free Space | 34.09% Space Free | Partition Type: NTFS
Drive D: | 12.71 Gb Total Space | 0.94 Gb Free Space | 7.38% Space Free | Partition Type: FAT32

Computer Name: LAPTOP | User Name: Kevin Dickenson | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/01/23 09:36:30 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kevin Dickenson\Desktop\OTL.exe
PRC - [2010/11/30 13:20:36 | 000,997,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2010/10/22 10:30:24 | 000,134,808 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
PRC - [2010/09/22 18:11:26 | 000,640,440 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
PRC - [2010/07/14 22:07:16 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2010/06/10 20:03:08 | 000,144,176 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2009/12/21 11:22:00 | 000,049,040 | ---- | M] () -- C:\Program Files\TetherBerry\TBService.exe
PRC - [2009/10/24 12:28:36 | 000,116,032 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2009/10/24 12:25:29 | 000,378,176 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardian.exe
PRC - [2009/07/01 22:13:34 | 000,623,960 | ---- | M] (Research In Motion Limited) -- C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/19 21:09:59 | 001,247,600 | ---- | M] () -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
PRC - [2007/06/19 12:00:59 | 000,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2007/04/17 13:03:52 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2007/04/17 13:03:52 | 000,063,040 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2005/12/22 10:57:10 | 000,405,504 | ---- | M] (Hewlett-Packard ) -- C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe
PRC - [2005/12/08 15:45:12 | 000,516,182 | ---- | M] () -- C:\Program Files\HPQ\shared\HpqToaster.exe
PRC - [2004/07/27 18:50:18 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe


========== Modules (SafeList) ==========

MOD - [2011/01/23 09:36:30 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kevin Dickenson\Desktop\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2010/07/14 22:09:34 | 000,040,960 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (NMSAccess)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/01/06 10:03:37 | 003,129,432 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\netsession_win_dbc0250.dll -- (Akamai)
SRV - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/07/13 16:57:03 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/06/10 20:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/12/21 11:22:00 | 000,049,040 | ---- | M] () [Auto | Running] -- C:\Program Files\TetherBerry\TBService.exe -- (TetherBerry)
SRV - [2009/10/24 12:28:36 | 000,116,032 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
SRV - [2007/09/19 21:09:59 | 001,247,600 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC)
SRV - [2007/04/17 13:03:52 | 000,063,040 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)


========== Driver Services (SafeList) ==========

DRV - [2011/01/23 09:35:24 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AFD1E0B7-BD2C-4DC4-A16E-682011B43E1A}\MpKsl350c4386.sys -- (MpKsl350c4386)
DRV - [2009/10/24 12:25:53 | 000,083,288 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2009/07/31 13:39:56 | 000,045,608 | ---- | M] (Tether) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\qrkis.sys -- (qrkis)
DRV - [2008/10/17 15:28:04 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2008/10/16 15:28:15 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2008/10/15 11:58:34 | 000,024,840 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\swmsflt.sys -- (swmsflt)
DRV - [2008/10/15 11:58:32 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PCASp50.sys -- (PCASp50)
DRV - [2008/10/15 11:58:26 | 000,222,720 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NWADIenum.sys -- (NWADI)
DRV - [2006/08/21 17:07:34 | 000,010,344 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd)
DRV - [2005/11/28 04:35:38 | 000,424,320 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2005/11/10 17:51:00 | 001,396,224 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/09/30 06:11:00 | 000,078,720 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2005/09/20 05:30:56 | 000,162,432 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2005/08/22 04:06:00 | 001,035,008 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2005/08/22 04:06:00 | 000,718,464 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/08/22 04:06:00 | 000,231,424 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWATI.sys -- (HSFHWATI)
DRV - [2005/08/18 03:22:54 | 000,056,648 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2005/08/02 05:00:00 | 000,349,312 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camc6hal.sys -- (CAMCHALA)
DRV - [2005/08/02 04:58:00 | 000,038,016 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\camc6aud.sys -- (CAMCAUD)
DRV - [2005/06/19 15:33:18 | 000,190,400 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005/05/05 12:04:08 | 000,007,936 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\eabfiltr.sys -- (eabfiltr)
DRV - [2005/05/05 12:04:04 | 000,005,760 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EabUsb.sys -- (eabusb)
DRV - [2005/03/09 17:53:00 | 000,036,352 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2004/10/07 09:21:22 | 000,015,360 | ---- | M] (Maxtor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxopswd.sys -- (MXOPSWD)
DRV - [2004/08/04 01:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/12/05 13:46:00 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2003/10/10 03:23:48 | 000,032,640 | ---- | M] (Cypress Semiconductor) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MXOFX.SYS -- (MXOFX) USB Storage Adapter FX (MXO)
DRV - [2001/08/17 23:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-21-3895949170-2551627891-4084070817-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-3895949170-2551627891-4084070817-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-3895949170-2551627891-4084070817-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/calendar/render?gsessionid=RIeY5xueGR-ECmApyD_HKA
IE - HKU\S-1-5-21-3895949170-2551627891-4084070817-1005\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-3895949170-2551627891-4084070817-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/06/17 08:39:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/07/14 22:09:35 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2011/01/23 09:27:44 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-3895949170-2551627891-4084070817-1005\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-21-3895949170-2551627891-4084070817-1005\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-3895949170-2551627891-4084070817-1005\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe (Research In Motion Limited)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe (Hewlett-Packard )
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-3895949170-2551627891-4084070817-1005..\Run: [SmileboxTray] C:\Documents and Settings\Kevin Dickenson\Application Data\Smilebox\SmileboxTray.exe (Smilebox, Inc.)
O4 - HKU\S-1-5-21-3895949170-2551627891-4084070817-1005..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3895949170-2551627891-4084070817-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3895949170-2551627891-4084070817-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3895949170-2551627891-4084070817-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3895949170-2551627891-4084070817-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-3895949170-2551627891-4084070817-1005\..Trusted Domains: Interealty.com ([]* is out of zone range - 5)
O15 - HKU\S-1-5-21-3895949170-2551627891-4084070817-1005\..Trusted Domains: MLXchange.com ([]* is out of zone range - 5)
O15 - HKU\S-1-5-21-3895949170-2551627891-4084070817-1005\..Trusted Domains: MLXchange.com ([rmlsfl] http in Trusted sites)
O15 - HKU\S-1-5-21-3895949170-2551627891-4084070817-1005\..Trusted Domains: pbmls.com ([www] http in Trusted sites)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} http://rmlsfl.mlxchange.com/Control/FileCruiser.cab (FileCruiser Class)
O16 - DPF: {16FD824B-8E7B-11D2-9855-00802962956C} http://rmlsfl.mlxchange.com/Control/Specfile.cab (Specfile Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab (Reg Error: Key error.)
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} http://prudential.truelogic.com.au/download/CfxIEAx.cab (ChartFX Internet Control)
O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} http://rmlsfl.mlxchange.com/Control/SISC.cab (SISCtrl Class)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab (Reg Error: Key error.)
O16 - DPF: {38DC7009-0D98-4B17-80E5-AD3DF79D3B9B} http://prudential.truelogic.com.au/CAB/TLOutlook.CAB (TLOutlook.Connector)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab (DLM Control)
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} http://www.linkedin.com/cab/LinkedInContactFinderControl.cab (LinkedIn ContactFinderControl)
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} http://rmlsfl.mlxchange.com/Control/MultiSelectComboBox.cab (Interealty MultiSelect)
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab (Kodak Gallery Easy Upload Manager Class)
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab (Kodak Gallery Easy Upload Manager Class)
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} http://rmlsfl.mlxchange.com/Control/MLXClientUtils.cab (MLXchange Client Utils)
O16 - DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} http://rmlsfl.mlxchange.com/Control/LiteGrid.cab (LiteGridCtl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} http://rmlsfl.mlxchange.com/5.1.01.7036/Control/IRCSharc.cab (GeacRevw Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} http://utilities.pcpitstop.com/DiskMD3/DiskMD3Ctrl.dll (diskhealth Class)
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} http://200.9.36.138:82/wg_webeye.cab (Web Camera Server Control)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://top5events.webex.com/client/T26L/webex/ieatgpc.cab (GpcContainer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} http://rmlsfl.mlxchange.com/Control/AspCustomCtrls.cab (DropList Class)
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} http://216.249.24.62/code/iPIX-ImageWell-ipix.cab (iPIX Media Send Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.74.166 68.87.68.166
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Kevin Dickenson\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Kevin Dickenson\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2001/07/27 22:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/01/23 09:36:10 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Kevin Dickenson\Desktop\OTL.exe
[2011/01/23 09:20:17 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/01/23 09:17:13 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/01/23 09:17:13 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/01/23 09:17:13 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/01/23 09:17:13 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/01/23 09:13:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/01/23 09:13:20 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/01/22 20:05:04 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
[2011/01/22 20:05:02 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Pictures
[2011/01/22 20:00:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Recorded TV
[2011/01/22 17:12:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe
[2011/01/22 17:12:15 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe Media Player
[2011/01/22 17:09:31 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2011/01/21 14:12:19 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\TiVo Shared
[2011/01/13 16:39:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kevin Dickenson\Desktop\Bleeping Computer Kevinapg
[2011/01/11 09:19:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2011/01/11 06:39:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/01/10 12:56:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2011/01/09 22:10:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2011/01/09 17:48:28 | 000,222,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2011/01/09 17:44:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Real
[2011/01/09 17:39:11 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2011/01/09 17:22:59 | 000,000,000 | ---D | C] -- C:\dfbfffca94d20d861ddc4b2f6f694b87
[2011/01/09 16:14:15 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/01/09 15:10:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\HPAppData
[2011/01/09 13:45:02 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2011/01/09 13:15:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2011/01/09 13:15:22 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/01/09 13:15:22 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/01/09 13:15:22 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/01/09 13:15:22 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/01/08 16:13:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kevin Dickenson\Application Data\Malwarebytes
[2011/01/08 16:13:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/01/08 16:13:09 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/01/08 16:12:41 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Program Files\mbam-setup.exe
[2011/01/08 15:51:23 | 000,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Program Files\iexplore.exe
[2011/01/07 12:44:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/01/07 10:41:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kevin Dickenson\Start Menu\Programs\Google Chrome
[2011/01/07 10:33:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ICS
[2011/01/06 17:09:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Apple
[2011/01/06 13:06:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/01/06 13:06:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/01/06 09:17:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/01/06 09:17:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/01/02 17:55:46 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2010/12/25 19:53:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kevin Dickenson\Local Settings\Application Data\Smilebox
[2010/12/25 19:53:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kevin Dickenson\My Documents\My Smilebox Creations
[2010/09/06 20:02:34 | 007,554,116 | ---- | C] ( ) -- C:\Program Files\mod-converter-82376.exe
[2010/08/02 17:05:09 | 008,177,088 | ---- | C] (Vuze Inc.) -- C:\Program Files\Vuze_Installer.exe
[2010/08/02 13:57:08 | 096,962,344 | ---- | C] (Apple Inc.) -- C:\Program Files\iTunesSetup.exe
[2010/07/14 22:02:13 | 000,584,736 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RealPlayerSPGold.exe
[2009/05/18 17:38:48 | 023,510,720 | ---- | C] (Microsoft Corporation) -- C:\Program Files\dotnetfx.exe
[2009/01/13 10:40:20 | 000,386,560 | ---- | C] (Free-backup.info) -- C:\Program Files\justzipit
[2008/12/27 16:32:41 | 342,437,920 | ---- | C] ( ) -- C:\Program Files\AcroPro90_efg.exe
[2008/03/23 14:10:13 | 000,407,680 | ---- | C] (ALWIL Software) -- C:\Program Files\aswclnr.exe
[2008/02/19 17:51:27 | 028,868,320 | ---- | C] (Microsoft Corporation) -- C:\Program Files\FileFormatConverters.exe
[2007/03/13 12:52:48 | 003,842,152 | ---- | C] (j2 Global Communications, Inc.) -- C:\Program Files\msgrplus.exe
[2006/12/12 09:42:13 | 014,879,120 | ---- | C] (Macrovision Corporation) -- C:\Program Files\GoogleEarthWin.exe
[2006/09/29 11:00:06 | 001,803,952 | ---- | C] (Eastman Kodak Company) -- C:\Program Files\KODAK EASYSHARE Gallery Upload Software, V2.1.exe
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/01/23 09:36:30 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kevin Dickenson\Desktop\OTL.exe
[2011/01/23 09:35:02 | 000,000,904 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/01/23 09:27:44 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/01/23 09:20:24 | 000,000,325 | RHS- | M] () -- C:\boot.ini
[2011/01/23 09:10:52 | 000,030,208 | ---- | M] () -- C:\Documents and Settings\Kevin Dickenson\My Documents\Combofix from either of the links below.doc
[2011/01/23 09:02:34 | 000,001,675 | -HS- | M] () -- C:\hpqp.ini
[2011/01/23 09:02:30 | 000,000,039 | ---- | M] () -- C:\XP_TV.ini
[2011/01/23 09:02:07 | 000,000,298 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-3895949170-2551627891-4084070817-1005.job
[2011/01/23 09:02:05 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/01/23 09:02:02 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/01/23 09:02:01 | 000,000,280 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-18.job
[2011/01/23 08:56:43 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/01/23 08:56:36 | 1071,894,528 | -HS- | M] () -- C:\hiberfil.sys
[2011/01/23 08:42:00 | 000,001,018 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3895949170-2551627891-4084070817-1005UA.job
[2011/01/22 23:06:04 | 000,011,034 | ---- | M] () -- C:\WINDOWS\System32\345.js
[2011/01/22 20:45:25 | 000,000,306 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-3895949170-2551627891-4084070817-1005.job
[2011/01/22 20:44:37 | 000,187,392 | ---- | M] () -- C:\Documents and Settings\Kevin Dickenson\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/01/22 12:15:56 | 000,000,184 | ---- | M] () -- C:\WINDOWS\hpbafd.ini
[2011/01/22 10:42:00 | 000,000,966 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3895949170-2551627891-4084070817-1005Core.job
[2011/01/22 10:16:41 | 000,000,442 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{3326BB63-8E3D-40D1-9815-5EE78AF65CD0}.job
[2011/01/22 09:40:05 | 000,374,464 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/01/21 14:24:10 | 246,298,776 | ---- | M] () -- C:\Documents and Settings\Kevin Dickenson\My Documents\Image_110121_1422.gi
[2011/01/21 14:22:02 | 000,114,688 | ---- | M] () -- C:\Documents and Settings\Kevin Dickenson\Desktop\Copy of Usernames__Passwords.xls
[2011/01/20 17:09:06 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/01/19 17:51:02 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/01/19 14:17:30 | 000,017,492 | ---- | M] () -- C:\Documents and Settings\Kevin Dickenson\My Documents\peter_kursman[1].pdf
[2011/01/18 17:10:30 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/01/16 15:38:06 | 000,030,720 | ---- | M] () -- C:\Documents and Settings\Kevin Dickenson\My Documents\affidavit Note.doc
[2011/01/16 13:54:11 | 000,000,288 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-18.job
[2011/01/14 13:52:55 | 000,000,362 | ---- | M] () -- C:\Documents and Settings\Kevin Dickenson\Desktop\Regional MLS.url
[2011/01/13 15:21:39 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Kevin Dickenson\defogger_reenable
[2011/01/13 00:43:42 | 000,002,336 | ---- | M] () -- C:\Documents and Settings\Kevin Dickenson\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/01/13 00:43:41 | 000,002,358 | ---- | M] () -- C:\Documents and Settings\Kevin Dickenson\Desktop\Google Chrome.lnk
[2011/01/10 10:31:36 | 000,469,314 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/01/10 10:31:36 | 000,082,094 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/01/09 17:40:45 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/01/09 17:30:30 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/01/09 12:31:10 | 000,100,055 | ---- | M] () -- C:\Documents and Settings\Kevin Dickenson\My Documents\Microsoft Windows Error Reporting.pdf
[2011/01/08 16:12:46 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Program Files\mbam-setup.exe
[2011/01/08 15:51:28 | 000,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\iexplore.exe
[2011/01/08 15:49:33 | 000,730,832 | ---- | M] () -- C:\Documents and Settings\Kevin Dickenson\My Documents\Remove the fake Microsoft Security Essentials Alert (Uninstall Instructions).pdf
[2011/01/07 10:56:40 | 000,000,209 | ---- | M] () -- C:\Boot.bak
[2011/01/06 21:06:03 | 000,011,261 | ---- | M] () -- C:\WINDOWS\System32\saad.js
[2010/12/31 13:07:29 | 000,022,016 | ---- | M] () -- C:\Documents and Settings\Kevin Dickenson\My Documents\hardship.doc
[2010/12/30 16:13:12 | 000,009,588 | ---- | M] () -- C:\Documents and Settings\Kevin Dickenson\My Documents\Cecilia Text transcript Dec 29.pdf
[2010/12/30 16:12:40 | 000,027,136 | ---- | M] () -- C:\Documents and Settings\Kevin Dickenson\My Documents\Cecilia Text transcript Dec 29.doc
[2010/12/28 18:00:26 | 000,488,960 | ---- | M] () -- C:\Documents and Settings\Kevin Dickenson\Desktop\Bulk Deals.doc
[2010/12/28 17:59:16 | 000,058,619 | ---- | M] () -- C:\Documents and Settings\Kevin Dickenson\My Documents\30's hotel.jpg
[2010/12/25 19:52:04 | 000,001,989 | ---- | M] () -- C:\Documents and Settings\Kevin Dickenson\Desktop\Smilebox.lnk
[2010/12/25 19:52:04 | 000,001,967 | ---- | M] () -- C:\Documents and Settings\Kevin Dickenson\Application Data\Microsoft\Internet Explorer\Quick Launch\Smilebox.lnk
[2010/12/25 19:28:58 | 000,402,944 | ---- | M] () -- C:\Documents and Settings\Kevin Dickenson\My Documents\Merry Christmas 01.doc
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/01/23 09:20:24 | 000,000,209 | ---- | C] () -- C:\Boot.bak
[2011/01/23 09:20:20 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/01/23 09:17:13 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/01/23 09:17:13 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/01/23 09:17:13 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/01/23 09:17:13 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/01/23 09:17:13 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/01/23 09:10:52 | 000,030,208 | ---- | C] () -- C:\Documents and Settings\Kevin Dickenson\My Documents\Combofix from either of the links below.doc
[2011/01/22 18:53:49 | 000,014,034 | ---- | C] () -- C:\Documents and Settings\Kevin Dickenson\My Documents\Davies Confidential Agreement.pdf
[2011/01/22 16:06:02 | 000,011,034 | ---- | C] () -- C:\WINDOWS\System32\345.js
[2011/01/21 14:23:37 | 246,298,776 | ---- | C] () -- C:\Documents and Settings\Kevin Dickenson\My Documents\Image_110121_1422.gi
[2011/01/19 14:17:30 | 000,017,492 | ---- | C] () -- C:\Documents and Settings\Kevin Dickenson\My Documents\peter_kursman[1].pdf
[2011/01/16 15:38:05 | 000,030,720 | ---- | C] () -- C:\Documents and Settings\Kevin Dickenson\My Documents\affidavit Note.doc
[2011/01/15 12:28:04 | 1071,894,528 | -HS- | C] () -- C:\hiberfil.sys
[2011/01/13 15:21:39 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Kevin Dickenson\defogger_reenable
[2011/01/10 23:06:21 | 000,000,288 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-18.job
[2011/01/10 23:06:21 | 000,000,280 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-18.job
[2011/01/09 17:39:26 | 000,001,680 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
[2011/01/09 12:27:53 | 000,100,055 | ---- | C] () -- C:\Documents and Settings\Kevin Dickenson\My Documents\Microsoft Windows Error Reporting.pdf
[2011/01/08 15:48:54 | 000,730,832 | ---- | C] () -- C:\Documents and Settings\Kevin Dickenson\My Documents\Remove the fake Microsoft Security Essentials Alert (Uninstall Instructions).pdf
[2011/01/08 15:10:22 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2011/01/07 10:41:32 | 000,002,358 | ---- | C] () -- C:\Documents and Settings\Kevin Dickenson\Desktop\Google Chrome.lnk
[2011/01/07 10:41:32 | 000,002,336 | ---- | C] () -- C:\Documents and Settings\Kevin Dickenson\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/01/07 10:37:53 | 000,001,018 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3895949170-2551627891-4084070817-1005UA.job
[2011/01/07 10:37:53 | 000,000,966 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3895949170-2551627891-4084070817-1005Core.job
[2011/01/06 09:06:05 | 000,011,261 | ---- | C] () -- C:\WINDOWS\System32\saad.js
[2010/12/30 17:29:56 | 000,022,016 | ---- | C] () -- C:\Documents and Settings\Kevin Dickenson\My Documents\hardship.doc
[2010/12/30 16:13:12 | 000,009,588 | ---- | C] () -- C:\Documents and Settings\Kevin Dickenson\My Documents\Cecilia Text transcript Dec 29.pdf
[2010/12/30 16:12:40 | 000,027,136 | ---- | C] () -- C:\Documents and Settings\Kevin Dickenson\My Documents\Cecilia Text transcript Dec 29.doc
[2010/12/28 17:59:16 | 000,058,619 | ---- | C] () -- C:\Documents and Settings\Kevin Dickenson\My Documents\30's hotel.jpg
[2010/12/25 19:52:04 | 000,001,995 | ---- | C] () -- C:\Documents and Settings\Kevin Dickenson\Start Menu\Programs\Smilebox.lnk
[2010/12/25 19:52:04 | 000,001,989 | ---- | C] () -- C:\Documents and Settings\Kevin Dickenson\Desktop\Smilebox.lnk
[2010/12/25 19:52:04 | 000,001,967 | ---- | C] () -- C:\Documents and Settings\Kevin Dickenson\Application Data\Microsoft\Internet Explorer\Quick Launch\Smilebox.lnk
[2010/12/25 19:28:58 | 000,402,944 | ---- | C] () -- C:\Documents and Settings\Kevin Dickenson\My Documents\Merry Christmas 01.doc
[2010/12/23 15:06:54 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Kevin Dickenson\Application Data\wklnhst.dat
[2009/12/16 14:20:26 | 000,000,655 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2009/07/22 16:10:25 | 000,038,524 | ---- | C] () -- C:\Documents and Settings\Kevin Dickenson\Application Data\Microsoft Excel.ADR
[2008/12/25 20:12:06 | 000,038,495 | ---- | C] () -- C:\Documents and Settings\Kevin Dickenson\Application Data\Comma Separated Values (Windows).ADR
[2008/10/15 11:58:34 | 000,024,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\swmsflt.sys
[2008/10/13 16:19:26 | 000,000,138 | ---- | C] () -- C:\Documents and Settings\Kevin Dickenson\Local Settings\Application Data\fusioncache.dat
[2008/03/23 14:10:34 | 000,003,052 | ---- | C] () -- C:\Program Files\aswclnr.log
[2008/03/23 11:25:25 | 019,890,888 | ---- | C] () -- C:\Program Files\setupeng.exe
[2008/02/19 17:45:42 | 001,454,656 | ---- | C] () -- C:\Program Files\Silverlight.exe
[2008/02/04 18:23:10 | 000,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/02/25 17:18:00 | 000,000,021 | ---- | C] () -- C:\WINDOWS\EPProj76c.ini
[2006/09/07 15:05:11 | 000,000,037 | ---- | C] () -- C:\WINDOWS\ipixActivex.ini
[2006/08/28 18:11:31 | 000,040,960 | ---- | C] () -- C:\Program Files\Uninstall_CDS.exe
[2006/08/26 11:32:06 | 000,004,096 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ScheduledItems
[2006/08/26 11:27:15 | 000,001,890 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/08/26 11:27:15 | 000,000,056 | RHS- | C] () -- C:\WINDOWS\System32\A3ACD87EF5.sys
[2006/08/23 11:56:38 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/08/23 10:08:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2006/08/21 21:23:07 | 000,000,184 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2006/08/21 16:40:12 | 000,187,392 | ---- | C] () -- C:\Documents and Settings\Kevin Dickenson\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/04/13 08:44:10 | 000,000,031 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2006/04/13 08:42:18 | 000,000,698 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.ini
[2006/04/13 08:25:04 | 000,000,116 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/04/13 08:06:36 | 000,028,836 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/04/13 07:59:36 | 000,002,159 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2005/12/02 05:09:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/17 12:39:42 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/08/17 12:21:06 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2005/08/17 11:58:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/08/06 00:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/07/17 12:38:32 | 000,217,088 | ---- | C] () -- C:\WINDOWS\System32\missouri.dll
[2004/01/13 14:46:34 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\tifmicon.dll
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/08/09 06:18:44 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\pandoras.dll

< End of report >


------------------------
OTL Extras

OTL Extras logfile created on: 1/23/2011 9:37:41 AM - Run 1
OTL by OldTimer - Version 3.2.20.4 Folder = C:\Documents and Settings\Kevin Dickenson\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 381.00 Mb Available Physical Memory | 37.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 60.79 Gb Total Space | 20.72 Gb Free Space | 34.09% Space Free | Partition Type: NTFS
Drive D: | 12.71 Gb Total Space | 0.94 Gb Free Space | 7.38% Space Free | Partition Type: FAT32

Computer Name: LAPTOP | User Name: Kevin Dickenson | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"1154:TCP" = 1154:TCP:*:Enabled:Akamai NetSession Interface
"5000:UDP" = 5000:UDP:*:Enabled:Akamai NetSession Interface

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic Data Module
"{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}" = Symantec KB-DocID:2003093015493306
"{09D8492A-C8E2-421E-927D-46800FB327A3}" = Wireless Home Network Setup
"{0A5825FD-0FB7-4e45-9037-858D463F2943}" = BPDSoftware
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{18669FF9-C8FE-407a-9F70-E674896B1DB4}" = GPBaseService
"{195F2C6C-A343-4b10-B1A4-3F00AB9E9DD9}" = Fax
"{1CB34CE9-0E6B-493F-BB66-3425E5DF76E5}" = CP_CalendarTemplates1
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD Plus
"{219EFBC3-2518-4910-BBDF-89AA96F11D84}" = IntraLinks IRM Client For MSOffice
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{23012310-3E05-46A5-88A9-C6CBCABCAC79}" = Customer Experience Enhancement
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23B35809-5E4A-4F14-8332-1CDEDDFAC089}" = CP_Package_Variety2
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 23
"{2863C12B-2A02-4258-8495-6220605B2E5C}_is1" = Tether 1.1.0.0
"{2951A232-69BA-4925-BB9A-CEEB72B18B4F}" = BPDSoftware_Ini
"{2A548002-9042-4083-A270-B67473DE1073}" = SkinsHP1
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE
"{34F3FCF1-817B-4D61-B6AF-19D9486AFEA0}" = Unload
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3672B097-EA69-4bfe-B92F-29AE6D9D2B34}" = Norton Internet Security
"{36D620AD-EEBA-4973-BA86-0C9AE6396620}" = OptionalContentQFolder
"{3700194C-C5DD-439A-BE06-A66960CA4C70}" = MSVCSetup
"{398E8625-6F3A-4C54-B54C-28F0ABB89774}" = BPD_HPSU
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3BEF9769-BA52-18F7-1D02-2362F6A27E38}" = Adobe Media Player
"{3FE0CFAB-584A-4AA5-B8CD-C32284CFA308}" = RandMap
"{3FEC3A5B-60FF-4626-B425-08E09B121A15}" = LogMeIn
"{414A373B-59DF-4102-94CA-9FE9A74CBDDA}" = Garmin Trip and Waypoint Manager v5
"{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
"{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}" = HP Wireless Assistant 2.00 C1
"{44A537A5-859C-43A6-8285-C0668142A090}" = iPod for Windows
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP QuickPlay 2.0
"{47D2103B-FD51-4017-9C20-DD408B17D726}" = Office 2003 Trial Assistant
"{47ECCB1F-2811-49C0-B6A7-26778639ABA0}" = 32 Bit HP CIO Components Installer
"{494D17B5-3369-4905-8C4B-80C972C5E0FF}" = CP_Panorama1Config
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter
"{4DA4012B-39AF-48c2-B23B-A4D570D233A6}" = cp_LightScribeConfig
"{522D1D79-9C0A-4361-91F8-2AFF8EC6C2E1}" = CP_Package_Variety1
"{52A69E11-7CEB-4a7d-9607-68BA4F39A89B}" = DeviceDiscovery
"{52AE81CB-B786-490E-93CF-240A9891B392}" = HP User Guides 0025
"{52FBAE98-D389-4281-8C14-21B4046CCB4E}" = SonicAC3Encoder
"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder
"{54F0998F-73C8-4b51-8286-FE903C231BED}" = cp_PosterPrintConfig
"{55937F00-A69B-4049-8D3A-1C7729742B6F}" = BUM
"{572F2A62-70CD-4429-8758-6D4D6DC696E1}" = 4500_Help
"{5ACE69F0-A3E8-44eb-88C1-0A841E700180}" = TrayApp
"{5BB4D7C1-52F2-4BFD-9E40-0D419E2E3021}" = bpd_scan
"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler
"{6697D99E-E550-4498-B793-4A8DD8A1821F}" = ProductContext
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{679EC478-3FF9-4987-B2FF-C2C2B27532A2}" = DocProc
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{687FEF8A-8597-40b4-832C-297EA3F35817}" = BufferChm
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{766633B3-1AFA-44B6-A3FC-1DE991CD9C52}" = CP_Package_Basic1
"{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware
"{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}" = Microsoft Security Client
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{787D1A33-A97B-4245-87C0-7174609A540C}" = HP Update
"{79F8E1D4-36C1-439C-95FA-F695050B5B07}" = Sonic_PrimoSDK
"{7B6CF9EB-CB2B-4A1A-81A9-BE1A9044690A}" = TIPCI
"{80533B67-C407-485D-8B5D-63BB8ED9D878}" = Scan
"{80AE27BA-B0ED-4288-A8B9-D8194BCF4115}" = cp_UpdateProjectsConfig
"{8105684D-8CA6-440D-8F58-7E5FD67A499D}" = Easy Internet Sign-up
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{869C3062-4745-4949-B6C9-98AF24D89030}" = PhotoGallery
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8FF6F5CA-4E30-4E3B-B951-204CAAA2716A}" = SmartWebPrinting
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91F7F3F3-CE80-48C3-8327-7D24A0A5716A}" = iTunes
"{939F8208-C8CE-4AFF-B7BA-ACEB2E74A6CB}" =
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95140000-007A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{9D4ABB0C-F60B-44A6-956C-A4A63D5495C9}" = CueTour
"{A01FC76F-CC09-4658-9E37-5C2F635EE708}" = TourSetup
"{A0B9F8DF-C949-45ed-9808-7DC5C0C19C81}" = Status
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic Audio Module
"{ABB2901A-3D0A-4F21-8324-2F13C3EFE163}" = LightScribe 1.4.62.1
"{AC76BA86-1033-F400-BA7E-000000000004}" = Adobe Acrobat 9 Standard - English, Franšais, Deutsch
"{AC76BA86-1033-F400-BA7E-000000000004}_941" = Adobe Acrobat 9.4.1 - CPSID_83708
"{AC76BA86-1033-F400-BA7E-000000000004}{AC76BA86-1033-F400-BA7E-000000000004}" = Adobe Acrobat 9 Standard - English, Franšais, Deutsch
"{B06CC379-BA38-4572-9539-CDB0C544AA1E}" = BlackBerry Desktop Software 5.0
"{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
"{B11E71BA-498C-42D4-9F1A-9D7A89D9DA61}" = CP_AtenaShokunin1Config
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic Copy Module
"{B16AF568-A644-483C-A6DA-5028CD019C8C}" = SonicMPEGEncoder
"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
"{B57F2FF0-5A25-4332-B503-4592B370C02F}" = CP_Package_Variety3
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{B97CF5C3-0487-11D8-A36E-0050BAE317E1}" = DVD Solution
"{BAD0FA60-09CF-4411-AE6A-C2844C8812FA}" = HP Photosmart Essential 2.5
"{BBD3BF67-5B89-4CBB-BA58-5818ED5F3290}" = cp_OnlineProjectsConfig
"{BC96BBA7-C634-460E-AD18-A0A994213F80}" = HP User Guides--System Recovery
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C151CE54-E7EA-4804-854B-F515368B0798}" = Athlon 64 Processor Driver
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg
"{CD0773D5-C18E-495c-B39B-21A96415EDD5}" = HP Officejet J4500 Series
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEB326EC-8F40-47B2-BA22-BB092565D66F}" = Quick Launch Buttons 5.20 G1
"{D142FE39-3386-4d82-9AD3-36D4A92AC3C2}" = DocMgr
"{D2E0F0CC-6BE0-490b-B08B-9267083E34C9}" = MarketResearch
"{D99A8E3A-AE5A-4692-8B19-6F16D454E240}" = Destination Component
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{E0783143-EAE2-4047-A8D6-E155523C594C}" = Garmin WebUpdater
"{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{EDE721EC-870A-11D8-9D75-000129760D75}" = PowerDirector Express
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F4F4F84E-804F-4E9A-84D7-C34283F0088F}" = RealUpgrade 1.0
"{FC8D25A7-FF1B-41BB-BB3B-9A06C0A60AE0}" = InstantShareDevices
"{FDEC11CC-4BD6-4a8c-A398-3CCD8E43EACA}" = J4500
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"45A7283175C62FAC673F913C1F532C5361F97841" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
"ActiveTouchMeetingClient" = WebEx
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Akamai" = Akamai NetSession Interface
"ATI Display Driver" = ATI Display Driver
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"BlackBerry_{B06CC379-BA38-4572-9539-CDB0C544AA1E}" = BlackBerry Desktop Software 5.0
"CNXT_AUDIO" = Conexant AC-Link Audio
"CNXT_MODEM_PCI_VEN_1002&DEV_4378" = Soft Data Fax Modem with SmartCP
"com.adobe.amp.E7BED6E5DDA59983786DD72EBFA46B1598278E07.1" = Adobe Media Player
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"ESPNMotion" = ESPNMotion
"exPressit S.E. 2.1" = exPressit S.E. 2.1
"FinePix Genie_is1" = FUJIFILM MyFinePix Studio 1.0
"HP Document Manager" = HP Document Manager 1.0
"HP Imaging Device Functions" = HP Imaging Device Functions 10.0
"HP Photo & Imaging" = HP Photosmart Premier Software 6.0
"HP Photosmart Essential" = HP Photosmart Essential 2.5
"HP Smart Web Printing" = HP Smart Web Printing 4.60
"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
"HPExtendedCapabilities" = HP Customer Participation Program 10.0
"HPOCR" = OCR Software by I.R.I.S. 10.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{23012310-3E05-46A5-88A9-C6CBCABCAC79}" = Customer Experience Enhancement
"InstallShield_{44A537A5-859C-43A6-8285-C0668142A090}" = iPod for Windows
"InstallShield_{7B6CF9EB-CB2B-4A1A-81A9-BE1A9044690A}" = Texas Instruments PCIxx21/x515/xx12 drivers.
"InstallShield_{8105684D-8CA6-440D-8F58-7E5FD67A499D}" = Easy Internet Sign-up
"IrfanView" = IrfanView (remove only)
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Client" = Microsoft Security Essentials
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MXOFX" = USB Storage Adapter FX (MXO)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"ODIR_is1" = ODIR
"OfotoEZUpload" = KODAK EASYSHARE Gallery Upload ActiveX Control
"Palm Beach Chart P01 Rev. 03_is1" = P01_03 - Placemarks & Overlay By Jupiter Inlet area (West)
"Palm Beach Chart P02 Rev. 03_is1" = P02_03 - Placemarks & Overlay Offshore Jupiter Inlet area (East
"Palm Beach Chart P03 Rev. 03_is1" = P03_03 - Placemarks & Overlay By Juno Pier area (West)
"Palm Beach Chart P04 Rev. 03_is1" = P04_03 - Placemarks & Overlay Offshore the Juno Pier area (East
"Palm Beach Chart P05N Rev. 03_is1" = P05N_02 - Placemarks & Overlay for North of Lake Worth Inlet (N
"Palm Beach Chart P05S Rev. 02_is1" = P05S_02 - Placemarks & Overlay for North of Lake Worth Inlet (S
"Palm Beach Chart P06 Rev. 02_is1" = P06_02 - Placemarks & Overlay for South of Lake Worth Inlet are
"Palm Beach Chart P07 Rev. 02_is1" = P07_02 - Placemarks & Overlay from Bath & Tennis Reef to Lake W
"RealPlayer 12.0" = RealPlayer
"Silent Package Run-Time Sample" = PowerLite 76c User's Guide
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"VisualTour Studio" = VisualTour Studio
"VT Remote Support" = VT Remote Support
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3895949170-2551627891-4084070817-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{9863F141-7A33-4c9a-A5F2-96996461B216}" = KODAK EASYSHARE Gallery Easy Upload, v2.1
"Google Chrome" = Google Chrome
"GoToMeeting" = GoToMeeting 4.5.0.457
"Smilebox" = Smilebox

========== Last 10 Event Log Errors ==========

[ System Events ]
Error - 1/22/2011 11:03:41 AM | Computer Name = LAPTOP | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC000000D'
while processing the file 'BOOT.INI' on the volume 'HarddiskVolume3'. It has stopped
monitoring the volume.

Error - 1/22/2011 7:26:33 PM | Computer Name = LAPTOP | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC000000D'
while processing the file 'BOOT.INI' on the volume 'HarddiskVolume3'. It has stopped
monitoring the volume.

Error - 1/22/2011 9:05:16 PM | Computer Name = LAPTOP | Source = Service Control Manager | ID = 7000
Description = The HP Pci Information service failed to start due to the following
error: %%3

Error - 1/22/2011 9:06:38 PM | Computer Name = LAPTOP | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 1/22/2011 9:10:10 PM | Computer Name = LAPTOP | Source = Service Control Manager | ID = 7000
Description = The HP Pci Information service failed to start due to the following
error: %%3

Error - 1/22/2011 9:11:39 PM | Computer Name = LAPTOP | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 1/23/2011 12:29:27 AM | Computer Name = LAPTOP | Source = Service Control Manager | ID = 7000
Description = The HP Pci Information service failed to start due to the following
error: %%3

Error - 1/23/2011 12:30:47 AM | Computer Name = LAPTOP | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 1/23/2011 9:57:31 AM | Computer Name = LAPTOP | Source = Service Control Manager | ID = 7000
Description = The HP Pci Information service failed to start due to the following
error: %%3

Error - 1/23/2011 9:58:52 AM | Computer Name = LAPTOP | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.


< End of report >

#10 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:10:27 PM

Posted 24 January 2011 - 10:42 AM

Hi-

How is your computer running now?
Shannon

#11 kevinapg

kevinapg
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:27 PM

Posted 24 January 2011 - 11:59 AM

:thumbup2: It's working great so far and it's fast. Probably a good idea to run TDSSKiller occassionally? Thank you so much!
Kevin

#12 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:10:27 PM

Posted 24 January 2011 - 12:29 PM

Hi-

Good - glad to hear that things are running great, but I would like to run a couple of more scans to make sure.

Please run Malwarebytes' Anti-Malware (MBAM)
  • Click on the Update tab and click the Check for Updates button.
  • When the update is finished, click on the Scanner tab.
  • Select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Next, I'd like for you to scan your machine with ESET OnlineScan
  • Hold down Control key and click on the following link to open ESET OnlineScan in a new window.
  • ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip the next two steps)
  • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

In your reply, please copy in the MBAM report and the ESET Online report (if you get one).

Thanks.
Shannon

#13 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:10:27 PM

Posted 02 February 2011 - 04:24 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Shannon




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users