Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

possible TDL3 rootkit infection


  • This topic is locked This topic is locked
34 replies to this topic

#1 crankygirl39

crankygirl39

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:09:51 PM

Posted 27 February 2011 - 03:33 PM

DDS (Ver_10-12-12.02) - NTFSx86
Run by Administrator at 15:09:09.23 on Sun 02/27/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.214 [GMT -5:00]

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\system32\PROMon.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\McAfee Security Scan\2.1.121\SSScheduler.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page =
uSearch Bar =
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
mSearchAssistant =
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [Smapp] c:\program files\analog devices\soundmax\Smtray.exe
mRun: [PROMon.exe] PROMon.exe
mRun: [ChkAdmin] c:\progra~1\compaq\compaq~1\CHKADMIN.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRunServices: [CPQDFWAG] c:\windows\cpqdiag\CpqDfwAg.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.1.121\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxdm824NTUS
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/SmileyCentralFWBInitialSetup1.0.1.0.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182304515453
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201192703148
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://zone.msn.com/bingame/chnz/default/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://arcade.games.myway.com/online2/zuma/popcaploader_v5.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\ulq2d3t6.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://librarianbyday.net/
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 299984]
R1 ClntMgmt;Compaq Client Management Driver;c:\windows\system32\drivers\Clntmgmt.sys [2006-3-24 54222]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl116b6b91;MpKsl116b6b91;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{cdbe4ef1-a7d7-4354-8c37-36d236c4ecd8}\MpKsl116b6b91.sys [2011-2-27 28752]
R1 MpKslc0c48b96;MpKslc0c48b96;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{cdbe4ef1-a7d7-4354-8c37-36d236c4ecd8}\MpKslc0c48b96.sys [2011-2-27 28752]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 CpqDfwWebAgent;Compaq Remote Diagnostics Enabling Agent;c:\windows\cpqdiag\CPQDFWAG.EXE [2006-3-24 212992]
R2 cpqWebDmi;Compaq DMI Web Agent;c:\progra~1\compaq\compaq~1\cpqweb~1\WebDmi.exe [2006-3-24 24576]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S2 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2011-1-9 401920]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-28 135664]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-1-9 517448]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.1.121\McCHSvc.exe [2010-9-3 227232]
S3 USB200M;Linksys USB 2.0 Network Adapter ver.2;c:\windows\system32\drivers\USB200M2.sys [2009-10-28 18048]

=============== Created Last 30 ================

2011-02-27 19:46:06 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{cdbe4ef1-a7d7-4354-8c37-36d236c4ecd8}\MpKslc0c48b96.sys
2011-02-27 19:45:32 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{cdbe4ef1-a7d7-4354-8c37-36d236c4ecd8}\MpKsl1da9281f.sys
2011-02-27 19:41:55 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{cdbe4ef1-a7d7-4354-8c37-36d236c4ecd8}\MpKsl116b6b91.sys
2011-02-27 17:12:26 5943120 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{cdbe4ef1-a7d7-4354-8c37-36d236c4ecd8}\mpengine.dll
2011-02-27 17:12:26 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-27 17:07:33 -------- d-----w- c:\program files\Microsoft Security Client
2011-02-27 16:25:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2011-02-27 16:25:10 -------- d-----w- c:\program files\McAfee Security Scan
2011-02-26 18:40:14 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-02-26 18:40:14 -------- d-----w- c:\windows\system32\wbem\Repository
2011-02-26 18:39:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\Amazon
2011-02-26 18:39:00 -------- d-----w- c:\program files\Amazon
2011-02-26 18:36:41 -------- d-----w- c:\windows\VirtualEar
2011-02-24 21:36:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\lCdDoLp08200
2011-02-11 05:05:12 11444496 ----a-w- c:\documents and settings\all users\Tempmozy-update-1f7fe3012a1778a4fc7c5075f2f61812.exe
2011-02-06 02:28:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\Trymedia
2011-02-06 02:21:46 -------- d-----w- C:\GameHouse Games
2011-02-06 00:29:48 -------- d-----w- c:\program files\RealArcade

==================== Find3M ====================

2011-02-03 02:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 00:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-21 14:44:37 439296 ------w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2011-01-05 05:04:17 11336456 ----a-w- c:\documents and settings\all users\Tempmozy-update-a31217e595a1463492ad999467f8f0a1.exe
2010-12-31 13:10:33 1854976 ------w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ------w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ------w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ------w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38:47 2192768 ------w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:05 2069376 ------w- c:\windows\system32\ntkrnlpa.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD400BB-60DGA0 rev.05.03E05 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82F41439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x82f477b8]; MOV EAX, [0x82f47834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x82FAF9C0]
3 CLASSPNP[0xF86C1FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000005b[0x82F97F18]
5 ACPI[0xF8638620] -> nt!IofCallDriver[0x804E37D5] -> [0x82D16030]
\Driver\atapi[0x82F99590] -> IRP_MJ_CREATE -> 0x82F41439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD400BB-60DGA0______________________05.03E05#4457572d414d4b44343234323137_036_0_0_0_0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x82F4127F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 15:11:16.78 ===============

BC AdBot (Login to Remove)

 


#2 crankygirl39

crankygirl39
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:09:51 PM

Posted 28 February 2011 - 10:18 AM

Should I just go eat worms?

I started the GMER scan two hours ago......

Edited by crankygirl39, 28 February 2011 - 10:19 AM.


#3 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:10:51 PM

Posted 28 February 2011 - 02:10 PM

crankygirl39,

Should I just go eat worms?


I hope they would be yummy gummy worms. ;)


My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • These instructions have been specifically tailored to your computer and the issues you are experiencing with your computer. It's important to note that these instructions are not suitable for any other computer, even if the issues are fairly similar.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days
    failure to reply will result in the topic being closed!
  • Please do not PM me directly for help. If you have any questions, post them in this topic.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.
____________________________________________________


Please cancel the GMER scan. I have what I need from the GMER logs you have provided for me.




Posted Image One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to appraise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



Running TDSSKiller

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.


    Posted Image

  • If an infected file is detected, the default action will be Cure, click on Continue.


    Posted Image

  • If a suspicious file is detected, the default action will be Skip, click on Continue.


    Posted Image

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


    Posted Image

  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


NEXT:



Running OTL

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


NEXT:



Please be sure to include an update on how your computer is currently running.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#4 crankygirl39

crankygirl39
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:09:51 PM

Posted 28 February 2011 - 03:01 PM

Dude - I love gummy worms. :)
Killer report:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5905

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/28/2011 11:02:18 AM
mbam-log-2011-02-28 (11-02-18).txt

Scan type: Quick scan
Objects scanned: 165600
Time elapsed: 15 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 26
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{D518921A-4A03-425E-9873-B9A71756821E} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF6-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A26F07F-0D60-4835-91CF-1E1766A0EC56} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9FF05104-B030-46FC-94B8-81276E4E27DF} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00A6FAF6-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Value: {00A6FAF6-072E-44CF-8957-5838F569A31D} -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00A6FAF6-072E-44cf-8957-5838F569A31D} (Adware.MyWebSearch) -> Value: {00A6FAF6-072E-44cf-8957-5838F569A31D} -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

OTL REPORT:
OTL logfile created on: 2/28/2011 2:49:42 PM - Run 1
OTL by OldTimer - Version 3.2.22.2 Folder = C:\Documents and Settings\Administrator\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.00 Mb Total Physical Memory | 144.00 Mb Available Physical Memory | 29.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 1512 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 21.73 Gb Free Space | 58.31% Space Free | Partition Type: NTFS

Computer Name: YOUR-7BF6D1ED | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/02/28 14:48:46 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\My Documents\Downloads\OTL.exe
PRC - [2011/02/08 13:24:02 | 003,600,184 | ---- | M] (Mozy, Inc.) -- C:\Program Files\MozyHome\mozystat.exe
PRC - [2010/12/16 18:35:40 | 000,423,232 | ---- | M] (Panda Security, S.L.) -- C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
PRC - [2010/12/16 18:19:34 | 000,140,608 | ---- | M] (Panda Security, S.L.) -- C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
PRC - [2010/12/13 14:12:01 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2002/03/25 14:36:58 | 000,073,728 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\PROMon.exe
PRC - [2002/01/30 21:01:54 | 000,081,920 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
PRC - [2002/01/24 21:09:16 | 000,024,576 | ---- | M] (Compaq Computer Corporation) -- C:\Program Files\COMPAQ\Compaq Management Agents\cpqWebDmi\Webdmi.exe
PRC - [2002/01/24 21:03:48 | 000,020,480 | ---- | M] (Compaq Computer Corporation) -- C:\Program Files\COMPAQ\Compaq Management Agents\Cpqdmi.exe
PRC - [2002/01/24 21:03:32 | 000,081,920 | ---- | M] (Compaq Computer Corporation) -- C:\Program Files\COMPAQ\Compaq Management Agents\Chkadmin.exe
PRC - [2002/01/24 20:59:18 | 000,512,000 | ---- | M] (Compaq Computer Corporation) -- C:\Program Files\COMPAQ\Compaq Management Agents\Cpqalert.exe
PRC - [2001/12/18 18:49:00 | 001,953,868 | ---- | M] (Altiris, Inc.) -- C:\Compaq\ACLIENT\AClient.exe
PRC - [2001/10/25 20:56:58 | 000,212,992 | ---- | M] (Compaq Computer Corporation) -- C:\WINDOWS\Cpqdiag\CPQDFWAG.EXE
PRC - [2001/04/11 13:33:46 | 000,215,552 | ---- | M] (Intel) -- C:\Program Files\COMPAQ\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe


========== Modules (SafeList) ==========

MOD - [2011/02/28 14:48:46 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\My Documents\Downloads\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Amazon Download Agent)
SRV - [2010/12/16 18:19:34 | 000,140,608 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe -- (NanoServiceMain)
SRV - [2002/03/04 13:35:26 | 001,118,208 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\NMSSvc.Exe -- (NMSSvc) Intel®
SRV - [2002/01/24 21:09:16 | 000,024,576 | ---- | M] (Compaq Computer Corporation) [Auto | Running] -- C:\Program Files\COMPAQ\Compaq Management Agents\cpqWebDmi\Webdmi.exe -- (cpqWebDmi)
SRV - [2002/01/24 21:03:48 | 000,020,480 | ---- | M] (Compaq Computer Corporation) [Auto | Running] -- C:\Program Files\COMPAQ\Compaq Management Agents\Cpqdmi.exe -- (cpqdmi)
SRV - [2002/01/24 20:59:18 | 000,512,000 | ---- | M] (Compaq Computer Corporation) [Auto | Running] -- C:\Program Files\COMPAQ\Compaq Management Agents\Cpqalert.exe -- (CPQALERT)
SRV - [2001/12/18 18:49:00 | 001,953,868 | ---- | M] (Altiris, Inc.) [Auto | Running] -- C:\COMPAQ\ACLIENT\ACLIENT.exe -- (AClient)
SRV - [2001/10/25 20:56:58 | 000,212,992 | ---- | M] (Compaq Computer Corporation) [Auto | Running] -- C:\WINDOWS\Cpqdiag\CPQDFWAG.EXE -- (CpqDfwWebAgent)
SRV - [2001/04/11 13:33:46 | 000,215,552 | ---- | M] (Intel) [Auto | Running] -- C:\Program Files\COMPAQ\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe -- (WIN32SL)


========== Driver Services (SafeList) ==========

DRV - [2010/12/16 18:12:59 | 000,113,096 | ---- | M] (Panda Security, S.L.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PSINProt.sys -- (PSINPROT)
DRV - [2010/12/16 18:12:51 | 000,111,944 | ---- | M] (Panda Security, S.L.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\PSINProc.sys -- (PSINPROC)
DRV - [2010/12/16 18:12:42 | 000,130,376 | ---- | M] (Panda Security, S.L.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\PSINKNC.sys -- (PSINKNC)
DRV - [2010/12/16 18:12:34 | 000,097,352 | ---- | M] (Panda Security, S.L.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\PSINFile.sys -- (PSINFILE)
DRV - [2010/12/16 18:12:26 | 000,141,768 | ---- | M] (Panda Security, S.L.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PSINAflt.sys -- (PSINAFLT)
DRV - [2005/04/21 00:30:32 | 000,018,048 | ---- | M] (Linksys) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USB200M2.sys -- (USB200M)
DRV - [2004/08/04 00:29:50 | 000,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wvchntxx.sys -- (iAimFP4)
DRV - [2004/08/04 00:29:48 | 000,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wsiintxx.sys -- (iAimFP3)
DRV - [2004/08/04 00:29:46 | 000,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wch7xxnt.sys -- (iAimTV4)
DRV - [2004/08/04 00:29:44 | 000,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv04nt.sys -- (iAimTV3)
DRV - [2004/08/04 00:29:44 | 000,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv02nt.sys -- (iAimTV1)
DRV - [2004/08/04 00:29:42 | 000,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv01nt.sys -- (iAimTV0)
DRV - [2004/08/04 00:29:38 | 000,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\i81xnt5.sys -- (i81x)
DRV - [2004/08/04 00:29:38 | 000,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv01nt.sys -- (iAimFP0)
DRV - [2004/08/04 00:29:38 | 000,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv02nt.sys -- (iAimFP1)
DRV - [2004/08/04 00:29:38 | 000,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv05nt.sys -- (iAimFP2)
DRV - [2003/11/20 17:14:28 | 000,646,825 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\IntelC52.sys -- (IntelC52)
DRV - [2003/11/20 17:13:40 | 001,232,741 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\IntelC51.sys -- (IntelC51)
DRV - [2003/11/20 17:12:56 | 000,059,717 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\IntelC53.sys -- (IntelC53)
DRV - [2003/11/20 17:12:42 | 000,037,048 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mohfilt.sys -- (mohfilt)
DRV - [2002/04/04 09:32:06 | 000,028,416 | R--- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symmpi.sys -- (Symmpi)
DRV - [2002/01/16 17:48:54 | 000,054,222 | ---- | M] (Compaq Computer Corp) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Clntmgmt.sys -- (ClntMgmt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = http://autoconfig.cpqcorp.net

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = http://autoconfig.cpqcorp.net

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3352189345-227156992-886978096-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKU\S-1-5-21-3352189345-227156992-886978096-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-3352189345-227156992-886978096-500\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-3352189345-227156992-886978096-500\..\URLSearchHook: {EEE6C35D-6118-11DC-9C72-001320C79847} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-3352189345-227156992-886978096-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "www.yahoo.com"
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/13 14:12:16 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/13 14:12:16 | 000,000,000 | ---D | M]

[2009/06/11 14:46:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2009/06/11 14:46:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ulq2d3t6.default\extensions
[2011/02/28 14:26:19 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/10/09 18:58:44 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2011/02/26 13:37:42 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/02/02 21:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/08/03 14:07:42 | 000,373,104 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\npOGAPlugin.dll

O1 HOSTS File: ([2003/03/31 12:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-3352189345-227156992-886978096-500\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKLM..\Run: [AmazonGSDownloaderTray] File not found
O4 - HKLM..\Run: [ChkAdmin] C:\Program Files\COMPAQ\Compaq Management Agents\Chkadmin.exe (Compaq Computer Corporation)
O4 - HKLM..\Run: [PROMon.exe] C:\WINDOWS\System32\PROMon.exe (Intel Corporation)
O4 - HKLM..\Run: [PSUNMain] C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe (Panda Security, S.L.)
O4 - HKLM..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe (Analog Devices, Inc.)
O4 - HKLM..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CPQDFWAG.EXE (Compaq Computer Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe (FUJIFILM Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe (Mozy, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3352189345-227156992-886978096-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll (Google Inc.)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182304515453 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201192703148 (MUWebControl Class)
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} http://zone.msn.com/bingame/chnz/default/mjolauncher.cab (MJLauncherCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://arcade.games.myway.com/online2/zuma/popcaploader_v5.cab (PopCapLoader Object)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 209.18.47.61 209.18.47.62
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{5c0a7f28-ca92-11dc-886b-000bcd996851}\Shell - "" = AutoRun
O33 - MountPoints2\{5c0a7f28-ca92-11dc-886b-000bcd996851}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{5c0a7f28-ca92-11dc-886b-000bcd996851}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/02/28 12:08:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Panda Security
[2011/02/28 12:06:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Panda Cloud Antivirus
[2011/02/28 12:05:50 | 000,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2011/02/28 12:05:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Panda Security
[2011/02/28 10:40:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2011/02/28 10:39:59 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/02/28 10:39:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/02/28 10:39:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/02/28 10:39:56 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/02/28 10:39:56 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/02/28 08:36:18 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2011/02/28 00:01:58 | 011,447,056 | ---- | C] (Mozy, Inc.) -- C:\Documents and Settings\All Users\Tempmozy-autoupdate-c0261ff8012aad585d55140a9b6ddcb9.exe
[2011/02/27 12:12:26 | 000,222,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2011/02/27 11:31:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\McAfee
[2011/02/27 11:25:48 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/02/27 11:24:50 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/02/27 11:24:50 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/02/27 11:24:50 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/02/27 11:22:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2011/02/26 13:39:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Amazon
[2011/02/26 13:37:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\InstallShield
[2011/02/26 13:37:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Updater
[2011/02/26 13:37:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google Updater
[2011/02/26 13:37:39 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2011/02/26 13:36:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
[2011/02/26 13:36:52 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2011/02/26 13:36:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\VirtualEar
[2011/02/26 13:36:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SoundMAX
[2011/02/24 17:18:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/02/24 17:18:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/02/24 16:51:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/02/24 16:51:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/02/24 16:36:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\lCdDoLp08200
[2011/02/23 09:42:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\NOT ORDERING REPORTS
[2011/02/11 00:05:12 | 011,444,496 | ---- | C] (Mozy, Inc.) -- C:\Documents and Settings\All Users\Tempmozy-update-1f7fe3012a1778a4fc7c5075f2f61812.exe
[2011/02/09 11:06:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\2011 NEED TO CONTACT
[2011/02/08 17:28:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\OVERDRIVE INFO 2011
[2011/02/05 21:28:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Trymedia
[2011/02/05 19:30:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\WinRAR
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2099/01/01 12:00:00 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2011/02/28 14:13:12 | 000,002,587 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Microsoft Office Word 2007.lnk
[2011/02/28 14:13:12 | 000,002,549 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Microsoft Office Excel 2007.lnk
[2011/02/28 12:06:34 | 000,000,264 | ---- | M] () -- C:\WINDOWS\System32\PSUNCpl.dat
[2011/02/28 11:52:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/02/28 11:14:40 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/02/28 11:14:36 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2011/02/28 11:14:26 | 000,000,000 | ---- | M] () -- C:\AClient.cfg
[2011/02/28 11:14:22 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/02/28 11:14:14 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/02/28 11:14:12 | 528,011,264 | -HS- | M] () -- C:\hiberfil.sys
[2011/02/28 10:39:59 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/02/28 08:37:16 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/02/28 06:38:38 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\prvlcl.dat
[2011/02/28 00:03:31 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MozyHome Status.lnk
[2011/02/28 00:02:24 | 011,447,056 | ---- | M] (Mozy, Inc.) -- C:\Documents and Settings\All Users\Tempmozy-autoupdate-c0261ff8012aad585d55140a9b6ddcb9.exe
[2011/02/28 00:01:19 | 000,003,794 | ---- | M] () -- C:\WINDOWS\mozy.blk
[2011/02/28 00:01:19 | 000,001,502 | ---- | M] () -- C:\WINDOWS\mozy.flt
[2011/02/11 00:05:38 | 011,444,496 | ---- | M] (Mozy, Inc.) -- C:\Documents and Settings\All Users\Tempmozy-update-1f7fe3012a1778a4fc7c5075f2f61812.exe
[2011/02/09 03:26:57 | 000,264,616 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/02/09 03:10:19 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/02/02 21:40:39 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/02/02 21:40:38 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/02/02 21:40:36 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/02/02 21:40:23 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/02/02 19:19:39 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/02/02 17:11:20 | 000,222,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2011/01/31 16:10:15 | 000,048,353 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Crystal Lake invoice jan 31.pdf
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/02/28 12:06:34 | 000,000,264 | ---- | C] () -- C:\WINDOWS\System32\PSUNCpl.dat
[2011/02/28 10:39:59 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/02/27 12:09:52 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2011/02/25 16:25:28 | 000,000,868 | ---- | C] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2011/02/21 07:12:03 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MozyHome Status.lnk
[2011/01/31 16:10:15 | 000,048,353 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Crystal Lake invoice jan 31.pdf
[2009/11/09 13:56:16 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\prvlcl.dat
[2009/09/09 08:32:19 | 000,000,243 | ---- | C] () -- C:\WINDOWS\ActiveAct.INI
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/06/11 14:46:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2008/11/03 16:03:07 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/02/04 14:52:53 | 000,000,022 | ---- | C] () -- C:\WINDOWS\iexplore.ini
[2008/01/24 11:35:22 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/01/24 10:48:27 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\EmailShared.dll
[2006/04/21 19:31:08 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2006/03/24 13:22:36 | 000,004,605 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/03/24 13:22:33 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/03/24 13:22:29 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2006/03/24 13:21:12 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2006/03/24 13:04:15 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\shpshftr.dll
[2006/03/24 13:04:13 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\igfxdgps.dll
[2006/03/24 13:03:00 | 000,040,960 | ---- | C] () -- C:\WINDOWS\LoadDll.dll
[2006/03/24 12:36:01 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/03/24 12:31:07 | 000,000,579 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/03/24 12:30:44 | 000,000,042 | ---- | C] () -- C:\WINDOWS\cpqhsc.ini
[2006/03/24 12:30:07 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2006/03/24 12:29:56 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\Aud2Full.exe
[2006/03/24 12:15:33 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2004/08/02 16:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2003/05/19 16:32:34 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2003/05/19 16:27:40 | 000,264,616 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/05/19 16:21:46 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2003/05/19 16:17:58 | 000,383,584 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2003/05/19 16:17:58 | 000,053,812 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2003/05/19 16:17:04 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2002/02/06 11:04:14 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\NMSInst.dll
[2002/01/21 17:17:18 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PROInst.dll
[2001/08/17 16:30:26 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/17 16:30:26 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/17 16:15:40 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/07/21 17:36:50 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/07/21 17:36:06 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat

========== Alternate Data Streams ==========

@Alternate Data Stream - 196 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:260575F1
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5A437AC3
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4

< End of report >

EXTRAS.TXT
OTL Extras logfile created on: 2/28/2011 2:49:42 PM - Run 1
OTL by OldTimer - Version 3.2.22.2 Folder = C:\Documents and Settings\Administrator\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.00 Mb Total Physical Memory | 144.00 Mb Available Physical Memory | 29.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 1512 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 21.73 Gb Free Space | 58.31% Space Free | Partition Type: NTFS

Computer Name: YOUR-7BF6D1ED | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-3352189345-227156992-886978096-500\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [FinePix] -- "C:\Program Files\FinePixViewer\FinePixViewer.exe" "%1" (FUJIFILM Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\NetMeeting\conf.exe" = C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting® -- (Microsoft Corporation)
"C:\Program Files\CrossLoop\CrossLoopConnect.exe" = C:\Program Files\CrossLoop\CrossLoopConnect.exe:*:Enabled:CrossLoop - Simple Secure Screen Sharing -- (CrossLoop)
"C:\Program Files\AVG\AVG10\avgmfapx.exe" = C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Enabled:AVG Installer


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01A4AEDE-F219-49A2-B855-16A016EAF9A4}" = Intel® PROSet II
"{0369E93A-46CE-4417-BFC2-4841F2C847F2}" = Compaq Help and Support Center
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{24ED4D80-8294-11D5-96CD-0040266301AD}" = FinePixViewer Ver.5.5
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java™ 6 Update 24
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{71A470E1-27E7-424E-803A-F9C0D41968D3}" = Compaq Remote Diagnostics Enabling Agent
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® 845G Chipset Graphics Driver Software
"{8F41F431-071E-5B44-2EEE-5C51173D6498}" = MozyHome
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PRJSTDR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PRJSTDR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PRJSTDR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PRJSTDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00B4-0409-0000-0000000FF1CE}" = Microsoft Office Project MUI (English) 2007
"{90120000-00B4-0409-0000-0000000FF1CE}_PRJSTDR_{27A9D316-D332-433B-8EB1-1D93EE49F26D}" = Microsoft Office Project 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PRJSTDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007
"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91120000-003A-0000-0000-0000000FF1CE}" = Microsoft Office Project Standard 2007
"{91120000-003A-0000-0000-0000000FF1CE}_PRJSTDR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91120000-003A-0000-0000-0000000FF1CE}_PRJSTDR_{9E73617F-2F38-4864-BD61-BB2DDFE43323}" = Microsoft Office Project 2007 Service Pack 2 (SP2)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.6
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B44529FF-501E-47CD-A06D-223C161BE058}" = FinePixViewer Resource
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{E3B3AB03-8ABC-46CF-8CA9-DB5581E1F368}" = FinePix Studio
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{FEB2D0CA-9912-4AA1-8FBE-CFD852F9F1FC}" = Panda Cloud Antivirus
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Amazon Games & Software Downloader_is1" = Amazon Games & Software Downloader
"CrossLoop_is1" = CrossLoop 2.51
"Google Updater" = Google Updater
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Intel® 537EP V9x DF PCI Modem" = Intel® 537EP V9x DF PCI Modem
"IntMgmt" = Compaq Management Agents
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Panda Cloud Antivirus" = Panda Cloud Antivirus
"PRJSTDR" = Microsoft Office Project Standard 2007 Trial
"PROHYBRIDR" = 2007 Microsoft Office system
"PROSet" = Intel® PRO Ethernet Adapter and Software
"Setup Compaq Software" = Setup Compaq Software
"Shockwave" = Shockwave
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLinux 2000" = WinLinux 2000
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3352189345-227156992-886978096-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"ACT!" = ACT!

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/27/2011 12:29:22 PM | Computer Name = YOUR-7BF6D1ED | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: An internal certificate chaining error has occurred.

Error - 2/27/2011 12:29:22 PM | Computer Name = YOUR-7BF6D1ED | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: An internal certificate chaining error has occurred.

Error - 2/27/2011 1:08:22 PM | Computer Name = YOUR-7BF6D1ED | Source = MPSampleSubmission | ID = 5000
Description =

Error - 2/27/2011 1:09:15 PM | Computer Name = YOUR-7BF6D1ED | Source = Microsoft Security Client | ID = 5000
Description =

Error - 2/27/2011 1:10:19 PM | Computer Name = YOUR-7BF6D1ED | Source = MPSampleSubmission | ID = 5000
Description =

Error - 2/27/2011 1:29:34 PM | Computer Name = YOUR-7BF6D1ED | Source = MPSampleSubmission | ID = 5000
Description =

Error - 2/27/2011 1:56:31 PM | Computer Name = YOUR-7BF6D1ED | Source = MPSampleSubmission | ID = 5000
Description =

Error - 2/28/2011 1:01:01 AM | Computer Name = YOUR-7BF6D1ED | Source = VSS | ID = 12293
Description = Volume Shadow Copy Service error: Error calling a routine on the Shadow
Copy Provider {b5946137-7b9f-4925-af80-51abd60b20d5}. Routine details Cannot ask
provider {00000000-0000-0000-0000-000000000000} if volume is supported. [0x8000ffff]
[hr = 0x8000ffff].

Error - 2/28/2011 2:51:28 PM | Computer Name = YOUR-7BF6D1ED | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office Shared MUI (English) 2007 -- Error 1706.
Setup cannot find the required files. Check your connection to the network, or
CD-ROM drive. For other potential solutions to this problem, see C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Setup00000730\SETUP.CHM.

Error - 2/28/2011 3:14:55 PM | Computer Name = YOUR-7BF6D1ED | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office Shared MUI (English) 2007 -- Error 1706.
Setup cannot find the required files. Check your connection to the network, or
CD-ROM drive. For other potential solutions to this problem, see C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Setup00000bb4\SETUP.CHM.

[ System Events ]
Error - 2/27/2011 8:34:17 PM | Computer Name = YOUR-7BF6D1ED | Source = RemoteAccess | ID = 20002
Description = Cannot access registry key values.

Error - 2/27/2011 8:34:17 PM | Computer Name = YOUR-7BF6D1ED | Source = RemoteAccess | ID = 20151
Description = The Control Protocol EAP in the Point to Point Protocol module C:\WINDOWS\System32\rasppp.dll
returned an error while initializing. The system cannot find the file specified.


Error - 2/27/2011 8:34:17 PM | Computer Name = YOUR-7BF6D1ED | Source = Rasman | ID = 20063
Description = Remote Access Connection Manager failed to start because the Point
to Point Protocol failed to initialize. The system cannot find the file specified.


Error - 2/27/2011 8:34:17 PM | Computer Name = YOUR-7BF6D1ED | Source = Service Control Manager | ID = 7023
Description = The Remote Access Connection Manager service terminated with the following
error: %%2

Error - 2/28/2011 9:33:25 AM | Computer Name = YOUR-7BF6D1ED | Source = Service Control Manager | ID = 7034
Description = The Amazon Download Agent service terminated unexpectedly. It has
done this 1 time(s).

Error - 2/28/2011 9:48:45 AM | Computer Name = YOUR-7BF6D1ED | Source = Rasman | ID = 20035
Description = Remote Access Connection Manager failed to start because it could
not create buffers. Restart the computer. Access is denied.

Error - 2/28/2011 2:57:01 PM | Computer Name = YOUR-7BF6D1ED | Source = Rasman | ID = 20035
Description = Remote Access Connection Manager failed to start because it could
not create buffers. Restart the computer. Access is denied.

Error - 2/28/2011 2:57:48 PM | Computer Name = YOUR-7BF6D1ED | Source = Rasman | ID = 20035
Description = Remote Access Connection Manager failed to start because it could
not create buffers. Restart the computer. Access is denied.

Error - 2/28/2011 3:47:02 PM | Computer Name = YOUR-7BF6D1ED | Source = Rasman | ID = 20035
Description = Remote Access Connection Manager failed to start because it could
not create buffers. Restart the computer. Access is denied.

Error - 2/28/2011 3:47:04 PM | Computer Name = YOUR-7BF6D1ED | Source = Rasman | ID = 20035
Description = Remote Access Connection Manager failed to start because it could
not create buffers. Restart the computer. Access is denied.


< End of report >

#5 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:10:51 PM

Posted 28 February 2011 - 03:05 PM

It appears the TDSSKiller log didn't get posted.

Can you please post it again for me?

It can be located in your C:\ drive.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#6 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:10:51 PM

Posted 28 February 2011 - 03:08 PM

crankygirl39,

OTL Fix

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.

    :Services
    :OTL
    SRV - File not found [Auto | Stopped] -- -- (Amazon Download Agent)
    IE - HKU\S-1-5-21-3352189345-227156992-886978096-500\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
    IE - HKU\S-1-5-21-3352189345-227156992-886978096-500\..\URLSearchHook: {EEE6C35D-6118-11DC-9C72-001320C79847} - Reg Error: Key error. File not found
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKU\S-1-5-21-3352189345-227156992-886978096-500\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O4 - HKLM..\Run: [AmazonGSDownloaderTray] File not found
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    O33 - MountPoints2\{5c0a7f28-ca92-11dc-886b-000bcd996851}\Shell - "" = AutoRun
    O33 - MountPoints2\{5c0a7f28-ca92-11dc-886b-000bcd996851}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{5c0a7f28-ca92-11dc-886b-000bcd996851}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
    [2011/02/24 16:36:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\lCdDoLp08200
    [2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



Running ComboFix
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
  • IMPORTANT - Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

    Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
  • Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#7 crankygirl39

crankygirl39
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:09:51 PM

Posted 28 February 2011 - 03:12 PM

ok.
I got rid of the AVG 2011 this morning - saw a post it might be bad. I'm now using Panda.
Here is the killer report -
2011/02/27 16:30:39.0765 3904 TDSS rootkit removing tool 2.4.18.0 Feb 21 2011 11:08:08
2011/02/27 16:30:40.0062 3904 ================================================================================
2011/02/27 16:30:40.0062 3904 SystemInfo:
2011/02/27 16:30:40.0062 3904
2011/02/27 16:30:40.0062 3904 OS Version: 5.1.2600 ServicePack: 3.0
2011/02/27 16:30:40.0062 3904 Product type: Workstation
2011/02/27 16:30:40.0062 3904 ComputerName: YOUR-7BF6D1ED
2011/02/27 16:30:40.0062 3904 UserName: Administrator
2011/02/27 16:30:40.0062 3904 Windows directory: C:\WINDOWS
2011/02/27 16:30:40.0062 3904 System windows directory: C:\WINDOWS
2011/02/27 16:30:40.0062 3904 Processor architecture: Intel x86
2011/02/27 16:30:40.0062 3904 Number of processors: 1
2011/02/27 16:30:40.0062 3904 Page size: 0x1000
2011/02/27 16:30:40.0062 3904 Boot type: Normal boot
2011/02/27 16:30:40.0062 3904 ================================================================================
2011/02/27 16:30:40.0609 3904 Initialize success
2011/02/27 16:30:44.0671 2972 ================================================================================
2011/02/27 16:30:44.0671 2972 Scan started
2011/02/27 16:30:44.0671 2972 Mode: Manual;
2011/02/27 16:30:44.0671 2972 ================================================================================
2011/02/27 16:30:46.0125 2972 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
2011/02/27 16:30:46.0343 2972 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/02/27 16:30:46.0546 2972 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/02/27 16:30:46.0718 2972 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\System32\DRIVERS\adpu160m.sys
2011/02/27 16:30:46.0921 2972 adpu320 (0ea9b1f0c6c90a509c8603775366adb7) C:\WINDOWS\System32\DRIVERS\adpu320.sys
2011/02/27 16:30:47.0187 2972 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/02/27 16:30:47.0375 2972 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/02/27 16:30:47.0656 2972 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\System32\DRIVERS\aic78u2.sys
2011/02/27 16:30:47.0828 2972 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\System32\DRIVERS\aic78xx.sys
2011/02/27 16:30:48.0515 2972 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/02/27 16:30:48.0671 2972 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/02/27 16:30:48.0953 2972 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/02/27 16:30:49.0109 2972 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/02/27 16:30:49.0281 2972 AVGIDSDriver (0c61f066f4d94bd67063dc6691935143) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
2011/02/27 16:30:49.0484 2972 AVGIDSEH (84853f800cd69252c3c764fe50d0346f) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
2011/02/27 16:30:49.0703 2972 AVGIDSFilter (28d6adcd03e10f3838488b9b5d407dd4) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
2011/02/27 16:30:49.0859 2972 AVGIDSShim (0eb16f4dbbb946360af30d2b13a52d1d) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
2011/02/27 16:30:50.0062 2972 Avgldx86 (5fe5a2c2330c376a1d8dcff8d2680a2d) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
2011/02/27 16:30:50.0296 2972 Avgmfx86 (54f1a9b4c9b540c2d8ac4baa171696b1) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
2011/02/27 16:30:50.0531 2972 Avgtdix (660788ec46f10ece80274d564fa8b4aa) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
2011/02/27 16:30:50.0734 2972 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/02/27 16:30:50.0890 2972 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/02/27 16:30:51.0031 2972 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/02/27 16:30:51.0187 2972 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/02/27 16:30:51.0406 2972 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/02/27 16:30:51.0687 2972 ClntMgmt (370c2a15d676a2bf0db65be6922edf05) C:\WINDOWS\system32\Drivers\ClntMgmt.sys
2011/02/27 16:30:52.0421 2972 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/02/27 16:30:52.0609 2972 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/02/27 16:30:52.0843 2972 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/02/27 16:30:53.0031 2972 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/02/27 16:30:53.0187 2972 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/02/27 16:30:53.0406 2972 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\drivers\dpti2o.sys
2011/02/27 16:30:53.0593 2972 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/02/27 16:30:53.0765 2972 E100B (fe9cb643a034285031502d3369e5a869) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/02/27 16:30:53.0953 2972 eaps2kbd (53ce0799c9384cac99942ff032285f21) C:\WINDOWS\system32\DRIVERS\eaps2kbd.sys
2011/02/27 16:30:54.0171 2972 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/02/27 16:30:54.0468 2972 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/02/27 16:30:54.0640 2972 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/02/27 16:30:54.0812 2972 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/02/27 16:30:54.0968 2972 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/02/27 16:30:55.0140 2972 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/02/27 16:30:55.0265 2972 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/02/27 16:30:55.0468 2972 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/02/27 16:30:55.0671 2972 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/02/27 16:30:56.0031 2972 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/02/27 16:30:56.0421 2972 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/02/27 16:30:56.0593 2972 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
2011/02/27 16:30:56.0765 2972 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
2011/02/27 16:30:56.0953 2972 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
2011/02/27 16:30:57.0125 2972 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
2011/02/27 16:30:57.0312 2972 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
2011/02/27 16:30:57.0500 2972 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
2011/02/27 16:30:57.0656 2972 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
2011/02/27 16:30:57.0843 2972 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
2011/02/27 16:30:58.0125 2972 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
2011/02/27 16:30:58.0312 2972 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
2011/02/27 16:30:58.0515 2972 ialm (71e67a8e0d63367b003c7dab3a43dc40) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/02/27 16:30:58.0734 2972 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/02/27 16:30:59.0062 2972 IntelC51 (8e51bf1696821a72656444e0fd5081a3) C:\WINDOWS\system32\DRIVERS\IntelC51.sys
2011/02/27 16:30:59.0312 2972 IntelC52 (331ce31882754000ca2afbf7bd480513) C:\WINDOWS\system32\DRIVERS\IntelC52.sys
2011/02/27 16:30:59.0546 2972 IntelC53 (8001fac548eb0285d0085f4eb53c1e3f) C:\WINDOWS\system32\DRIVERS\IntelC53.sys
2011/02/27 16:30:59.0718 2972 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/02/27 16:30:59.0875 2972 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/02/27 16:31:00.0062 2972 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/02/27 16:31:00.0218 2972 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/02/27 16:31:00.0328 2972 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/02/27 16:31:00.0578 2972 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/02/27 16:31:00.0765 2972 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/02/27 16:31:00.0968 2972 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/02/27 16:31:01.0156 2972 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/02/27 16:31:01.0250 2972 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/02/27 16:31:01.0343 2972 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/02/27 16:31:01.0484 2972 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/02/27 16:31:01.0671 2972 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/02/27 16:31:01.0968 2972 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/02/27 16:31:02.0171 2972 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/02/27 16:31:02.0390 2972 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/02/27 16:31:02.0578 2972 mohfilt (bdd406003c0c340cf6c5501165e83dcd) C:\WINDOWS\system32\DRIVERS\mohfilt.sys
2011/02/27 16:31:02.0765 2972 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/02/27 16:31:02.0921 2972 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/02/27 16:31:03.0078 2972 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/02/27 16:31:03.0265 2972 mozyFilter (b8e08bfcab2be31804cea983d2094faf) C:\WINDOWS\system32\DRIVERS\mozy.sys
2011/02/27 16:31:03.0453 2972 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2011/02/27 16:31:03.0703 2972 MpKsl116b6b91 (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CDBE4EF1-A7D7-4354-8C37-36D236C4ECD8}\MpKsl116b6b91.sys
2011/02/27 16:31:03.0750 2972 MpKslc0c48b96 (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CDBE4EF1-A7D7-4354-8C37-36D236C4ECD8}\MpKslc0c48b96.sys
2011/02/27 16:31:04.0015 2972 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/02/27 16:31:04.0218 2972 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/02/27 16:31:04.0453 2972 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/02/27 16:31:04.0656 2972 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/02/27 16:31:04.0875 2972 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/02/27 16:31:04.0984 2972 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/02/27 16:31:05.0078 2972 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/02/27 16:31:05.0250 2972 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/02/27 16:31:05.0453 2972 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/02/27 16:31:05.0656 2972 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/02/27 16:31:05.0843 2972 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/02/27 16:31:06.0015 2972 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/02/27 16:31:06.0218 2972 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/02/27 16:31:06.0437 2972 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/02/27 16:31:06.0656 2972 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/02/27 16:31:06.0906 2972 NMSCFG (7ee0f0862503ddd1e7dd0564870b4acb) C:\WINDOWS\system32\drivers\NMSCFG.SYS
2011/02/27 16:31:07.0187 2972 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/02/27 16:31:07.0390 2972 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/02/27 16:31:07.0625 2972 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/02/27 16:31:07.0828 2972 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/02/27 16:31:08.0000 2972 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/02/27 16:31:08.0125 2972 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
2011/02/27 16:31:08.0281 2972 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/02/27 16:31:08.0453 2972 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/02/27 16:31:08.0640 2972 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/02/27 16:31:08.0812 2972 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/02/27 16:31:09.0078 2972 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/02/27 16:31:09.0281 2972 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/02/27 16:31:09.0937 2972 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/02/27 16:31:10.0109 2972 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/02/27 16:31:10.0234 2972 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/02/27 16:31:10.0406 2972 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/02/27 16:31:11.0031 2972 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/02/27 16:31:11.0140 2972 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/02/27 16:31:11.0250 2972 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/02/27 16:31:11.0343 2972 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/02/27 16:31:11.0500 2972 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/02/27 16:31:11.0703 2972 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/02/27 16:31:11.0859 2972 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/02/27 16:31:12.0078 2972 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/02/27 16:31:12.0296 2972 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/02/27 16:31:12.0562 2972 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/02/27 16:31:12.0796 2972 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/02/27 16:31:12.0968 2972 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/02/27 16:31:13.0062 2972 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/02/27 16:31:13.0375 2972 smwdm (aac8c0f579705a4eed71cdb6954481c7) C:\WINDOWS\system32\drivers\smwdm.sys
2011/02/27 16:31:13.0687 2972 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/02/27 16:31:13.0890 2972 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/02/27 16:31:14.0109 2972 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/02/27 16:31:14.0328 2972 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/02/27 16:31:14.0484 2972 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/02/27 16:31:14.0671 2972 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\System32\DRIVERS\symc810.sys
2011/02/27 16:31:14.0859 2972 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\drivers\symc8xx.sys
2011/02/27 16:31:15.0062 2972 Symmpi (f2b7e8416f508368ac6730e2ae1c614f) C:\WINDOWS\System32\DRIVERS\symmpi.sys
2011/02/27 16:31:15.0359 2972 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\System32\DRIVERS\sym_u3.sys
2011/02/27 16:31:15.0468 2972 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/02/27 16:31:15.0671 2972 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/02/27 16:31:15.0953 2972 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/02/27 16:31:16.0093 2972 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/02/27 16:31:16.0265 2972 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/02/27 16:31:16.0578 2972 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/02/27 16:31:16.0875 2972 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/02/27 16:31:17.0156 2972 USB200M (f15fa1133b544b670132da0a0fbb7088) C:\WINDOWS\system32\DRIVERS\USB200M2.sys
2011/02/27 16:31:17.0421 2972 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/02/27 16:31:17.0593 2972 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/02/27 16:31:17.0781 2972 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/02/27 16:31:17.0968 2972 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/02/27 16:31:18.0125 2972 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/02/27 16:31:18.0281 2972 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/02/27 16:31:18.0468 2972 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/02/27 16:31:18.0640 2972 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/02/27 16:31:18.0843 2972 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\System32\DRIVERS\viaide.sys
2011/02/27 16:31:19.0031 2972 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/02/27 16:31:19.0250 2972 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/02/27 16:31:19.0515 2972 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/02/27 16:31:19.0828 2972 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/02/27 16:31:20.0031 2972 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/02/27 16:31:20.0250 2972 {6080A529-897E-4629-A488-ABA0C29B635E} (84461c577a4f1820ab612f3b85d8e1d2) C:\WINDOWS\system32\drivers\ialmsbw.sys
2011/02/27 16:31:20.0437 2972 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (6f005bf44bc3ea1a0c6a0410eff4d729) C:\WINDOWS\system32\drivers\ialmkchw.sys
2011/02/27 16:31:20.0500 2972 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/02/27 16:31:20.0656 2972 ================================================================================
2011/02/27 16:31:20.0656 2972 Scan finished
2011/02/27 16:31:20.0656 2972 ================================================================================
2011/02/27 16:31:20.0687 1948 Detected object count: 1
2011/02/27 16:31:51.0406 1948 \HardDisk0 - will be cured after reboot
2011/02/27 16:31:51.0406 1948 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/02/27 16:31:56.0328 3400 Deinitialize success

#8 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:10:51 PM

Posted 28 February 2011 - 03:13 PM

Okay, the TDSSKiller report confirms that it removed the main infection you had. Please be sure you see the post above yours.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#9 crankygirl39

crankygirl39
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:09:51 PM

Posted 28 February 2011 - 03:17 PM

The OTL Scans/Fixes is running with your code now.
Do I still need to do the other stuff (Running Combo Fix with a monkey flip)? :)

#10 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:10:51 PM

Posted 28 February 2011 - 03:17 PM

Do I still need to do the other stuff (Running Combo Fix with a monkey flip)?

Yes

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#11 crankygirl39

crankygirl39
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:09:51 PM

Posted 28 February 2011 - 03:55 PM

ggrrr.
I did not get the "congradulations" box.
I got an Error box.
C:\Boot.ini is not correctly formatted.

Edited by crankygirl39, 28 February 2011 - 04:43 PM.


#12 crankygirl39

crankygirl39
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:09:51 PM

Posted 28 February 2011 - 04:03 PM

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
Service Amazon Download Agent stopped successfully!
Service Amazon Download Agent deleted successfully!
Registry value HKEY_USERS\S-1-5-21-3352189345-227156992-886978096-500\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
Registry value HKEY_USERS\S-1-5-21-3352189345-227156992-886978096-500\Software\Microsoft\Internet Explorer\URLSearchHooks\\{EEE6C35D-6118-11DC-9C72-001320C79847} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EEE6C35D-6118-11DC-9C72-001320C79847}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_USERS\S-1-5-21-3352189345-227156992-886978096-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\AmazonGSDownloaderTray deleted successfully.
File oft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab not found.
Starting removal of ActiveX control Microsoft XML Parser for Java
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c0a7f28-ca92-11dc-886b-000bcd996851}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5c0a7f28-ca92-11dc-886b-000bcd996851}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c0a7f28-ca92-11dc-886b-000bcd996851}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5c0a7f28-ca92-11dc-886b-000bcd996851}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c0a7f28-ca92-11dc-886b-000bcd996851}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5c0a7f28-ca92-11dc-886b-000bcd996851}\ not found.
File E:\LaunchU3.exe -a not found.
Folder C:\Documents and Settings\All Users\Application Data\lCdDoLp08200\ not found.
C:\WINDOWS\002180_.tmp deleted successfully.
C:\WINDOWS\005712_.tmp deleted successfully.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Administrator\My Documents\Downloads\cmd.bat deleted successfully.
C:\Documents and Settings\Administrator\My Documents\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 156436786 bytes
->Temporary Internet Files folder emptied: 8012520 bytes
->Java cache emptied: 51504 bytes
->FireFox cache emptied: 65017469 bytes
->Flash cache emptied: 38163 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 416068177 bytes
->Flash cache emptied: 52169 bytes

User: NetworkService
->Temp folder emptied: 25404 bytes
->Temporary Internet Files folder emptied: 613285277 bytes
->Flash cache emptied: 15423 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1828084 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 35894 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,203.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.22.2 log created on 02282011_151339

Files\Folders moved on Reboot...
C:\WINDOWS\temp\Perflib_Perfdata_4d0.dat moved successfully.

Registry entries deleted on Reboot...

#13 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:10:51 PM

Posted 28 February 2011 - 04:45 PM

ggrrr.
I did not get the "congradulations" box.
I got an Error box.
C:\Boot.ini is not correctly formatted.

When do you see this error message?

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#14 crankygirl39

crankygirl39
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:09:51 PM

Posted 28 February 2011 - 04:50 PM

After, "the machine does not have the microsoft windows recovery console installed" pop up box,



Your instructions said I would see the message below.
* Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Instead it read:
C:\Boot.ini is not correctly formatted.

I clicked OK and completed the process. I posted the log above.

#15 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:10:51 PM

Posted 28 February 2011 - 04:57 PM

Open notepad by going to START > RUN and type notepad.exe in the box that appears. In the window that pops up please copy and paste the following:

@echo off
type %systemdrive%\boot.ini >log.txt
echo.>>log.txt
if exist %systemdrive%\cmdcons (echo CMDCONS PRESENT!)>>log.txt
notepad log.txt

In Notepad click on the "File" menu > Save As... Under "File name" type boot.bat and Change "Save as type" to All Files, save it to a place you will remember.

Double click on boot.bat


Please post the contents of log.txt in your next reply.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users