Trend Chip Away Virus has detected a boot virus


This topic is locked
21 replies to this topic

#1 cad4567

  • Members
  • 22 posts

Posted 02 March 2011 - 04:41 PM

Hi All,

I am infected with a virus. On start-up of the computer, a red screen with the following message is displayed: "Trend Chip away Virus has detected a boot virus", and the following further information is displayed: "Complete virus protection for the enterprise go to Trend Micro www.antivirus.com." The DOS screen tells you to click on <C> to continue booting and basically displays two screens that tell you to go back and forth. At the bottom of the screen a DOS icon, similar to the Mario games icon, moves back and forth on top of a dotted line, and when it reaches the end it displays "TVGA on guard." Eventually, it allows you to do the boot-up. After encountering this problem, I came to the site and searched for the same name, and it was indicated in the forum that it's a boot virus. I would appreciate it if someone could help me in removing this virus. As I use MBAM for AV detection, I ran it in safe mode and it detected 26 viruses. As per the forum requirements, I ran DDS and I have attached the report along with the topic. I ran GMER, but it hung up and I had to reboot. After the MBAM run I am still having the red screen while booting the machine.

Thanks in advance for the help.

David

I am not able to attach reports along with the main message.

The MBAM file. I still can't attach or post the DDS file. I will try again after some time.
Sorry for the inconvenience.

Merged 3 posts. ~ OB

Hello everyone

Does anyone have an idea of an exe called Q4Vn4e07? I can see this exe file in my Task Manager as well as in my Process Explorer and it seems to be mutating. I delete a couple of them, and it seems to be doubling in amount. I checked my outbound connections and there seem to be at least 25-30 svchost instances running with the same process number 872. I feel it in my gut that there is something wrong with my computer.

Could someone who has encountered this give an idea of what the problem could be?

Thanks for your response in advance.

David

Merged posts again. @ David, please be patient. It may be several days before you get a reply. ~ OB

Edited by Orange Blossom, 02 March 2011 - 09:57 PM.



#2 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 09 March 2011 - 09:23 AM

Hi,

Welcome to Bleeping Computer.

My name is Shannon and I will be working with you to remove the malware that is on your machine.

I apologize for the delay in replying to your post, but this forum is extremely busy.

Please Track this topic - On the top right of this thread, click on the Options button, and, in the drop-down list, click on 'Track this topic'. Under Subscription Information, click on 'Immediate Email Notification' and then click on the Proceed button at the bottom.

Do Not make any changes on your own to the infected computer.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Now, let's look more thoroughly at the infected computer -

We need to see some information about what is happening in your machine. Please perform the following scan:
  • We need to create an OTL Report
  • Please download OTL from here:
  • Main Mirror
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList"
  • Push the Run Scan button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Next, we need a log from the GMER anti-rootkit scanner, but, first, we need to disable your CD Emulation drivers.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Next, please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Once you have the above logs, click on the Add Reply button below, copy in the contents of the two OTL logs and the GMER log. Also include any comments that you might have concerning the infection(s) and the infected computer.
Shannon
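The OTL Extras report requested above contains Security Center, Firewall and File Association sections that are worth reading before anything else. As an added example (not OTL's code or anything posted in this thread), this Python helper parses those sections out of an Extras log and flags the settings a responder would check first; the sample input is constructed to mirror the report format, with section names and key paths as OTL prints them.

```python
"""Triage helper for the Security Center, Firewall and File Association
sections of an OTL 'Extras' report.  Added example, not OTL's own code or
anything posted in this thread; the sample below is constructed to mirror
the report format and the values shown in the thread."""
import re
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")     # ========== Name ==========
KEY_RE = re.compile(r"^\[(.+)\]$")                # [HKEY_...\Path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "Name" = value

# Constructed sample in OTL Extras format (values mirror the posted report).
SAMPLE_EXTRAS = r"""
========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-1844237615-839522115-1708537768-500\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"""


def parse_extras(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {section name: {registry key: [raw lines under that key]}}."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                                   # new "========== X ==========" block
            section, key = m.group(1), None
            sections.setdefault(section, {})
            continue
        m = KEY_RE.match(line)
        if m and section is not None:           # new [registry key] block
            key = m.group(1)
            sections[section].setdefault(key, [])
            continue
        if section is not None and key is not None:
            sections[section][key].append(line)
    return sections


def values(lines: List[str]) -> Dict[str, str]:
    """Collect the "Name" = value pairs from one registry key block."""
    out: Dict[str, str] = {}
    for line in lines:
        m = VALUE_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2).strip()
    return out


def review_extras(text: str) -> List[Tuple[str, str]]:
    """Return (registry key, finding) pairs for settings worth a second look."""
    findings: List[Tuple[str, str]] = []
    sections = parse_extras(text)
    # Security Center: an *Override value of 1 stops XP's Security Center from
    # alerting that antivirus or the firewall is missing; malware and some
    # third-party tools both set it, so it must be explained either way.
    for key, lines in sections.get("Security Center Settings", {}).items():
        v = values(lines)
        for name in ("AntiVirusOverride", "FirewallOverride"):
            if v.get(name) == "1":
                findings.append((key, f"{name}=1: Security Center alerts suppressed"))
    # Firewall: EnableFirewall=0 means Windows Firewall is off for that profile
    # (which profile is active depends on domain membership).
    for key, lines in sections.get("Firewall Settings", {}).items():
        if values(lines).get("EnableFirewall") == "0":
            profile = key.rsplit("\\", 1)[-1]
            findings.append((key, f"Windows Firewall disabled for {profile}"))
    # File associations: OTL prints "Reg Error" when an association such as
    # .exe cannot be resolved, a common sign of tampering with how programs launch.
    for key, lines in sections.get("File Associations", {}).items():
        for line in lines:
            if "Reg Error" in line:
                findings.append((key, f"{line.split()[0]} association: {line}"))
    return findings


if __name__ == "__main__":
    for reg_key, finding in review_extras(SAMPLE_EXTRAS):
        print(f"{finding}\n    at {reg_key}")
```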

#3 cad4567
  • Topic Starter
  • Members
  • 22 posts

Posted 09 March 2011 - 11:44 AM

Hi Shannon,

Thanks for the reply. I use my computer for everything, like development and transactions, and the thought that a virus was lurking inside, especially for important transactions, made me tip over. I had to resort to extreme measures. The thought that my moves would be monitored by the attack caused me to download ComboFix on my own. I do understand that your site is busy, but I had no option because I do not like to use public computers or a friend's computer for transactions, and due dates were fast approaching. I ran it and it detected TDL3 variants, which were removed from the computer. I have been running MBAM and SAS almost every day, and so far no untoward incidents have been noted on the computer. I do understand your policy with regards to the use of ComboFix, and I risked my computer by downloading and fixing on my own. If you still want the reports I can post them. Again, if policy permits, you could help me in checking for any other variants and clean-up procedures, but I do understand if you choose otherwise. Once again thanks for the help. Looking forward to hearing from you.

David

#4 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 09 March 2011 - 12:20 PM

Hi-

Go ahead and copy the ComboFix report into your reply. It should be at c:\ComboFix.txt. Also, please run the OTL scan and copy in its two output reports.
Shannon

#5 cad4567
  • Topic Starter
  • Members
  • 22 posts

Posted 10 March 2011 - 03:19 AM

Hi Shannon,

Thanks for your quick response. With regards to combofix.txt, I searched my computer but unfortunately I can't find the file; I did find a couple of ComboFix files, though, and their outputs are shown below.

I ran the OTL and the output of the Extra and OTL.txt files are also shown below.

==========================Combofix Quarantined files =================================================


2011-03-03 04:18:30 . 2011-03-03 04:18:30 664 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Software Informer.reg.dat
2011-03-03 04:18:30 . 2011-03-03 04:18:30 624 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Skype.reg.dat
2011-03-03 04:18:30 . 2011-03-03 04:18:30 600 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-BitTorrent DNA.reg.dat
2011-03-03 04:18:29 . 2011-03-03 04:18:29 546 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-klmdb.sys.reg.dat
2011-03-03 04:18:04 . 2011-03-03 04:18:04 152 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Oxebabababa.reg.dat
2011-03-03 04:04:34 . 2011-03-03 04:04:34 708 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_sstDD.reg.dat
2011-03-03 04:04:34 . 2011-03-03 04:04:34 1,298 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_sstDD.reg.dat
2011-03-03 04:02:25 . 2011-03-03 04:02:25 3,886 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_6to4.reg.dat
2011-03-03 04:02:25 . 2011-03-03 04:02:25 790 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_SSHNAS.reg.dat
2011-03-03 04:02:25 . 2011-03-03 04:02:25 990 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_6TO4.reg.dat
2011-03-03 04:02:09 . 2011-03-03 04:02:09 4,892 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-03-03 03:42:33 . 2011-03-03 03:42:33 512 ----a-w- C:\Qoobox\Quarantine\MBR_HardDisk0.mbr
2011-03-03 03:34:03 . 2011-03-03 03:47:19 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
2011-03-02 19:52:51 . 2011-03-03 02:28:47 1,602 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\OfferBox\config.xml.vir
2011-03-02 17:29:20 . 2011-03-02 17:29:20 2,917 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\C1E9F7332CA1702738233D92F4E253FE\lsrslt.ini.vir
2011-03-02 17:27:01 . 2011-03-03 02:29:02 1,886 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\OfferBox\config.xml.vir
2011-03-02 17:25:10 . 2011-03-02 17:25:10 28,842 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\C1E9F7332CA1702738233D92F4E253FE\enemies-names.txt.vir
2011-03-02 17:25:10 . 2011-03-02 17:25:11 26,602 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\C1E9F7332CA1702738233D92F4E253FE\local.ini.vir
2011-01-21 11:55:26 . 2011-01-21 11:55:26 135,000 ----a-w- C:\Qoobox\Quarantine\C\Program Files\OfferBox\OfferBoxBHO.dll.vir
2010-12-05 13:54:54 . 2010-12-05 13:55:02 53,248 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\sstDD.sys.vir
2010-09-02 16:11:49 . 2010-09-02 16:11:49 4,444 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\Bitrix Security\elnbauqx6_shrd.vir
2010-09-01 14:13:04 . 2010-09-01 14:13:04 1 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\Bitrix Security\qnf.txt.vir
2010-09-01 14:13:03 . 2010-09-01 14:13:04 4,444 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\Bitrix Security\elnbauqx6_shrd.vir
2010-09-01 14:12:58 . 2010-09-01 14:12:58 101,262 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\Bitrix Security\ybjfxg.vir
2004-08-03 22:56:48 . 2008-04-14 00:12:08 362,496 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\ozayuhasajub.dll.vir


=================================Extra======================================


OTL Extras logfile created on: 3/10/2011 12:03:48 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 195.00 Mb Available Physical Memory | 38.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 50.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.07 Gb Total Space | 1.58 Gb Free Space | 8.28% Space Free | Partition Type: NTFS

Computer Name: TRIDENT | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-1844237615-839522115-1708537768-500\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found
.html [@ = ChromeHTML] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe (Google Inc.)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\eclipse\eclipse.exe" = C:\eclipse\eclipse.exe:*:Enabled:eclipse -- ()
"C:\jdk1.6\jre\bin\javaw.exe" = C:\jdk1.6\jre\bin\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\jdk1.6\bin\java.exe" = C:\jdk1.6\bin\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\jdk1.6\java\bin\javaw.exe" = C:\jdk1.6\java\bin\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\WINDOWS\system32\ftp.exe" = C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program -- (Microsoft Corporation)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\Dial91\Dial91.exe" = C:\Program Files\Dial91\Dial91.exe:*:Enabled:Sip Client -- ()
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Disabled:BitTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Cisco Packet Tracer 5.3.1\bin\PacketTracer5.exe" = C:\Program Files\Cisco Packet Tracer 5.3.1\bin\PacketTracer5.exe:*:Enabled:PacketTracer5 -- ()
"C:\NetBeans\NetBeans 6.9.1\bin\netbeans.exe" = C:\NetBeans\NetBeans 6.9.1\bin\netbeans.exe:*:Enabled:netbeans -- ()
"C:\Program Files\Nymgo4.0\Nymgo.exe" = C:\Program Files\Nymgo4.0\Nymgo.exe:*:Enabled:Nymgo -- ()
"C:\Studying in Canada\KU\StudyBook\Second Semester\Distributed Systems 3210 - Xing Lui\DotNet Project\Code\RServer\bin\Debug\RServer.vshost.exe" = C:\Studying in Canada\KU\StudyBook\Second Semester\Distributed Systems 3210 - Xing Lui\DotNet Project\Code\RServer\bin\Debug\RServer.vshost.exe:*:Enabled:vshost.exe -- (Microsoft Corporation)
"C:\Studying in Canada\KU\StudyBook\Second Semester\Distributed Systems 3210 - Xing Lui\DotNet Project\FirstDotNetCode\Server\ConsoleApplication1\ConsoleApplication1\bin\Release\ConsoleApplication1.exe" = C:\Studying in Canada\KU\StudyBook\Second Semester\Distributed Systems 3210 - Xing Lui\DotNet Project\FirstDotNetCode\Server\ConsoleApplication1\ConsoleApplication1\bin\Release\ConsoleApplication1.exe:*:Enabled:ConsoleApplication1 -- (Dogwood)
"C:\DotNetProjects\Second Deliverable\Server\Server\bin\Debug\Server.vshost.exe" = C:\DotNetProjects\Second Deliverable\Server\Server\bin\Debug\Server.vshost.exe:*:Enabled:vshost.exe -- (Microsoft Corporation)
"C:\DotNetProjects\Second Deliverable\SimpleConsoleBased\Server\Server\bin\Debug\Server.vshost.exe" = C:\DotNetProjects\Second Deliverable\SimpleConsoleBased\Server\Server\bin\Debug\Server.vshost.exe:*:Enabled:vshost.exe -- (Microsoft Corporation)
"C:\DotNetProjects\Third Deliverable\Server\Server\bin\Debug\Server.vshost.exe" = C:\DotNetProjects\Third Deliverable\Server\Server\bin\Debug\Server.vshost.exe:*:Enabled:vshost.exe -- (Microsoft Corporation)
"C:\DotNetProjects\Third Deliverable\SimpleConsoleBased\Server\Server\bin\Debug\Server.vshost.exe" = C:\DotNetProjects\Third Deliverable\SimpleConsoleBased\Server\Server\bin\Debug\Server.vshost.exe:*:Enabled:vshost.exe -- (Microsoft Corporation)
"C:\DotNetProjects\FourthDeliverable\Server\Server\bin\Debug\Server.vshost.exe" = C:\DotNetProjects\FourthDeliverable\Server\Server\bin\Debug\Server.vshost.exe:*:Enabled:vshost.exe -- (Microsoft Corporation)
"C:\DotNetProjects\FourthDeliverable\Asynchronous\server\server\bin\Debug\server.vshost.exe" = C:\DotNetProjects\FourthDeliverable\Asynchronous\server\server\bin\Debug\server.vshost.exe:*:Enabled:vshost.exe -- (Microsoft Corporation)
"C:\DotNetProjects\FourthDeliverable\OneWayCall\Server\Server\bin\Debug\Server.vshost.exe" = C:\DotNetProjects\FourthDeliverable\OneWayCall\Server\Server\bin\Debug\Server.vshost.exe:*:Enabled:vshost.exe -- (Microsoft Corporation)
"C:\DotNetProjects\FourthDeliverable\MultiServer\Server\Server\bin\Debug\Server.vshost.exe" = C:\DotNetProjects\FourthDeliverable\MultiServer\Server\Server\bin\Debug\Server.vshost.exe:*:Enabled:vshost.exe -- (Microsoft Corporation)
"C:\DotNetProjects\FourthDeliverable\MultiServer\Server1\Server1\bin\Debug\Server1.vshost.exe" = C:\DotNetProjects\FourthDeliverable\MultiServer\Server1\Server1\bin\Debug\Server1.vshost.exe:*:Enabled:vshost.exe -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{01D76D8E-A496-4870-8357-87C6D2B5E807}" = MySQL Server 5.1
"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 15
"{2A5E0816-E0AC-4B38-8976-133EAF35AEE5}" = Nymgo4.0
"{32A3A4F4-B792-11D6-A78A-00B0D0160110}" = Java™ SE Development Kit 6 Update 11
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}" = McAfee SiteAdvisor
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7E7D7935-B0C8-4032-80BA-2CDC9E43C3B8}" = Microsoft Visual C# 2005 Express Edition - ENU
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{903B0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Project Professional 2002
"{998D6972-F58E-479D-9248-8F179E55AE38}" = Java DB 10.4.1.3
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.2
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B6EC7388-E277-4A5B-8C8F-71067A41BA64}" = TextPad 5
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BD12EB47-DBDF-11D3-BEEA-00A0CC272509}" = Norton AntiVirus Corporate Edition
"{BE93B1FC-E14C-4CAC-864E-686C6DA51C2D}" = Dial91
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Camera Window DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CCleaner" = CCleaner (remove only)
"Cisco Packet Tracer 5.3.1_is1" = Cisco Packet Tracer 5.3.1
"CSCLIB" = Canon Camera Support Core Library
"Dia" = Dia (remove only)
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"EOS Utility" = Canon Utilities EOS Utility
"Free Download Manager_is1" = Free Download Manager 3.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"Java Platform, Enterprise Edition 5 SDK" = Java Platform, Enterprise Edition 5 SDK
"Karen's Cookie Viewer" = Karen's Cookie Viewer
"KLiteCodecPack_is1" = K-Lite Codec Pack 3.2.5 Standard
"LiveUpdate" = LiveUpdate 3.2 (Symantec Corporation)
"LiveUpdate1.6" = LiveUpdate 1.6 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Visual C# 2005 Express Edition - ENU" = Microsoft Visual C# 2005 Express Edition - ENU
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
"MP4 Player" = MP4 Player
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"nbi-glassfish-mod-3.0.1.22.0" = GlassFish Server Open Source Edition 3.0.1
"nbi-nb-base-6.9.1.0.0" = NetBeans IDE 6.9.1
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PCI Audio Driver" = PCI Audio Driver
"PhotoStitch" = Canon Utilities PhotoStitch
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RealAlt_is1" = Real Alternative 1.9.0
"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
"SpywareBlaster_is1" = SpywareBlaster 4.2
"StarUML_is1" = StarUML 5.0.2.1570
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1844237615-839522115-1708537768-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent" = BitTorrent
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/2/2011 10:07:05 PM | Computer Name = TRIDENT | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 3/2/2011 10:08:01 PM | Computer Name = TRIDENT | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 3/2/2011 10:08:02 PM | Computer Name = TRIDENT | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 3/2/2011 10:42:51 PM | Computer Name = TRIDENT | Source = Application Hang | ID = 1002
Description = Hanging application gmer.exe, version 1.0.15.15530, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 3/3/2011 2:28:26 AM | Computer Name = TRIDENT | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 0.0.0.0, faulting module
, version 0.0.0.0, fault address 0x00000000.

Error - 3/3/2011 11:00:17 PM | Computer Name = TRIDENT | Source = Application Error | ID = 1000
Description = Faulting application winword.exe, version 9.0.0.2717, faulting module
mso9.dll, version 9.0.0.2720, fault address 0x00020522.

Error - 3/4/2011 11:43:00 AM | Computer Name = TRIDENT | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 9.0.0.2717, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 3/4/2011 10:09:55 PM | Computer Name = TRIDENT | Source = Application Hang | ID = 1002
Description = Hanging application Nymgo.exe, version 0.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 3/5/2011 4:05:20 AM | Computer Name = TRIDENT | Source = Application Hang | ID = 1002
Description = Hanging application AcroRd32.exe, version 9.4.2.220, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 3/5/2011 1:53:05 PM | Computer Name = TRIDENT | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 9.0.0.2717, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 3/10/2011 3:42:17 AM | Computer Name = TRIDENT | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 3/10/2011 3:42:17 AM | Computer Name = TRIDENT | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 3/10/2011 3:46:19 AM | Computer Name = TRIDENT | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 3/10/2011 3:46:19 AM | Computer Name = TRIDENT | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 3/10/2011 3:50:33 AM | Computer Name = TRIDENT | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 3/10/2011 3:50:33 AM | Computer Name = TRIDENT | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 3/10/2011 3:54:46 AM | Computer Name = TRIDENT | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 3/10/2011 3:54:47 AM | Computer Name = TRIDENT | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 3/10/2011 3:59:19 AM | Computer Name = TRIDENT | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 3/10/2011 3:59:19 AM | Computer Name = TRIDENT | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}


< End of report >

===============================OTL.txt========================================

OTL logfile created on: 3/10/2011 12:03:48 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 195.00 Mb Available Physical Memory | 38.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 50.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.07 Gb Total Space | 1.58 Gb Free Space | 8.28% Space Free | Partition Type: NTFS

Computer Name: TRIDENT | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/09 22:37:17 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2011/02/26 06:36:36 | 002,423,752 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
PRC - [2011/02/18 00:22:03 | 000,995,896 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2010/11/24 11:07:58 | 000,088,176 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/07/25 05:23:10 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\jdk1.6\java\bin\jqs.exe
PRC - [2009/02/09 10:37:16 | 000,139,264 | ---- | M] (Sun Microsystems, Inc.) -- C:\Sun\SDK\jdk\bin\javaw.exe
PRC - [2009/02/01 07:38:02 | 000,139,264 | ---- | M] (Sun Microsystems, Inc.) -- C:\jdk1.6\bin\java.exe
PRC - [2009/01/31 02:45:14 | 003,399,727 | ---- | M] (FreeDownloadManager.ORG) -- C:\Program Files\Free Download Manager\fdm.exe
PRC - [2008/04/13 16:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/13 16:12:14 | 000,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cmd.exe
PRC - [2007/09/17 07:40:42 | 000,639,488 | ---- | M] () -- C:\Program Files\MP4 Player\Mp4Player.exe
PRC - [2002/10/15 17:00:20 | 001,818,624 | ---- | M] (C-Media Electronic Inc. (www.cmedia.com.tw)) -- C:\WINDOWS\mixer.exe
PRC - [2001/06/21 15:21:54 | 000,057,344 | ---- | M] (Symantec Corporation) -- C:\Program Files\NavNT\vptray.exe
PRC - [2001/06/21 15:16:52 | 000,442,368 | ---- | M] (Symantec Corporation) -- C:\Program Files\NavNT\rtvscan.exe
PRC - [2001/06/21 15:14:26 | 000,032,768 | ---- | M] (Symantec Corporation) -- C:\Program Files\NavNT\defwatch.exe
PRC - [2000/09/18 16:12:40 | 000,014,336 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\MSGSYS.EXE
PRC - [1998/12/23 21:51:54 | 000,045,568 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE


========== Modules (SafeList) ==========

MOD - [2011/03/09 22:37:17 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2011/01/04 17:38:44 | 000,018,176 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2010/08/23 08:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2010/11/24 11:07:58 | 000,088,176 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/07/25 05:23:10 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\jdk1.6\java\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2007/09/12 18:27:24 | 002,999,664 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)
SRV - [2006/03/30 09:15:44 | 000,096,341 | ---- | M] (Canon Inc.) [Auto | Stopped] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2001/06/21 15:16:52 | 000,442,368 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\NavNT\rtvscan.exe -- (Norton AntiVirus Server)
SRV - [2001/06/21 15:14:26 | 000,032,768 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\NavNT\defwatch.exe -- (DefWatch)


========== Driver Services (SafeList) ==========

DRV - [2010/07/26 05:47:57 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/07/26 05:47:56 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2010/07/26 05:47:56 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/01/03 19:22:56 | 000,020,480 | ---- | M] (Wondershare) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CapAudio.sys -- (wsvad_driver)
DRV - [2008/04/13 10:45:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2004/08/03 14:29:50 | 000,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wVchNTxx.sys -- (iAimFP4)
DRV - [2004/08/03 14:29:48 | 000,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wSiINTxx.sys -- (iAimFP3)
DRV - [2004/08/03 14:29:46 | 000,025,471 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV10nt.sys -- (iAimTV5)
DRV - [2004/08/03 14:29:46 | 000,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wCh7xxNT.sys -- (iAimTV4)
DRV - [2004/08/03 14:29:46 | 000,022,271 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV06nt.sys -- (iAimTV6)
DRV - [2004/08/03 14:29:44 | 000,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV04nt.sys -- (iAimTV3)
DRV - [2004/08/03 14:29:44 | 000,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV02NT.sys -- (iAimTV1)
DRV - [2004/08/03 14:29:42 | 000,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV01nt.sys -- (iAimTV0)
DRV - [2004/08/03 14:29:42 | 000,011,871 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV09NT.sys -- (iAimFP7)
DRV - [2004/08/03 14:29:40 | 000,011,807 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV07nt.sys -- (iAimFP5)
DRV - [2004/08/03 14:29:40 | 000,011,295 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV08NT.sys -- (iAimFP6)
DRV - [2004/08/03 14:29:38 | 000,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\i81xnt5.sys -- (i81x)
DRV - [2004/08/03 14:29:38 | 000,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV01nt.sys -- (iAimFP0)
DRV - [2004/08/03 14:29:38 | 000,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV02NT.sys -- (iAimFP1)
DRV - [2004/08/03 14:29:38 | 000,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV05NT.sys -- (iAimFP2)
DRV - [2004/08/03 14:29:28 | 000,701,440 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2003/02/20 22:25:28 | 000,063,744 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2002/11/18 14:51:40 | 000,377,358 | ---- | M] (C-Media Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cmaudio.sys -- (cmpci) C-Media PCI Audio Driver (WDM)
DRV - [2002/07/17 07:05:10 | 000,016,512 | ---- | M] (Adaptec) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ASPI32.SYS -- (ASPI)
DRV - [2001/08/17 04:12:02 | 000,063,208 | ---- | M] (Intel Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dc21x4.sys -- (DC21x4)
DRV - [2001/05/02 18:46:22 | 000,009,024 | ---- | M] () [Kernel | Auto | Running] -- C:\Program Files\NavNT\Navapel.sys -- (NAVAPEL)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1844237615-839522115-1708537768-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
IE - HKU\S-1-5-21-1844237615-839522115-1708537768-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1844237615-839522115-1708537768-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.search.selectedEngine: "Secure Search"
FF - prefs.js..browser.startup.homepage: "http://www.google.ca"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.3
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.5.4.20081105
FF - prefs.js..extensions.enabledItems: {B1714ED9-3D8D-457B-AABE-06B298923E05}:1.9.1
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=mcafee&p="


FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\jdk1.6\java\lib\deploy\jqs\ff [2009/02/01 07:41:51 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{B1714ED9-3D8D-457B-AABE-06B298923E05}: C:\Documents and Settings\Administrator\Local Settings\Application Data\{B1714ED9-3D8D-457B-AABE-06B298923E05} [2010/10/30 17:54:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/02/28 08:49:53 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/02/13 10:00:48 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/02 22:16:09 | 000,000,000 | ---D | M]

[2009/07/27 12:50:39 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2011/02/27 10:23:02 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jaywz1aj.default\extensions
[2010/04/29 11:34:46 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jaywz1aj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/08/22 12:51:04 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jaywz1aj.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/02/27 10:23:02 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/10/30 17:54:18 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\{B1714ED9-3D8D-457B-AABE-06B298923E05}
[2009/02/01 07:41:51 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\JDK1.6\JAVA\LIB\DEPLOY\JQS\FF
[2011/02/28 08:49:53 | 000,000,000 | ---D | M] (McAfee SiteAdvisor) -- C:\PROGRAM FILES\MCAFEE\SITEADVISOR
[2010/11/20 11:05:52 | 000,002,024 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\McSiteAdvisor.xml

O1 HOSTS File: ([2011/03/02 20:10:30 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O2 - BHO: (FDMIECookiesBHO Class) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll ()
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\jdk1.6\java\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKU\S-1-5-21-1844237615-839522115-1708537768-500\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O4 - HKLM..\Run: [C-Media Mixer] C:\WINDOWS\mixer.exe (C-Media Electronic Inc. (www.cmedia.com.tw))
O4 - HKLM..\Run: [vptray] C:\Program Files\NavNT\vptray.exe (Symantec Corporation)
O4 - HKU\S-1-5-21-1844237615-839522115-1708537768-500..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe (FreeDownloadManager.ORG)
O4 - HKU\S-1-5-21-1844237615-839522115-1708537768-500..\Run: [MP4 Player] C:\Program Files\MP4 Player\mp4Player.exe ()
O4 - HKU\S-1-5-21-1844237615-839522115-1708537768-500..\Run: [NymgoInstallerPath] C:\Program Files\Nymgo4.0\Nymgo.exe ()
O4 - HKU\S-1-5-21-1844237615-839522115-1708537768-500..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\SDK Tray Menu.lnk = C:\Sun\SDK\jdk\bin\javaw.exe (Sun Microsystems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1844237615-839522115-1708537768-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1844237615-839522115-1708537768-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1844237615-839522115-1708537768-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1844237615-839522115-1708537768-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Download all with Free Download Manager - C:\Program Files\Free Download Manager\dlall.htm ()
O8 - Extra context menu item: Download selected with Free Download Manager - C:\Program Files\Free Download Manager\dlselected.htm ()
O8 - Extra context menu item: Download video with Free Download Manager - C:\Program Files\Free Download Manager\dlfvideo.htm ()
O8 - Extra context menu item: Download with Free Download Manager - C:\Program Files\Free Download Manager\dllink.htm ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1215198143561 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.168.122.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Filter\x-sdch {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\.DEFAULT Winlogon: Shell - (EXPLORER.EXE) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-18 Winlogon: Shell - (EXPLORER.EXE) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/04 10:30:29 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/04/14 09:22:48 | 000,000,000 | ---D | M] - C:\AutoRuns -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-1844237615-839522115-1708537768-500\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2011/03/09 22:37:14 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/03/07 21:47:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Nymgo4.0
[2011/03/04 11:16:10 | 000,000,000 | ---D | C] -- C:\MicrosoftProject
[2011/03/02 22:31:33 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2011/03/02 22:30:54 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/03/02 22:29:53 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011/03/02 19:34:50 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/03/02 19:34:50 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/03/02 19:34:50 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/03/02 19:34:50 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/03/02 19:32:55 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/03/02 12:02:01 | 002,322,184 | ---- | C] (ESET) -- C:\Documents and Settings\Administrator\Desktop\esetsmartinstaller_enu.exe
[2011/03/02 11:51:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2011/03/02 11:51:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Google
[2011/03/02 09:29:17 | 000,090,112 | ---- | C] (Gakspmbil Eqeagscplpg) -- C:\WINDOWS\System32\usbmona.dll
[2011/03/02 09:29:17 | 000,090,112 | ---- | C] (Gakspmbil Eqeagscplpg) -- C:\WINDOWS\System32\ntlanuic.dll
[1998/12/09 02:53:54 | 000,186,368 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAREG.DLL
[1998/12/09 02:53:54 | 000,099,840 | ---- | C] (Symantec Corp.) -- C:\Program Files\Common Files\IRAABOUT.DLL
[1998/12/09 02:53:54 | 000,070,144 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAMDMTR.DLL
[1998/12/09 02:53:54 | 000,048,640 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRALPTTR.DLL
[1998/12/09 02:53:54 | 000,031,744 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAWEBTR.DLL
[1998/12/09 02:53:54 | 000,017,920 | ---- | C] (Symantec Corp.) -- C:\Program Files\Common Files\IRASRIAL.DLL
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/09 23:56:08 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-839522115-1708537768-500UA.job
[2011/03/09 22:37:17 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/03/09 17:56:04 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-839522115-1708537768-500Core.job
[2011/03/09 07:29:43 | 000,012,288 | ---- | M] () -- C:\Documents and Settings\Administrator\NymgoDataBase
[2011/03/09 07:27:34 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\Administrator\tray.pid
[2011/03/09 07:27:04 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2011/03/09 07:25:52 | 000,000,324 | ---- | M] () -- C:\WINDOWS\tasks\Guqhkpjs.job
[2011/03/09 07:25:52 | 000,000,318 | ---- | M] () -- C:\WINDOWS\tasks\Atpltn.job
[2011/03/09 07:25:48 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/05 08:02:29 | 000,001,591 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ Nymgo.lnk
[2011/03/05 07:59:21 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/04 12:57:44 | 000,001,730 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
[2011/03/03 15:00:00 | 000,002,322 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/03/03 14:59:59 | 000,002,344 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Google Chrome.lnk
[2011/03/02 22:16:10 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/03/02 22:07:40 | 000,006,948 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\wgalonbackup.reg
[2011/03/02 20:29:16 | 001,374,808 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\tdsskiller.exe
[2011/03/02 20:10:30 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/03/02 19:26:06 | 004,279,013 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2011/03/02 17:58:06 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Vgilika.dat
[2011/03/02 12:02:31 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\Administrator\Desktop\esetsmartinstaller_enu.exe
[2011/03/02 12:02:17 | 000,624,128 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr
[2011/03/02 11:43:24 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\yY1dDm.dat
[2011/03/02 09:29:17 | 000,090,112 | ---- | M] (Gakspmbil Eqeagscplpg) -- C:\WINDOWS\System32\usbmona.dll
[2011/03/02 09:29:17 | 000,090,112 | ---- | M] (Gakspmbil Eqeagscplpg) -- C:\WINDOWS\System32\ntlanuic.dll
[2011/03/02 09:27:10 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Lvome.bin
[2011/02/09 07:38:46 | 000,120,544 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/02/09 07:34:40 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/04 12:57:41 | 000,002,465 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Project.lnk
[2011/03/02 22:07:40 | 000,006,948 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\wgalonbackup.reg
[2011/03/02 19:34:50 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/03/02 19:34:50 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/03/02 19:34:50 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/03/02 19:34:50 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/03/02 19:34:50 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/03/02 19:25:56 | 004,279,013 | R--- | C] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2011/03/02 12:12:21 | 000,624,128 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr
[2011/03/02 11:43:24 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\yY1dDm.dat
[2011/03/02 09:29:18 | 000,000,324 | ---- | C] () -- C:\WINDOWS\tasks\Guqhkpjs.job
[2011/03/02 09:29:18 | 000,000,318 | ---- | C] () -- C:\WINDOWS\tasks\Atpltn.job
[2011/02/14 06:46:16 | 000,012,288 | ---- | C] () -- C:\Documents and Settings\Administrator\NymgoDataBase
[2010/12/05 06:21:00 | 000,001,161 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1022378510.dat
[2010/10/30 17:54:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Lvome.bin
[2010/10/30 17:54:27 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Vgilika.dat
[2010/04/09 09:41:13 | 000,008,450 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\B0V24IO6JL
[2010/04/09 09:41:13 | 000,008,450 | -HS- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\B0V24IO6JL
[2010/03/23 09:51:17 | 000,000,032 | ---- | C] () -- C:\WINDOWS\System32\inui09.dat
[2009/12/11 10:19:16 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/07/27 12:50:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/02/16 23:55:52 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/02/16 23:54:03 | 000,000,036 | -H-- | C] () -- C:\WINDOWS\System32\swk.ini
[2009/02/13 23:51:20 | 000,815,104 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/02/13 23:02:51 | 000,021,504 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/31 14:34:41 | 000,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2009/01/31 14:31:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NSREX.INI
[2009/01/31 10:00:43 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2008/11/06 08:37:32 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/11/06 08:33:02 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/07/04 17:02:34 | 000,000,025 | ---- | C] () -- C:\WINDOWS\mixerdef.ini
[2008/07/04 10:55:57 | 000,000,592 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/07/04 10:36:04 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/07/04 10:24:56 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/07/04 03:06:26 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/07/04 03:03:20 | 000,120,544 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/03 15:07:22 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/02 04:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2002/11/19 14:46:20 | 000,039,104 | ---- | C] () -- C:\WINDOWS\cmijack.dat
[2002/11/19 14:43:38 | 000,022,178 | ---- | C] () -- C:\WINDOWS\cmaudio.dat
[2002/04/01 18:45:50 | 000,047,616 | ---- | C] () -- C:\WINDOWS\System32\ODBCMON.DLL
[2001/08/23 04:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 04:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 04:00:00 | 000,432,686 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 04:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 04:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 04:00:00 | 000,067,516 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 04:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 04:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 04:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 04:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2001/06/21 15:21:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\NavLogon.dll
[2000/09/18 16:12:40 | 000,023,040 | ---- | C] () -- C:\WINDOWS\System32\CSSMS_IN.DLL
[1999/01/22 18:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >

#6 Shannon2012 (Security Colleague, North Carolina, USA)

Posted 10 March 2011 - 03:08 PM

Hi-

It looks like ComboFix did a good job. It does look like it removed a possible backdoor infection so I need to issue a warning. A backdoor trojan allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

If you wish to continue cleaning -

Before we start, please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti
When the Jotti page has finished loading, click Jotti's Browse button and navigate to the following file and click the Submit file button within Jotti.

C:\eclipse\eclipse.exe

If Jotti reports that the file has been scanned before and gives you those results, click on the Scan Again button.
Please post back the results of the scan in your next post.
If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Next, please download MBRCheck by clicking here and save it to your desktop.
  • Be sure to disable your security programs.
  • Double click on the file to run it.
  • A window will open on your desktop.
  • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter.
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
  • Please post the contents of that file in your next reply.

In your reply, please copy in the MBRCheck report, let me know how the Jotti upload went, and how your computer is doing now.
Shannon
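
MBRCheck, asked for above, reads the first sector of the physical disk, reports which partition the system volume sits in and hashes the boot code so it can be matched against known Windows MBR code. The script below is an added example, not part of this thread and not MBRCheck's own code, showing what that check consists of: validate the 0x55AA signature, walk the four partition-table entries, and compare a SHA-1 of the 440-byte bootstrap code against an allow-list. The sample MBR and its allow-list are constructed here for the example; the allow-list does not contain real Windows hashes, so a production run must be fed vendor-published digests.

```python
"""Added example: parse a raw 512-byte MBR the way an MBR-checking tool does.

Constructed sample data only. The allow-list passed to check_mbr() is the
caller's responsibility; SAMPLE_ALLOWLIST below is built from the sample
itself purely to demonstrate a "known bootcode" result.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 440          # bootstrap code; bytes 440-443 hold the disk signature
PART_TABLE_OFF = 446
PART_ENTRY_FMT = "<B3sB3sII"  # boot flag, CHS start, type, CHS end, start LBA, sector count
MBR_SIGNATURE = b"\x55\xAA"

PARTITION_TYPES = {0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)"}


def bootcode_sha1(mbr: bytes) -> str:
    """SHA-1 of the bootstrap code only, the part an allow-list should key on."""
    return hashlib.sha1(mbr[:BOOTCODE_LEN]).hexdigest().upper()


def parse_partitions(mbr: bytes) -> list:
    """Return the partition-table entries that are in use."""
    entries = []
    for index in range(4):
        offset = PART_TABLE_OFF + index * 16
        boot_flag, _chs_start, ptype, _chs_end, start_lba, count = struct.unpack_from(
            PART_ENTRY_FMT, mbr, offset)
        if ptype == 0:
            continue            # empty slot
        entries.append({
            "index": index,
            "bootable": boot_flag == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "start_lba": start_lba,
            "byte_offset": start_lba * SECTOR_SIZE,   # what MBRCheck prints as "at offset"
            "sectors": count,
        })
    return entries


def check_mbr(mbr: bytes, known_bootcode: set) -> dict:
    """Classify an MBR as invalid, known bootcode, or unknown bootcode."""
    if len(mbr) != SECTOR_SIZE or mbr[510:512] != MBR_SIGNATURE:
        return {"status": "invalid signature", "partitions": []}
    digest = bootcode_sha1(mbr)
    status = "known bootcode" if digest in known_bootcode else "unknown bootcode"
    disk_signature = struct.unpack_from("<I", mbr, BOOTCODE_LEN)[0]
    return {"status": status, "sha1": digest,
            "disk_signature": disk_signature, "partitions": parse_partitions(mbr)}


def build_sample_mbr() -> bytes:
    """Constructed MBR: stub bootcode and one bootable NTFS partition at LBA 63."""
    bootcode = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(BOOTCODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0xA1B2C3D4) + b"\x00\x00"
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF",
                        63, 39_070_017)
    table = entry + b"\x00" * (16 * 3)
    return bootcode + disk_sig + table + MBR_SIGNATURE


SAMPLE_MBR = build_sample_mbr()
SAMPLE_ALLOWLIST = {bootcode_sha1(SAMPLE_MBR)}   # stands in for a vendor-published hash
TAMPERED_MBR = bytearray(SAMPLE_MBR)
TAMPERED_MBR[0x10] ^= 0xFF                        # one byte patched inside the bootcode
TAMPERED_MBR = bytes(TAMPERED_MBR)

if __name__ == "__main__":
    for label, image in (("sample", SAMPLE_MBR), ("tampered", TAMPERED_MBR)):
        result = check_mbr(image, SAMPLE_ALLOWLIST)
        print(label, result["status"], result.get("sha1"))
        for part in result["partitions"]:
            print(f"  part {part['index']}: type 0x{part['type']:02X} ({part['type_name']}) "
                  f"at offset 0x{part['byte_offset']:X}")
```

On a live Windows box the input is `open(r"\\.\PhysicalDrive0", "rb").read(512)`, which needs an Administrator token. A one-byte change to the bootstrap code moves the MBR from "known" to "unknown" while the partition table still parses cleanly, which is exactly why a bootkit check hashes the code rather than inspecting the partition layout. The partition offset the sample produces, 0x7E00 (LBA 63), is the stock XP layout.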

#7 cad4567 (Topic Starter)

Posted 10 March 2011 - 06:14 PM

Hi Shannon,

I ran MBAM today and unfortunately I found two more viruses. I am attaching the log files of MBAM and awaiting your response. I would like to know the seriousness of the problem. As you mentioned, is reformat and reinstall the only option? After this check, I am seriously worried. The file eclipse.exe was checked and Jotti's response was "scan finished 0 out of 20 scanners reported malware" and VirusTotal reported 0/43. I am assuming it's okay. I am awaiting your next course of action.

Thanks again for your help.

David
=====================MBAM=====================


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6011

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/10/2011 2:26:47 PM
mbam-log-2011-03-10 (14-26-47).txt

Scan type: Full scan (C:\|)
Objects scanned: 266040
Time elapsed: 4 hour(s), 56 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\ntlanuic.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\usbmona.dll (Trojan.Agent) -> Quarantined and deleted successfully.

=====================MBRCheck=====================


MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000d

Kernel Drivers (total 112):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EF000 \WINDOWS\system32\hal.dll
0xF8A37000 \WINDOWS\system32\KDCOM.DLL
0xF8947000 \WINDOWS\system32\BOOTVID.dll
0xF8537000 xrgas.sys
0xF84E8000 ACPI.sys
0xF8A39000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF84D7000 pci.sys
0xF8547000 isapnp.sys
0xF8A3B000 intelide.sys
0xF87B7000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF8557000 MountMgr.sys
0xF84B8000 ftdisk.sys
0xF8A3D000 dmload.sys
0xF8492000 dmio.sys
0xF87BF000 PartMgr.sys
0xF8567000 VolSnap.sys
0xF847A000 atapi.sys
0xF8577000 disk.sys
0xF8587000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF845A000 fltmgr.sys
0xF8448000 sr.sys
0xF8597000 PxHelp20.sys
0xF8431000 KSecDD.sys
0xF83A4000 Ntfs.sys
0xF8377000 NDIS.sys
0xF835D000 Mup.sys
0xF8787000 \SystemRoot\system32\DRIVERS\p3.sys
0xF7EF6000 \SystemRoot\system32\DRIVERS\i81xnt5.sys
0xF7EE2000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7E85000 \SystemRoot\system32\drivers\cmaudio.sys
0xF7E61000 \SystemRoot\system32\drivers\portcls.sys
0xF8617000 \SystemRoot\system32\drivers\drmk.sys
0xF7E3E000 \SystemRoot\system32\drivers\ks.sys
0xF8797000 \SystemRoot\system32\DRIVERS\dc21x4.sys
0xF885F000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF7E2A000 \SystemRoot\system32\DRIVERS\parport.sys
0xF87A7000 \SystemRoot\system32\DRIVERS\serial.sys
0xF8329000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF85C7000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF8867000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF85D7000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF85E7000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF886F000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF7E06000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF8C82000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF85F7000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF8321000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF7DEF000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF8607000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF8627000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF8877000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF7DC0000 \SystemRoot\system32\DRIVERS\psched.sys
0xF8647000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF88B7000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF892F000 \SystemRoot\system32\DRIVERS\raspti.sys
0xEEC74000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7F1E000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF883F000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF8A75000 \SystemRoot\system32\DRIVERS\swenum.sys
0xEEC16000 \SystemRoot\system32\DRIVERS\update.sys
0xF0C16000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7023000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF8AA5000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7F3E000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF05B2000 \SystemRoot\system32\DRIVERS\gameenum.sys
0xF8917000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF8A9D000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF0458000 \SystemRoot\System32\Drivers\Null.SYS
0xF8A9F000 \SystemRoot\System32\Drivers\Beep.SYS
0xF88BF000 \SystemRoot\System32\drivers\vga.sys
0xF8AA1000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF8AD1000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF26E3000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF8887000 \SystemRoot\System32\Drivers\Npfs.SYS
0xEF563000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB67CD000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB6774000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB674C000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB672A000 \SystemRoot\System32\drivers\afd.sys
0xF6E1B000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB6708000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
0xF887F000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xB66DD000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB666D000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF8677000 \SystemRoot\System32\Drivers\Fips.SYS
0xB6647000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF64BB000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF8717000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF8937000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF8A13000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF2227000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF2247000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB662F000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF0352000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF8A1F000 \SystemRoot\System32\drivers\Dxapi.sys
0xF1A4F000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF8BE1000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\i81xdnt5.dll
0xBF0BE000 \SystemRoot\System32\ATMFD.DLL
0xF81F8000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB641B000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF8ACF000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB638A000 \SystemRoot\System32\Drivers\HTTP.sys
0xB6332000 \SystemRoot\system32\DRIVERS\srv.sys
0xF8AC3000 \??\C:\Program Files\NavNT\NAVAPEL.SYS
0xB6205000 \SystemRoot\system32\drivers\wdmaud.sys
0xF1ABF000 \SystemRoot\system32\drivers\sysaudio.sys
0xBF105000 \SystemRoot\System32\spool\DRIVERS\W32X86\2\olfdnt40.dll
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 45):
0 System Idle Process
4 System
336 C:\WINDOWS\system32\smss.exe
488 csrss.exe
516 C:\WINDOWS\system32\winlogon.exe
560 C:\WINDOWS\system32\services.exe
572 C:\WINDOWS\system32\lsass.exe
728 C:\WINDOWS\system32\svchost.exe
788 svchost.exe
852 C:\WINDOWS\system32\svchost.exe
900 svchost.exe
940 svchost.exe
1140 C:\WINDOWS\system32\spoolsv.exe
1224 svchost.exe
1284 C:\Program Files\NavNT\defwatch.exe
1340 C:\jdk1.6\java\bin\jqs.exe
1428 C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
1448 C:\Program Files\NavNT\rtvscan.exe
176 C:\WINDOWS\explorer.exe
980 C:\WINDOWS\system32\MSGSYS.EXE
1192 alg.exe
1656 C:\Program Files\NavNT\vptray.exe
1564 C:\WINDOWS\mixer.exe
1528 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
1940 C:\Program Files\Free Download Manager\fdm.exe
2056 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
2084 C:\Program Files\MP4 Player\Mp4Player.exe
2140 C:\WINDOWS\system32\ctfmon.exe
2200 C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
2216 C:\Sun\SDK\jdk\bin\javaw.exe
3228 C:\WINDOWS\system32\wuauclt.exe
3360 C:\WINDOWS\system32\notepad.exe
3492 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3612 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3704 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3736 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3764 C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
3772 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3832 C:\WINDOWS\system32\rundll32.exe
3956 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
4004 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
4036 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
1120 C:\Program Files\Microsoft Office\Office\WINWORD.EXE
192 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
2028 C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: Maxtor2B020H1, Rev: WAH21PB0

Size Device Name MBR Status
--------------------------------------------
19 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
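
The "Kernel Drivers" section of an MBRCheck report is worth more than a glance: entries shown by bare file name were loaded before the file system was up (boot-start drivers), and entries under `\??\C:\...` load from outside the Windows directory. The script below is an added example, not something from the thread or from MBRCheck, that parses those lines and sorts each driver into "baseline", "system path" or "review". The baseline of stock XP boot-start drivers is an assumption kept deliberately small for illustration, and the sample report is a constructed excerpt of the listing above. Run over David's full listing it would put xrgas.sys on the review list (a bare-name driver loaded right after the kernel that is not a stock XP driver) alongside PxHelp20.sys (a CD-burning helper) and the SUPERAntiSpyware and Norton drivers, which are legitimate third-party code: the output is a to-do list for hash lookups, not a verdict.

```python
"""Added example: triage the "Kernel Drivers" list that MBRCheck prints.

A "review" verdict means "look at this file (hash it, check the publisher)",
nothing more. XP_BOOT_DRIVERS is an assumed, minimal baseline, not an
authoritative list of every driver a stock XP SP3 machine may boot with.
"""
import re

# ASSUMPTION: bare-name boot-start drivers present on a stock XP SP3 install.
XP_BOOT_DRIVERS = {
    "acpi.sys", "pci.sys", "isapnp.sys", "intelide.sys", "mountmgr.sys", "ftdisk.sys",
    "dmload.sys", "dmio.sys", "partmgr.sys", "volsnap.sys", "atapi.sys", "disk.sys",
    "fltmgr.sys", "sr.sys", "ksecdd.sys", "ntfs.sys", "ndis.sys", "mup.sys",
}

LINE_RE = re.compile(r"^0x([0-9A-Fa-f]{8})\s+(.+?)\s*$")


def parse_driver_lines(text: str) -> list:
    """Yield (load address, path) for every 'address path' line in the report."""
    drivers = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            drivers.append((int(match.group(1), 16), match.group(2)))
    return drivers


def classify(path: str) -> str:
    lowered = path.lower()
    if "\\" not in lowered:
        # Bare name: a boot-start driver loaded before the volume was mounted.
        return "baseline" if lowered in XP_BOOT_DRIVERS else "review: boot-start driver not in baseline"
    if lowered.startswith("\\??\\"):
        lowered = lowered[4:]                        # \??\C:\... -> c:\...
        if "\\windows\\" in lowered:                 # Windows directory is C:\WINDOWS here
            return "system path"
        return "review: loaded from outside %SystemRoot%"
    if lowered.startswith(("\\systemroot\\", "\\windows\\")):
        return "system path"
    return "review: unexpected path"


def triage(text: str) -> list:
    """(address, path, verdict) for every driver line, in report order."""
    return [(addr, path, classify(path)) for addr, path in parse_driver_lines(text)]


def review_items(text: str) -> list:
    """Only the drivers that need a human look."""
    return [(path, verdict) for _addr, path, verdict in triage(text) if verdict.startswith("review")]


# Constructed excerpt of the MBRCheck listing posted above (nine of the 112 lines).
SAMPLE_REPORT = r"""
Kernel Drivers (total 112):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0xF8A37000 \WINDOWS\system32\KDCOM.DLL
0xF8537000 xrgas.sys
0xF84E8000 ACPI.sys
0xF8597000 PxHelp20.sys
0xF83A4000 Ntfs.sys
0xF8787000 \SystemRoot\system32\DRIVERS\p3.sys
0xB6708000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
0xF8AC3000 \??\C:\Program Files\NavNT\NAVAPEL.SYS
"""

if __name__ == "__main__":
    for addr, path, verdict in triage(SAMPLE_REPORT):
        print(f"0x{addr:08X} {verdict:45} {path}")
```

The bare-name test is the useful signal: a driver that loads that early runs before any security product's filter driver and is the natural home for a rootkit, so anything in that position that is not in the baseline gets hashed and looked up before the machine is declared clean.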

#8 Shannon2012 (Security Colleague, North Carolina, USA)

Posted 10 March 2011 - 08:39 PM

Hi-

Let's clean up a few more things. Thank you for Malwarebytes' Anti-Malware report. The MBRCheck was clean.

We need to run an OTL Fix.
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
:OTL
IE - HKU\S-1-5-21-1844237615-839522115-1708537768-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
[2011/03/02 09:29:18 | 000,000,324 | ---- | C] () -- C:\WINDOWS\tasks\Guqhkpjs.job
[2011/03/02 09:29:18 | 000,000,318 | ---- | C] () -- C:\WINDOWS\tasks\Atpltn.job
[2011/03/02 09:27:10 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Lvome.bin
  • Push Run Fix.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If you have to reboot, once back up, open the C:\_OTL\MovedFiles folder and copy the newest log into your next reply.

Your Java runtimes are out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version here - Java Runtime Environment (JRE) Version 6
  • Scroll down to where it says "JDK 6 Update 24 (JRE) ...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u24-windows-i586.exe to install the newest version.

In your reply, copy in the contents of the OTL fix report.
Shannon
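
The OTL fix above moves two scheduled-task files with random-looking names out of C:\WINDOWS\Tasks. Before a task like that is deleted, a responder usually wants to know what it launched, and on XP that means reading the binary .job format. The script below is an added example, not code from the thread or from OTL, that parses the layout Microsoft documents in MS-SCHED-JOB (a 68-byte fixed header, a running-instance count, then length-prefixed UTF-16LE strings for the application, parameters, working directory, author and comment) and applies a few triage rules. The two sample tasks, their paths and the triage rules are constructed assumptions for the example; they are not the contents of Guqhkpjs.job or Atpltn.job, which the thread never shows.

```python
"""Added example: read what a Windows XP scheduled-task .job file launches.

Layout per MS-SCHED-JOB: 68-byte fixed header, 2-byte running-instance count,
then length-prefixed UTF-16LE strings. The .job bytes are built here for the
example; the task command lines are invented.
"""
import struct
import uuid

FIXED_HEADER = "<HH16sHHHHHHIIIII16s"   # product ver, file ver, GUID, offsets, ..., last run time
FIXED_HEADER_LEN = struct.calcsize(FIXED_HEADER)   # 68
RUNNING_COUNT_LEN = 2


def _pack_str(text: str) -> bytes:
    """Length in UTF-16 characters (including the terminating null), then the chars."""
    if not text:
        return struct.pack("<H", 0)
    data = (text + "\x00").encode("utf-16-le")
    return struct.pack("<H", len(data) // 2) + data


def _read_str(buf: bytes, off: int):
    (nchars,) = struct.unpack_from("<H", buf, off)
    off += 2
    if nchars == 0:
        return "", off
    end = off + nchars * 2
    return buf[off:end].decode("utf-16-le").rstrip("\x00"), end


def parse_job(buf: bytes) -> dict:
    """Return the header fields and strings a triager cares about."""
    (_product_ver, _file_ver, guid, app_off, trig_off, _retry, _retry_iv, _idle_dl,
     _idle_wait, _priority, _max_run_ms, _exit_code, _status, flags,
     _last_run) = struct.unpack_from(FIXED_HEADER, buf, 0)
    if app_off != FIXED_HEADER_LEN + RUNNING_COUNT_LEN:
        raise ValueError("application-name offset does not follow the fixed header")
    off = app_off
    app, off = _read_str(buf, off)
    params, off = _read_str(buf, off)
    workdir, off = _read_str(buf, off)
    author, off = _read_str(buf, off)
    comment, off = _read_str(buf, off)
    return {"uuid": str(uuid.UUID(bytes_le=guid)), "application": app, "parameters": params,
            "working_dir": workdir, "author": author, "comment": comment, "flags": flags,
            "trigger_offset": trig_off, "strings_end": off}


def build_job(application, parameters, working_dir, author, comment) -> bytes:
    """Constructed .job with no triggers, user data or reserved data."""
    strings = b"".join(_pack_str(s) for s in (application, parameters, working_dir, author, comment))
    body = struct.pack("<H", 0) + strings            # running-instance count, then strings
    body += struct.pack("<H", 0) * 2                 # user data size 0, reserved data size 0
    trigger_off = FIXED_HEADER_LEN + len(body)
    body += struct.pack("<H", 0)                     # trigger count 0
    header = struct.pack(FIXED_HEADER, 0x0501, 0x0001, uuid.uuid4().bytes_le,
                         FIXED_HEADER_LEN + RUNNING_COUNT_LEN, trigger_off,
                         0, 0, 0, 0, 0x20, 259_200_000, 0, 0, 0, b"\x00" * 16)
    return header + body


# ASSUMPTION: simple triage rules; a hit means "look at the file", not "malware".
SUSPICIOUS_DIRS = ("\\local settings\\temp\\", "\\application data\\", "\\temp\\")


def triage_reasons(job: dict) -> list:
    reasons = []
    app = job["application"].lower()
    if not (len(app) > 2 and app[1] == ":" and app[2] == "\\"):
        reasons.append("application is not an absolute path")
    if any(d in app for d in SUSPICIOUS_DIRS):
        reasons.append("application lives under a user-writable data/temp directory")
    if not job["author"]:
        reasons.append("no author recorded")
    return reasons


# Constructed samples: one task that would be flagged, one that would not.
SAMPLE_JOB = build_job(r"C:\Documents and Settings\Administrator\Local Settings\Temp\updchk.exe",
                       "/silent", "", "", "")
BENIGN_JOB = build_job(r"C:\Program Files\Java\jre6\bin\jusched.exe", "",
                       r"C:\Program Files\Java\jre6\bin", r"TRIDENT\Administrator",
                       "Java update check")

if __name__ == "__main__":
    for label, data in (("sample", SAMPLE_JOB), ("benign", BENIGN_JOB)):
        job = parse_job(data)
        print(label, job["application"], job["parameters"], triage_reasons(job) or "no flags")
```

Pointed at a real file the call is `parse_job(open(r"C:\WINDOWS\Tasks\Guqhkpjs.job", "rb").read())`; the application string is what to hash and submit to a multi-engine scanner before the task is removed, because the .job file itself is only the pointer, not the payload.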

#9 cad4567 (Topic Starter)

Posted 10 March 2011 - 10:18 PM

Hi Shannon,

I ran the OTL fix as mentioned and the report is shown below


========== OTL ==========
HKU\S-1-5-21-1844237615-839522115-1708537768-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
C:\WINDOWS\tasks\Guqhkpjs.job moved successfully.
C:\WINDOWS\tasks\Atpltn.job moved successfully.
C:\WINDOWS\Lvome.bin moved successfully.

OTL by OldTimer - Version 3.2.22.3 log created on 03102011_181154


Removed all old Java environments and installed the new JRE and the JDK environment (JDK 6 Update 24).

I have a question. I have the Windows default firewall; is that enough, or do I need to get another firewall?

Thanks

David

#10 Shannon2012 (Security Colleague, North Carolina, USA)

Posted 11 March 2011 - 03:10 PM

Hi

"I have the Windows default firewall; is that enough, or do I need to get another firewall?"

No, that should be enough, especially if you are going through a router, since most routers now have a built-in firewall.

We need to see if we have cleaned up all the problems-

First, update and run Malwarebytes' Anti-Malware.

Next, I'd like for you to scan your machine with ESET OnlineScan
  • Hold down the Control key and click on the following link to open ESET OnlineScan in a new window.
  • ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip the next two steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use".
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check "Remove found threats".
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push "List of found threats".
  • Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Back button.
  • Push Finish.

In your reply, please copy in the MBAM report and the ESET OnlineScan report (if you get one). Let me know how the computer is doing.
Shannon

#11 cad4567 (Topic Starter)

Posted 13 March 2011 - 10:09 AM

Hi Shannon,

Both scans took more than 18 hours, so I was unable to report the status. MBAM reported after 7 hours that there were no threats. As mentioned in your last post, I downloaded ESET and ran the scan. The first time, at around 99%, the scanner was displaying 7 threats and I wrote down the threat list in case of any untoward incident. The threats are as follows:
1) Win32/Adware.AntimalwareDoctor.AE.GemApplication
2) Win32/Kryptik.KKDTrojan
3) Win32/Kryptik.LIRTrojan
4) Win32/Adware.AntimalwareDoctor.AE.GemApplication
5) Win32/Adware.AntimalwareDoctor.AE.GemApplication
6) Multiple threats
7) Multiple threats
As mentioned, at around 99%, when it was scanning the Windows directory, the system just went down. Unfortunately, I was not looking at the screen. The system didn't reboot itself; I had to restart the computer. I was not sure what transpired, so I ran ESET once again last night and this time it returned "No threats detected". Did the system remove the threats? Do these viruses exist on my machine? I will wait for your next course of action. Below is the MBAM report.

=================MBAM Report =======================

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6032

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/12/2011 7:42:16 AM
mbam-log-2011-03-12 (07-42-16).txt

Scan type: Full scan (C:\|)
Objects scanned: 258687
Time elapsed: 6 hour(s), 57 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 Shannon2012 (Security Colleague, North Carolina, USA)

Posted 14 March 2011 - 08:36 AM

David-

I suspect that ESET OnlineScan deleted all the ComboFix quarantined files. How is your computer running now?
Shannon

#13 cad4567 (Topic Starter)

Posted 14 March 2011 - 10:45 AM

Hi Shannon,

I don't think ESET deleted the ComboFix files. I am assuming that you are talking about the files in the Qoobox directory; the files are still present. I ran ESET once again overnight and it showed "no threats." I ran it to 61% and then stopped the AV check. One noticeable fact about my computer is that it is slow. I am going to run Disk Defragmenter; that is one of the possible reasons for my computer slowing down, which I noticed earlier. Is there any way of speeding it up?

Thanks,

David

#14 Shannon2012 (Security Colleague, North Carolina, USA)

Posted 14 March 2011 - 12:26 PM

Hi, David -

I thought we were about done, but it doesn't sound like it.

First, please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.7.0) from Kaspersky's website.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.

    To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.

  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

Next, if you still have the ComboFix.exe installed, please delete it, and download a fresh copy of Combofix from either of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: how-to-use-combofix

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable your Anti-virus


Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please copy the "C:\ComboFix.txt" into your reply.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Then, please download MBRCheck by clicking here and save it to your desktop.
  • Be sure to disable your security programs.
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt).
  • A window will open on your desktop.
  • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter.
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
  • Please post the contents of that file in your next reply.
In your reply, copy in the contents of the TDSSKiller, ComboFix, and MBRCheck reports.
Shannon

#15 cad4567 (Topic Starter)

Posted 14 March 2011 - 02:26 PM

Hi Shannon,

I ran TDSSKiller (version available was 2.4.21), Combofix and MBRCheck. The reports are shown below.

A question: is there a possibility that a virus is lurking, hidden within a file, but undetectable? Just curious.

Thanks

David

========================TDSSKiller==========================

2011/03/14 11:29:53.0678 4052 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/14 11:29:54.0029 4052 ================================================================================
2011/03/14 11:29:54.0029 4052 SystemInfo:
2011/03/14 11:29:54.0029 4052
2011/03/14 11:29:54.0029 4052 OS Version: 5.1.2600 ServicePack: 3.0
2011/03/14 11:29:54.0029 4052 Product type: Workstation
2011/03/14 11:29:54.0029 4052 ComputerName: TRIDENT
2011/03/14 11:29:54.0029 4052 UserName: Administrator
2011/03/14 11:29:54.0029 4052 Windows directory: C:\WINDOWS
2011/03/14 11:29:54.0029 4052 System windows directory: C:\WINDOWS
2011/03/14 11:29:54.0029 4052 Processor architecture: Intel x86
2011/03/14 11:29:54.0029 4052 Number of processors: 1
2011/03/14 11:29:54.0029 4052 Page size: 0x1000
2011/03/14 11:29:54.0029 4052 Boot type: Normal boot
2011/03/14 11:29:54.0029 4052 ================================================================================
2011/03/14 11:29:54.0449 4052 Initialize success
2011/03/14 11:30:01.0129 3856 ================================================================================
2011/03/14 11:30:01.0129 3856 Scan started
2011/03/14 11:30:01.0129 3856 Mode: Manual;
2011/03/14 11:30:01.0129 3856 ================================================================================
2011/03/14 11:30:03.0893 3856 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/03/14 11:30:04.0263 3856 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/03/14 11:30:05.0095 3856 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/03/14 11:30:05.0555 3856 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/03/14 11:30:09.0110 3856 ASPI (54ab078660e536da72b21a27f56b035b) C:\WINDOWS\System32\DRIVERS\ASPI32.sys
2011/03/14 11:30:09.0441 3856 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/03/14 11:30:09.0892 3856 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/03/14 11:30:11.0163 3856 ati2mtag (8759322ffc1a50569c1e5528ee8026b7) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/03/14 11:30:11.0854 3856 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/03/14 11:30:12.0255 3856 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/03/14 11:30:12.0605 3856 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/03/14 11:30:13.0286 3856 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/03/14 11:30:14.0108 3856 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/03/14 11:30:14.0919 3856 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/03/14 11:30:15.0329 3856 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/03/14 11:30:16.0681 3856 cmpci (e5842ccf0953d3d46d5e26427b67e901) C:\WINDOWS\system32\drivers\cmaudio.sys
2011/03/14 11:30:18.0314 3856 DC21x4 (bb005cb49d0638039703ac4f67fe0a05) C:\WINDOWS\system32\DRIVERS\dc21x4.sys
2011/03/14 11:30:18.0784 3856 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/03/14 11:30:19.0395 3856 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/03/14 11:30:20.0026 3856 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/03/14 11:30:20.0377 3856 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/03/14 11:30:20.0737 3856 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/03/14 11:30:21.0448 3856 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/03/14 11:30:22.0009 3856 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/03/14 11:30:22.0420 3856 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/03/14 11:30:22.0780 3856 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/03/14 11:30:23.0101 3856 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/03/14 11:30:23.0491 3856 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/03/14 11:30:23.0882 3856 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/03/14 11:30:24.0242 3856 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/03/14 11:30:24.0563 3856 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2011/03/14 11:30:24.0953 3856 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/03/14 11:30:25.0414 3856 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/03/14 11:30:26.0235 3856 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/03/14 11:30:27.0267 3856 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/03/14 11:30:27.0657 3856 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
2011/03/14 11:30:28.0148 3856 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
2011/03/14 11:30:28.0458 3856 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
2011/03/14 11:30:28.0769 3856 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
2011/03/14 11:30:29.0129 3856 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
2011/03/14 11:30:29.0490 3856 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
2011/03/14 11:30:29.0800 3856 iAimFP5 (0308aef61941e4af478fa1a0f83812f5) C:\WINDOWS\system32\DRIVERS\wADV07nt.sys
2011/03/14 11:30:30.0161 3856 iAimFP6 (714038a8aa5de08e12062202cd7eaeb5) C:\WINDOWS\system32\DRIVERS\wADV08nt.sys
2011/03/14 11:30:30.0471 3856 iAimFP7 (7bb3aa595e4507a788de1cdc63f4c8c4) C:\WINDOWS\system32\DRIVERS\wADV09nt.sys
2011/03/14 11:30:30.0782 3856 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
2011/03/14 11:30:31.0162 3856 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
2011/03/14 11:30:31.0493 3856 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
2011/03/14 11:30:31.0803 3856 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
2011/03/14 11:30:32.0164 3856 iAimTV5 (791cc45de6e50445be72e8ad6401ff45) C:\WINDOWS\system32\DRIVERS\wATV10nt.sys
2011/03/14 11:30:32.0484 3856 iAimTV6 (352fa0e98bc461ce1ce5d41f64db558d) C:\WINDOWS\system32\DRIVERS\wATV06nt.sys
2011/03/14 11:30:32.0905 3856 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/03/14 11:30:33.0616 3856 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/03/14 11:30:33.0916 3856 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/03/14 11:30:34.0277 3856 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/03/14 11:30:34.0587 3856 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/03/14 11:30:34.0938 3856 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/03/14 11:30:35.0338 3856 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/03/14 11:30:35.0669 3856 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/03/14 11:30:36.0039 3856 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/03/14 11:30:36.0400 3856 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/03/14 11:30:36.0810 3856 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/03/14 11:30:37.0181 3856 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/03/14 11:30:38.0192 3856 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/03/14 11:30:38.0553 3856 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/03/14 11:30:38.0873 3856 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/03/14 11:30:39.0254 3856 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/03/14 11:30:39.0574 3856 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/03/14 11:30:40.0315 3856 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/03/14 11:30:40.0806 3856 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/03/14 11:30:41.0477 3856 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/03/14 11:30:41.0817 3856 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/03/14 11:30:42.0138 3856 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/03/14 11:30:42.0508 3856 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/03/14 11:30:42.0819 3856 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/03/14 11:30:43.0209 3856 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/03/14 11:30:43.0580 3856 NAVAPEL (a4d2f4f1f61538d6f9b54b18e9b8e035) C:\Program Files\NavNT\NAVAPEL.SYS
2011/03/14 11:30:43.0961 3856 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/03/14 11:30:44.0421 3856 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/03/14 11:30:44.0722 3856 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/03/14 11:30:45.0062 3856 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/03/14 11:30:45.0423 3856 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/03/14 11:30:45.0783 3856 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/03/14 11:30:46.0104 3856 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/03/14 11:30:46.0755 3856 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/03/14 11:30:47.0345 3856 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/03/14 11:30:48.0097 3856 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/03/14 11:30:48.0467 3856 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/03/14 11:30:48.0818 3856 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/03/14 11:30:49.0148 3856 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
2011/03/14 11:30:49.0509 3856 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/03/14 11:30:49.0859 3856 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/03/14 11:30:50.0300 3856 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/03/14 11:30:50.0600 3856 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/03/14 11:30:51.0742 3856 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/03/14 11:30:54.0105 3856 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/03/14 11:30:54.0616 3856 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/03/14 11:30:54.0976 3856 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/03/14 11:30:55.0367 3856 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/03/14 11:30:57.0059 3856 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/03/14 11:30:57.0470 3856 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/03/14 11:30:57.0881 3856 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/03/14 11:30:58.0211 3856 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/03/14 11:30:58.0592 3856 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/03/14 11:30:58.0942 3856 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/03/14 11:30:59.0403 3856 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/03/14 11:30:59.0833 3856 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/03/14 11:31:00.0244 3856 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/03/14 11:31:00.0815 3856 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/03/14 11:31:01.0075 3856 SASENUM (7ce61c25c159f50f9eaf6d77fc83fa35) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
2011/03/14 11:31:01.0316 3856 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
2011/03/14 11:31:01.0916 3856 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/03/14 11:31:02.0317 3856 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/03/14 11:31:02.0748 3856 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/03/14 11:31:03.0208 3856 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/03/14 11:31:04.0330 3856 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/03/14 11:31:04.0750 3856 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/03/14 11:31:05.0251 3856 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/03/14 11:31:05.0832 3856 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/03/14 11:31:06.0162 3856 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/03/14 11:31:07.0114 3856 SymEvent (0944328114c35b90d3b7ec8b57eebf97) C:\Program Files\Symantec\SYMEVENT.SYS
2011/03/14 11:31:08.0045 3856 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/03/14 11:31:08.0596 3856 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/03/14 11:31:09.0087 3856 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/03/14 11:31:09.0417 3856 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/03/14 11:31:09.0738 3856 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/03/14 11:31:10.0559 3856 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/03/14 11:31:11.0320 3856 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/03/14 11:31:11.0911 3856 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/03/14 11:31:12.0241 3856 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/03/14 11:31:12.0632 3856 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/03/14 11:31:12.0972 3856 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/03/14 11:31:13.0293 3856 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/03/14 11:31:13.0964 3856 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/03/14 11:31:14.0494 3856 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/03/14 11:31:15.0105 3856 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/03/14 11:31:15.0977 3856 wsvad_driver (7b92708a738b36a42a5e242e2e857aae) C:\WINDOWS\system32\drivers\CapAudio.sys
2011/03/14 11:31:16.0407 3856 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/03/14 11:31:16.0858 3856 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/03/14 11:31:17.0569 3856 ================================================================================
2011/03/14 11:31:17.0569 3856 Scan finished
2011/03/14 11:31:17.0569 3856 ================================================================================


============================ComboFix Report =========================


ComboFix 11-03-13.02 - Administrator 03/14/2011 11:46:09.3.1 - x86
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-14 to 2011-03-14 )))))))))))))))))))))))))))))))
.
.
2011-03-12 16:20 . 2011-03-12 16:20 -------- d-----w- c:\program files\ESET
2011-03-12 00:20 . 2011-03-12 04:39 -------- d-----w- C:\InsertShoe
2011-03-11 02:54 . 2011-03-11 02:54 -------- d-----w- c:\program files\Common Files\Java
2011-03-11 02:53 . 2011-03-11 02:51 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-11 02:53 . 2011-03-11 02:51 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-03-11 02:53 . 2011-03-11 02:51 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-11 02:51 . 2011-03-11 02:58 -------- d-----w- c:\program files\Java
2011-03-11 02:11 . 2011-03-11 02:11 -------- d-----w- C:\_OTL
2011-03-08 05:47 . 2011-03-08 05:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Nymgo4.0
2011-03-04 19:16 . 2011-03-04 19:57 -------- d-----w- C:\MicrosoftProject
2011-03-02 20:23 . 2011-03-02 20:23 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-03-02 19:51 . 2011-03-02 19:51 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2011-03-02 19:51 . 2011-03-02 19:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2004-08-03 22:56 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-19 16:06 . 2011-01-19 16:06 1893138 ----a-w- C:\DotNetProjects.zip
2011-01-07 14:09 . 2004-08-03 22:56 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-03 21:17 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-03 22:56 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-21 02:09 . 2009-08-23 18:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 02:08 . 2009-08-23 18:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 23:59 . 2004-08-03 22:56 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2004-08-03 22:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:59 . 2004-08-03 22:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 17:26 . 2004-08-03 22:56 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-03 20:59 385024 ----a-w- c:\windows\system32\html.iec
1998-12-09 10:53 . 1998-12-09 10:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 10:53 . 1998-12-09 10:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 10:53 . 1998-12-09 10:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 10:53 . 1998-12-09 10:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 10:53 . 1998-12-09 10:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 10:53 . 1998-12-09 10:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Download Manager"="c:\program files\Free Download Manager\fdm.exe" [2009-01-31 3399727]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-01 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-14 39408]
"MP4 Player"="c:\program files\MP4 Player\mp4Player.exe" [2007-09-17 639488]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-26 2423752]
"NymgoInstallerPath"="c:\program files\Nymgo4.0\Nymgo.exe" [2011-03-01 2215424]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\program files\NavNT\vptray.exe" [2001-06-21 57344]
"C-Media Mixer"="Mixer.exe" [2002-10-16 1818624]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-06 19:55 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^YouTring.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\YouTring.lnk
backup=c:\windows\pss\YouTring.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\eclipse\\eclipse.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Dial91\\Dial91.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Cisco Packet Tracer 5.3.1\\bin\\PacketTracer5.exe"=
"c:\\NetBeans\\NetBeans 6.9.1\\bin\\netbeans.exe"=
"c:\\Program Files\\Nymgo4.0\\Nymgo.exe"=
"c:\\Studying in Canada\\KU\\StudyBook\\Second Semester\\Distributed Systems 3210 - Xing Lui\\DotNet Project\\Code\\RServer\\bin\\Debug\\RServer.vshost.exe"=
"c:\\Studying in Canada\\KU\\StudyBook\\Second Semester\\Distributed Systems 3210 - Xing Lui\\DotNet Project\\FirstDotNetCode\\Server\\ConsoleApplication1\\ConsoleApplication1\\bin\\Release\\ConsoleApplication1.exe"=
"c:\\DotNetProjects\\Second Deliverable\\Server\\Server\\bin\\Debug\\Server.vshost.exe"=
"c:\\DotNetProjects\\Second Deliverable\\SimpleConsoleBased\\Server\\Server\\bin\\Debug\\Server.vshost.exe"=
"c:\\DotNetProjects\\Third Deliverable\\Server\\Server\\bin\\Debug\\Server.vshost.exe"=
"c:\\DotNetProjects\\Third Deliverable\\SimpleConsoleBased\\Server\\Server\\bin\\Debug\\Server.vshost.exe"=
"c:\\DotNetProjects\\FourthDeliverable\\Server\\Server\\bin\\Debug\\Server.vshost.exe"=
"c:\\DotNetProjects\\FourthDeliverable\\Asynchronous\\server\\server\\bin\\Debug\\server.vshost.exe"=
"c:\\DotNetProjects\\FourthDeliverable\\OneWayCall\\Server\\Server\\bin\\Debug\\Server.vshost.exe"=
"c:\\DotNetProjects\\FourthDeliverable\\MultiServer\\Server\\Server\\bin\\Debug\\Server.vshost.exe"=
"c:\\DotNetProjects\\FourthDeliverable\\MultiServer\\Server1\\Server1\\bin\\Debug\\Server1.vshost.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_24\\bin\\java.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3306:TCP"= 3306:TCP:MySQL Server
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [8/5/2009 4:06 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 67656]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [8/25/2009 8:33 PM 88176]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2/14/2009 5:08 PM 16512]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 12872]
S3 wsvad_driver;iEffectsoft Audio;c:\windows\system32\drivers\CapAudio.sys [2/14/2009 4:57 PM 20480]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - klmd25
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-839522115-1708537768-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-01 06:04]
.
2011-03-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-839522115-1708537768-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-01 06:04]
.
2011-03-14 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-08-24 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Connection Wizard,ShellNext = iexplore
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jaywz1aj.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {B1714ED9-3D8D-457B-AABE-06B298923E05} - c:\documents and settings\Administrator\Local Settings\Application Data\{B1714ED9-3D8D-457B-AABE-06B298923E05}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-14 11:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.5\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.5\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1844237615-839522115-1708537768-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ad,6b,dc,ad,4b,31,c7,41,94,49,de,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ad,6b,dc,ad,4b,31,c7,41,94,49,de,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(512)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\NavLogon.dll
.
- - - - - - - > 'explorer.exe'(992)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-03-14 12:06:22
ComboFix-quarantined-files.txt 2011-03-14 19:06
ComboFix2.txt 2011-03-03 04:21
ComboFix3.txt 2009-08-23 15:27
.
Pre-Run: 2,283,077,632 bytes free
Post-Run: 2,278,772,736 bytes free
.
- - End Of File - - 45B5B4C1163305DB2BC06A8D24CF56A4

============================MBRCheck Report ========================

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000d

Kernel Drivers (total 113):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EF000 \WINDOWS\system32\hal.dll
0xF8A37000 \WINDOWS\system32\KDCOM.DLL
0xF8947000 \WINDOWS\system32\BOOTVID.dll
0xF84E8000 ACPI.sys
0xF8A39000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF84D7000 pci.sys
0xF8537000 isapnp.sys
0xF8A3B000 intelide.sys
0xF87B7000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF8547000 MountMgr.sys
0xF84B8000 ftdisk.sys
0xF8A3D000 dmload.sys
0xF8492000 dmio.sys
0xF87BF000 PartMgr.sys
0xF8557000 VolSnap.sys
0xF847A000 atapi.sys
0xF8567000 disk.sys
0xF8577000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF845A000 fltmgr.sys
0xF8448000 sr.sys
0xF8587000 PxHelp20.sys
0xF8431000 KSecDD.sys
0xF83A4000 Ntfs.sys
0xF8377000 NDIS.sys
0xF835D000 Mup.sys
0xF8627000 \SystemRoot\system32\DRIVERS\p3.sys
0xF7F0A000 \SystemRoot\system32\DRIVERS\i81xnt5.sys
0xF7EF6000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7E99000 \SystemRoot\system32\drivers\cmaudio.sys
0xF7E75000 \SystemRoot\system32\drivers\portcls.sys
0xF8637000 \SystemRoot\system32\drivers\drmk.sys
0xF7E52000 \SystemRoot\system32\drivers\ks.sys
0xF8647000 \SystemRoot\system32\DRIVERS\dc21x4.sys
0xF885F000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF7E3E000 \SystemRoot\system32\DRIVERS\parport.sys
0xF8657000 \SystemRoot\system32\DRIVERS\serial.sys
0xF89C3000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF8667000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF8867000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF8677000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF8687000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF886F000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF7E1A000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF8B2D000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF8697000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF89CB000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF7E03000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF86A7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF86C7000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF8877000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF7DF2000 \SystemRoot\system32\DRIVERS\psched.sys
0xF86D7000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF887F000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF8887000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7DA4000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF86F7000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF888F000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF8A71000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF7D2E000 \SystemRoot\system32\DRIVERS\update.sys
0xF89E3000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7FC2000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF8A77000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7FB2000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF81EC000 \SystemRoot\system32\DRIVERS\gameenum.sys
0xF8937000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF8A81000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF8C57000 \SystemRoot\System32\Drivers\Null.SYS
0xF8A83000 \SystemRoot\System32\Drivers\Beep.SYS
0xF8847000 \SystemRoot\System32\drivers\vga.sys
0xF8A85000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF8A87000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF8837000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF880F000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF8A2F000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF3830000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF37D7000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF37AF000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF378D000 \SystemRoot\System32\drivers\afd.sys
0xF3C66000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF376B000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
0xF8807000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xF36F0000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF3658000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF3C46000 \SystemRoot\System32\Drivers\Fips.SYS
0xF3617000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF332E000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF36D4000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF235A000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF1E5C000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF36C8000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF1CD2000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xEC32C000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF8AA1000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xEC9E9000 \SystemRoot\System32\drivers\Dxapi.sys
0xED306000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF8B00000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\i81xdnt5.dll
0xBF0BE000 \SystemRoot\System32\ATMFD.DLL
0xEE34C000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xBA7B3000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xBA79E000 \SystemRoot\system32\drivers\wdmaud.sys
0xF39D0000 \SystemRoot\system32\drivers\sysaudio.sys
0xF8A5D000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xBA5EF000 \SystemRoot\System32\Drivers\HTTP.sys
0xBA56F000 \SystemRoot\system32\DRIVERS\srv.sys
0xF8ACF000 \??\C:\Program Files\NavNT\NAVAPEL.SYS
0xBF105000 \SystemRoot\System32\spool\DRIVERS\W32X86\2\olfdnt40.dll
0xED055000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0xEC43D000 \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 41):
0 System Idle Process
4 System
436 C:\WINDOWS\system32\smss.exe
488 csrss.exe
512 C:\WINDOWS\system32\winlogon.exe
556 C:\WINDOWS\system32\services.exe
568 C:\WINDOWS\system32\lsass.exe
728 C:\WINDOWS\system32\svchost.exe
788 svchost.exe
852 C:\WINDOWS\system32\svchost.exe
940 svchost.exe
1008 svchost.exe
1136 C:\WINDOWS\system32\spoolsv.exe
1252 svchost.exe
1516 C:\Program Files\NavNT\defwatch.exe
1584 C:\Program Files\Java\jre6\bin\jqs.exe
1608 C:\PROGRA~1\McAfee\SITEAD~1\McSACore.exe
1668 C:\Program Files\MySQL\MySQL Server 5.5\bin\mysqld.exe
1732 C:\Program Files\NavNT\rtvscan.exe
832 C:\Program Files\NavNT\vptray.exe
876 C:\WINDOWS\system32\MSGSYS.EXE
912 C:\WINDOWS\mixer.exe
784 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
604 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1268 C:\Program Files\Free Download Manager\fdm.exe
1320 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
1336 C:\Program Files\MP4 Player\Mp4Player.exe
1640 C:\WINDOWS\system32\ctfmon.exe
1756 C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
2280 C:\WINDOWS\system32\rundll32.exe
2384 alg.exe
1488 C:\Program Files\Java\jdk1.6.0_24\bin\java.exe
3612 C:\WINDOWS\system32\wuauclt.exe
992 C:\WINDOWS\explorer.exe
1036 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3268 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
148 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
2928 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3400 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3372 C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
2252 C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: Maxtor2B020H1, Rev: WAH21PB0

Size Device Name MBR Status
--------------------------------------------
19 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
