
Virtumonde Virus found


  • This topic is locked
27 replies to this topic

#1 infinite12


Posted 15 March 2011 - 09:45 AM

Good day everyone,

I have a Toshiba laptop with Windows XP Pro SP2 installed and I have done numerous scans with Malwarebytes, SUPERAntiSpyware and the ESET online scan. I have come up with this in each scan: Win32/Adware.Virtumonde.NEO application. I have run the scans again after the quarantine and removal and it still appears in the ESET online scan.

I have tried to run Combofix but it freezes each time I run it. I am not touching anything on the computer when it is running.

I have read lots of different sites on how to remove, but no luck YET.

Could someone please assist me in getting this frustration off my computer. My browsers were hijacked, but since running these scans, I have been able to get back on the browser. I typically use chrome and firefox.

Thanks for your time in reading this, again any help is appreciated.

Edited by hamluis, 15 March 2011 - 11:20 AM.
Moved from XP forum to Am I Infected.



#2 OzonedMan


Posted 15 March 2011 - 11:51 AM

First the caveat: running tools such as Combofix (and the others I mention) without fully understanding how they work can make a bigger mess than you have now.
The freezing of Combofix may be due to the malware; changing the name of the file before you run it sometimes works.

This is assuming you are familiar with unzipping files and unchecking all the extra crap when installing some freeware.
Have you run any of the removal tools in safe mode? If not, do so; many times the trojans don't start and cannot give you problems.
Have you run a cleaner such as CCleaner or PureRa? This gets rid of all the temp files the trojans and viruses use to regenerate.
Have you run TDSSKiller (from Kaspersky) to be sure any rootkits are removed?
Then run Combofix in safe mode, followed by Malwarebytes.
Get the SP3 update and install it when the cleaning is done.

#3 SweetTech


Posted 15 March 2011 - 12:06 PM

@OzonedMan,

Please be sure to read this topic here: http://www.bleepingcomputer.com/forums/topic383782.html

Snippet from that link:

Posting instructions for the use of the following by non-staff members is prohibited in this area, as well as in all other areas of the forums. This list contains tools and procedures that are forbidden, the instructions for using similar tools or procedures should not be posted here, or elsewhere on Bleeping Computer forums, without prior Staff approval.

  • ComboFix instructions or discussion.


I realize your intentions may be good, but we don't allow the discussion of tools like TDSSKiller and ComboFix in every forum. Instructions and discussions of those tools are only allowed in the Malware Removal forum, and only allowed to be given by a trained malware helper.

@infinite12,

Please post the contents of the ESET Online Scanner, SuperAntiSpyware, and MalwareBytes' Anti-Malware logs.

Edited by SweetTech, 15 March 2011 - 12:09 PM.

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#4 OzonedMan


Posted 15 March 2011 - 12:20 PM

Correction is accepted, I overstepped.
I use these tools daily, and tend to forget the possible results if done incorrectly. :oopsign:

#5 infinite12


Posted 15 March 2011 - 12:21 PM

Ok,

Thanks for the prompt replies!!

Malwarebytes did not show a log when I first ran it and found the virus.

Here is the Eset online scan log.


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=1
esets_scanner_update returned -1 esets_gle=1
# version=7
# iexplore.exe=7.00.6000.16945 (vista_gdr.091027-0049)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=ccbeb283c1d22f4385c7570ad7c847f7
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-03-15 03:24:44
# local_time=2011-03-14 11:24:44 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1797 16774105 100 100 37927464 75649964 0 0
# compatibility_mode=8192 67108863 100 0 27143811 27143811 0 0
# scanned=74717
# found=1
# cleaned=1
# scan_time=7148
C:\WINDOWS\system32\ututv.bak1 Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


The other scans did not produce a log. I looked everywhere.

Hope this helps.

Thanks,

M

#6 infinite12


Posted 15 March 2011 - 12:28 PM

Also, @ OzonedMan

Thanks for the reply.

I did perform the scans in both safe mode and normal mode. Some scans would not run in safe mode for some reason. I ran them in normal mode, then again in safe mode.

I have used Ccleaner as well. Use regularly on most of my computers. Have not run TDSSkiller. Will wait to hear from one of the Staff members before using according to their guidelines.

Thanks for your help.

#7 SweetTech


Posted 15 March 2011 - 12:29 PM

You can locate the MBAM log by following these directions:

Make sure you find the log file where it showed the infection being removed.

Malwarebytes' Anti-Malware

  • Open Malwarebytes' Anti-Malware
  • Select the Logs tab
  • Click on the latest log. The bottom most log is the latest
  • Click Open
  • Notepad will open. Please post this log in your next reply.



#8 infinite12


Posted 15 March 2011 - 12:37 PM

@SweetTech

I ran Malwarebytes at least 5 times and this is the only log file that shows. Note that no virus was located on March 13th, but ESET was run on the 14th and found it.

Malwarebytes log:


Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 2

3/13/2011 10:25:37 PM
mbam-log-2011-03-13 (22-25-37).txt

Scan type: Full Scan (C:\|)
Objects scanned: 57808
Time elapsed: 12 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Hope this helps,

M

#9 SweetTech


Posted 15 March 2011 - 12:40 PM

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 2

This would be why nothing is being found.

You're using a program version of MBAM that is 14 versions out of date.

You're also using a database version that is about 4500 versions out of date.

We need to update it to the latest version:

The latest version is 1.50.1.1100 and latest database version as of posting this is 6058


Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer; could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan.
  • Leave the default options as they are and click on Start Scan.
  • When done, you will be prompted. Click OK, then click on Show Results.
  • Check (tick) all items and click on Remove Selected.
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom-most log is the latest.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT:



Please let me know what issues you're still experiencing with your computer in your next reply.


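The check SweetTech makes by eye above (a clean MBAM log from an engine and database far behind current proves little) together with the ESET detection line from post #5, as an added Python example; this is not code from BleepingComputer or from the tool vendors, the log layouts are inferred from the logs quoted in this thread, and the "latest" version numbers are the ones given in post #9 rather than looked up live.

```python
"""Checks the helper in this thread does by eye, as code: is the MBAM engine or
database out of date (so a clean log proves little), and what did the ESET
Online Scanner actually find?  Added example; log layouts are inferred from the
logs quoted in this thread, and the 'latest' version numbers are the ones
SweetTech gives in post #9, not looked up live."""
import re
from dataclasses import dataclass, field

# Latest MBAM program/database versions as stated in the thread on 15 March 2011.
LATEST_MBAM_PROGRAM = "1.50.1.1100"
LATEST_MBAM_DATABASE = 6058

# Trimmed copies of the logs posted above (MBAM from post #8, ESET from post #5).
MBAM_LOG_POST8 = """Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 2

Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 0

Files Infected:
(No malicious items detected)
"""
ESET_LOG_POST5 = r"""# version=7
# osver=5.1.2600 NT Service Pack 2
# scanned=74717
# found=1
# cleaned=1
C:\WINDOWS\system32\ututv.bak1 Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""


@dataclass
class MbamReport:
    program: str
    database: int
    counts: dict = field(default_factory=dict)  # e.g. "Files Infected" -> 0

    def total_infected(self) -> int:
        return sum(self.counts.values())


def version_tuple(v: str) -> tuple:
    """'1.50.1.1100' -> (1, 50, 1, 1100) so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))


def parse_mbam(text: str) -> MbamReport:
    prog = re.search(r"^Malwarebytes' Anti-Malware ([\d.]+)\s*$", text, re.M)
    db = re.search(r"^Database version: (\d+)\s*$", text, re.M)
    if not (prog and db):
        raise ValueError("not an MBAM 1.x log")
    # Only the summary lines carry a number; the detail headings further down do not.
    counts = {k: int(v) for k, v in
              re.findall(r"^([A-Za-z ]+ Infected): (\d+)\s*$", text, re.M)}
    return MbamReport(prog.group(1), int(db.group(1)), counts)


def mbam_problems(rep: MbamReport) -> list:
    """Reasons a clean MBAM log should not be trusted yet."""
    probs = []
    if version_tuple(rep.program) < version_tuple(LATEST_MBAM_PROGRAM):
        probs.append(f"program {rep.program} is older than {LATEST_MBAM_PROGRAM}")
    if rep.database < LATEST_MBAM_DATABASE:
        probs.append(f"database {rep.database} is "
                     f"{LATEST_MBAM_DATABASE - rep.database} releases behind")
    return probs


# A detection line: <path> <threat name> [<kind>] (<action>) <32-hex md5> <flag>.
# The threat is anchored on its "Family/Name" token so a path containing spaces
# (e.g. C:\Program Files\...) is not split in the wrong place.
ESET_DETECTION = re.compile(
    r"^(?P<path>.+?) (?P<threat>(?:(?:probably )?a variant of )?\S+/\S+(?: \S+)?) "
    r"\((?P<action>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32}) \S+$", re.M)


def parse_eset(text: str) -> tuple:
    """Return ({header key: value}, [detection dicts]) from an ESET Online Scanner log."""
    header = dict(re.findall(r"^# (\w+)=(.*)$", text, re.M))
    hits = [m.groupdict() for m in ESET_DETECTION.finditer(text)]
    return header, hits


def triage(mbam_text: str, eset_text: str) -> dict:
    """Combine both logs the way the thread does: a clean MBAM result only counts
    if the scanner was current, and ESET's hit is what needs following up."""
    rep = parse_mbam(mbam_text)
    header, hits = parse_eset(eset_text)
    stale = mbam_problems(rep)
    return {
        "mbam_trustworthy": not stale and rep.total_infected() == 0,
        "mbam_problems": stale,
        "eset_found": int(header.get("found", 0)),
        "eset_detections": [f"{h['path']}: {h['threat']} ({h['action']})" for h in hits],
    }


if __name__ == "__main__":
    for key, value in triage(MBAM_LOG_POST8, ESET_LOG_POST5).items():
        print(f"{key}: {value}")
```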

#10 infinite12


Posted 15 March 2011 - 01:05 PM

Malwarebytes Most Current Scan Log:


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

3/15/2011 2:00:05 PM
mbam-log-2011-03-15 (14-00-05).txt

Scan type: Quick scan
Objects scanned: 123753
Time elapsed: 6 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I rebooted, and after the scan the computer is still very slow and sluggish. It takes Chrome about 1-2 minutes to come up. This was not the case prior to the virus. I will install SP3 once I am sure the virus is gone.

Any further things I should do??

Thanks!!!

#11 SweetTech


Posted 15 March 2011 - 01:07 PM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

It's still outdated. Please check for updates until you get to the latest program and database version.

Let me grab some additional scans from you as well.

This thread will be moved to the Malware forum shortly.


Rootkit UnHooker (RkU)
Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".



NEXT:



Running OTL

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double-click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized



#12 infinite12


Posted 15 March 2011 - 01:36 PM

Most current Malwarebytes after updating.

LOG:


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6067

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

3/15/2011 2:23:12 PM
mbam-log-2011-03-15 (14-23-12).txt

Scan type: Quick scan
Objects scanned: 150265
Time elapsed: 8 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


RootKit UnHooker log


RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 2)
Number of processors #2
==============================================
>Drivers
==============================================
==============================================
>Stealth
==============================================
0x009D0000 Hidden Image-->CFScan.dll [ EPROCESS 0x84AAF600 ] PID: 280, 45056 bytes


OTL.txt

OTL logfile created on: 3/15/2011 2:31:42 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\michael\My Documents\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

447.00 Mb Total Physical Memory | 170.00 Mb Available Physical Memory | 38.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 59.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.89 Gb Total Space | 38.50 Gb Free Space | 68.88% Space Free | Partition Type: NTFS

Computer Name: ACE | User Name: michael | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/15 14:18:00 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\michael\My Documents\Downloads\OTL.exe
PRC - [2011/03/11 02:50:03 | 001,004,088 | ---- | M] (Google Inc.) -- C:\Documents and Settings\michael\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2009/07/21 14:34:33 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/05/13 16:48:22 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/02 13:08:47 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2008/12/09 16:01:22 | 000,024,576 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2008/05/23 17:54:38 | 000,118,784 | ---- | M] (Bytemobile, Inc.) -- C:\WINDOWS\system32\bmwebcfg.exe
PRC - [2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/02/14 15:27:34 | 003,497,984 | ---- | M] () -- C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
PRC - [2004/05/20 13:21:10 | 000,135,168 | ---- | M] (COMPAL ELECTRONIC INC.) -- C:\Program Files\Toshiba\Power Management\CePMTray.exe
PRC - [2004/05/14 13:29:50 | 000,712,704 | ---- | M] (Dritek System Inc.) -- C:\Program Files\EzButton\EzButton.EXE
PRC - [2004/05/13 17:46:02 | 000,053,248 | ---- | M] () -- c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
PRC - [2004/05/06 16:12:40 | 000,638,976 | ---- | M] (COMPAL ELECTRONIC INC.) -- C:\Program Files\Toshiba\E-KEY\CeEKey.exe
PRC - [2004/04/09 20:54:44 | 000,020,480 | ---- | M] () -- C:\WINDOWS\system32\acs.exe
PRC - [2004/03/15 14:17:54 | 000,053,248 | ---- | M] (COMPAL ELECTRONIC INC.) -- C:\Program Files\Toshiba\TouchPad\TPTray.exe
PRC - [2004/03/04 19:41:08 | 000,028,672 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
PRC - [2004/02/03 17:47:06 | 001,089,589 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\Touch and Launch\PadExe.exe
PRC - [2004/01/08 12:50:28 | 000,036,973 | ---- | M] (COMPAL ELECTRONIC INC.) -- C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
PRC - [2003/09/05 06:24:46 | 000,065,536 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
PRC - [2003/08/06 19:58:26 | 001,376,360 | ---- | M] (America Online, Inc.) -- C:\Program Files\Common Files\AOL\ACS\acsd.exe
PRC - [2003/05/23 16:38:26 | 000,106,496 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\DVDRAMSV.exe
PRC - [2003/03/14 14:38:12 | 000,155,648 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\RAMASST.exe
PRC - [2003/01/10 20:13:04 | 000,065,536 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\wanmpsvc.exe
PRC - [2001/09/10 19:08:50 | 000,032,256 | ---- | M] (C-Dilla Ltd) -- C:\WINDOWS\system32\drivers\CDANTSRV.EXE


========== Modules (SafeList) ==========

MOD - [2011/03/15 14:18:00 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\michael\My Documents\Downloads\OTL.exe
MOD - [2006/08/25 11:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (PEVSystemStart)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2009/08/07 12:43:04 | 000,045,816 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2009/07/21 14:34:33 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/05/13 16:48:22 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2008/12/09 16:01:22 | 000,024,576 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2008/11/18 16:45:28 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2008/05/23 18:01:54 | 000,106,496 | ---- | M] (PCTEL) [On_Demand | Stopped] -- C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe -- (ATTRcAppSvc)
SRV - [2008/05/23 17:54:38 | 000,118,784 | ---- | M] (Bytemobile, Inc.) [Auto | Running] -- C:\WINDOWS\System32\bmwebcfg.exe -- (bmwebcfg)
SRV - [2007/06/29 06:07:22 | 001,242,432 | ---- | M] (Famatech International Corp.) [On_Demand | Stopped] -- C:\WINDOWS\System32\rserver30\RServer3.exe -- (RServer3)
SRV - [2007/02/14 13:43:44 | 000,852,984 | ---- | M] (RealVNC Ltd.) [Auto | Stopped] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)
SRV - [2005/02/14 15:27:34 | 003,497,984 | ---- | M] () [Auto | Running] -- C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe -- (MySQL)
SRV - [2004/05/13 17:46:02 | 000,053,248 | ---- | M] () [Auto | Running] -- c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2004/04/09 20:54:44 | 000,020,480 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (ACS)
SRV - [2004/03/04 19:41:08 | 000,028,672 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2004/01/08 12:50:28 | 000,036,973 | ---- | M] (COMPAL ELECTRONIC INC.) [Auto | Running] -- C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe -- (CeEPwrSvc)
SRV - [2003/08/06 19:58:26 | 001,376,360 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\Program Files\Common Files\AOL\ACS\acsd.exe -- (AOL ACS)
SRV - [2003/05/23 16:38:26 | 000,106,496 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) [Auto | Running] -- C:\WINDOWS\system32\DVDRAMSV.exe -- (DVD-RAM_Service)
SRV - [2003/03/09 22:31:02 | 000,065,795 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2003/01/10 20:13:04 | 000,065,536 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\WINDOWS\wanmpsvc.exe -- (WANMiniportService) WAN Miniport (ATW)
SRV - [2001/09/10 19:08:50 | 000,032,256 | ---- | M] (C-Dilla Ltd) [Auto | Running] -- C:\WINDOWS\system32\drivers\CDANTSRV.EXE -- (C-DillaSrv)


========== Driver Services (SafeList) ==========

DRV - [2011/03/14 21:45:57 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/03/02 22:15:52 | 000,022,016 | ---- | M] () [File_System | System | Running] -- C:\WINDOWS\system32\drivers\1UnHooker.sys -- (1UnHooker)
DRV - [2009/05/11 10:12:24 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/30 10:33:07 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/02/13 12:35:05 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/01/03 12:19:38 | 000,026,504 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\swmsflt.sys -- (swmsflt)
DRV - [2008/05/23 17:54:38 | 000,018,816 | ---- | M] (Bytemobile, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\tcpipBM.sys -- (tcpipBM)
DRV - [2008/05/23 17:52:54 | 000,032,160 | ---- | M] (PCTEL Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\PCTINDIS5.sys -- (PCTINDIS5)
DRV - [2008/05/23 17:52:54 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PCASp50.sys -- (PCASp50)
DRV - [2008/01/10 17:59:44 | 000,142,976 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\swumx80.sys -- (SWUMX80) Sierra Wireless USB MUX Driver (UMTS80)
DRV - [2008/01/10 17:58:48 | 000,165,248 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\swnc8u80.sys -- (SWNC8U80) Sierra Wireless MUX NDIS Driver (UMTS80)
DRV - [2007/06/29 04:10:46 | 000,040,640 | ---- | M] (Famatech International Corp.) [Kernel | System | Running] -- C:\WINDOWS\system32\rserver30\raddrvv3.sys -- (raddrvv3)
DRV - [2006/11/01 06:01:56 | 000,003,328 | ---- | M] (Famatech International Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rminiv3.sys -- (mirrorv3)
DRV - [2006/08/24 23:47:00 | 000,002,560 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2006/08/24 23:47:00 | 000,002,432 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2004/08/04 01:31:32 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/05/28 14:45:02 | 000,390,944 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2004/05/21 18:30:34 | 000,015,781 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdc8021x.sys -- (MDC8021X) AEGIS Protocol (IEEE 802.1x)
DRV - [2004/05/20 14:30:03 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2004/05/20 14:21:46 | 000,004,224 | ---- | M] (Compal Electronic Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hkdrv.sys -- (EPOWER)
DRV - [2004/05/18 20:36:20 | 000,036,224 | ---- | M] (ENE Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ESD7SK.sys -- (ESDCR)
DRV - [2004/05/18 18:05:26 | 000,057,216 | ---- | M] (ENE Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EMS7SK.sys -- (EMSCR)
DRV - [2004/05/11 12:53:44 | 000,330,496 | ---- | M] (ENE Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ESM7SK.sys -- (ESMCR)
DRV - [2004/05/08 23:38:06 | 000,101,833 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2004/05/06 16:40:08 | 000,004,816 | ---- | M] (TOSHIBA ) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ECioctl.sys -- (ECioctl)
DRV - [2004/05/05 17:53:10 | 000,006,272 | ---- | M] (COMPAL ELECTRONIC INC.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SSIOMngr.sys -- (SrvcSSIOMngr)
DRV - [2004/05/05 17:53:08 | 000,006,272 | ---- | M] (COMPAL ELECTRONIC INC.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPIOMngr.sys -- (SrvcTPIOMngr)
DRV - [2004/05/05 17:53:08 | 000,006,272 | ---- | M] (COMPAL ELECTRONIC INC.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\EPIOMngr.sys -- (SrvcEPIOMngr)
DRV - [2004/05/05 17:53:08 | 000,006,272 | ---- | M] (COMPAL ELECTRONIC INC.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\EKIOMngr.sys -- (SrvcEKIOMngr)
DRV - [2004/04/22 02:11:06 | 000,729,088 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/02/20 18:00:44 | 001,265,388 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2004/02/19 02:51:08 | 000,610,988 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2003/12/12 02:54:14 | 000,391,424 | ---- | M] (Sensaura Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2003/10/24 16:53:14 | 000,090,416 | ---- | M] (Matsushita Electric Industrial Co.,Ltd.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\meiudf.sys -- (meiudf)
DRV - [2003/08/13 18:27:22 | 000,065,280 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnic51.sys -- (RTL8023)
DRV - [2003/06/11 11:53:22 | 000,006,867 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tbiosdrv.sys -- (TBiosDrv)
DRV - [2003/04/23 18:06:40 | 000,013,174 | ---- | M] (ATI Technologies Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\atisgkaf.sys -- (caboagp)
DRV - [2003/01/29 17:35:00 | 000,012,032 | ---- | M] (TOSHIBA Corporation.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Netdevio.sys -- (Netdevio)
DRV - [2003/01/10 20:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2001/09/10 19:09:46 | 000,057,392 | ---- | M] (Macrovision) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CDANT.SYS -- (C-Dilla)
DRV - [2001/08/17 15:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://toshibadirect.com/
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://toshibadirect.com/
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1365650342-2673804759-2387553370-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
IE - HKU\S-1-5-21-1365650342-2673804759-2387553370-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.defaulturl: "http://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p="
FF - prefs.js..network.proxy.type: 1

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/04/24 00:43:34 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/20 05:39:07 | 000,000,000 | ---D | M]

[2009/04/24 19:35:17 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\michael\Application Data\Mozilla\Extensions
[2009/04/24 19:35:17 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\michael\Application Data\Mozilla\Extensions\songbird@songbirdnest.com
[2011/03/14 18:07:41 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\michael\Application Data\Mozilla\Firefox\Profiles\b3gzntr9.default\extensions
[2006/10/08 10:54:29 | 000,000,000 | ---D | M] ("Silver Skin") -- C:\Documents and Settings\michael\Application Data\Mozilla\Firefox\Profiles\b3gzntr9.default\extensions\{2A10B180-05EF-11D9-8C50-444553540001}
[2007/05/01 19:45:04 | 000,000,000 | ---D | M] ("FoxyTunes") -- C:\Documents and Settings\michael\Application Data\Mozilla\Firefox\Profiles\b3gzntr9.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}
[2006/10/10 10:01:05 | 000,000,000 | ---D | M] (Walnut for Firefox) -- C:\Documents and Settings\michael\Application Data\Mozilla\Firefox\Profiles\b3gzntr9.default\extensions\{5A170DD3-63CA-4c58-93B7-DE9FF536C2FF}
[2007/05/24 23:21:59 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\michael\Application Data\Mozilla\Firefox\Profiles\b3gzntr9.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2007/05/01 19:44:39 | 000,000,000 | ---D | M] ("Redshift V2") -- C:\Documents and Settings\michael\Application Data\Mozilla\Firefox\Profiles\b3gzntr9.default\extensions\redshift_V2@shift-themes.com
[2009/04/24 00:38:56 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2009/01/25 21:33:04 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2006/10/08 10:55:51 | 002,078,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll

O1 HOSTS File: ([2003/03/31 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar2.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar2.dll (Google Inc.)
O3 - HKU\S-1-5-21-1365650342-2673804759-2387553370-1005\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1365650342-2673804759-2387553370-1005\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar2.dll (Google Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [CeEKEY] C:\Program Files\Toshiba\E-KEY\CeEKey.exe (COMPAL ELECTRONIC INC.)
O4 - HKLM..\Run: [CeEPOWER] C:\Program Files\Toshiba\Power Management\CePMTray.exe (COMPAL ELECTRONIC INC.)
O4 - HKLM..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE (Dritek System Inc.)
O4 - HKLM..\Run: [PadTouch] C:\Program Files\Toshiba\Touch and Launch\PadExe.exe (TOSHIBA)
O4 - HKLM..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TPNF] C:\Program Files\Toshiba\TouchPad\TPTray.exe (COMPAL ELECTRONIC INC.)
O4 - HKU\S-1-5-21-1365650342-2673804759-2387553370-1005..\Run: [TOSCDSPD] C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe (TOSHIBA)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe (Matsushita Electric Industrial Co., Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1365650342-2673804759-2387553370-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1365650342-2673804759-2387553370-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1365650342-2673804759-2387553370-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB (TmHcmsX Control)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} https://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab (LogMeIn Rescue Technician Console)
O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01.cab (FixController Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159072727181 (WUWebControl Class)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (Reg Error: Key error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161744160453 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} http://imlive.com/chatsource/ImlCID.cab (imlUCID Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1233928409160&h=4c24bc4303e715a47db7aef4ce0efbfb/&filename=jinstall-6u11-windows-i586-jc.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} http://72.240.51.213/activex/AxisCamControl.cab (CamImage Class)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab (Java Plug-in 1.5.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\intu-help-qb2 {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/05/14 17:13:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{0672c5f0-b117-11de-a647-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{0672c5f0-b117-11de-a647-00038a000015}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{0672c5f0-b117-11de-a647-00038a000015}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\{18053541-c35f-11de-a649-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{18053541-c35f-11de-a649-00038a000015}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{18053541-c35f-11de-a649-00038a000015}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
O33 - MountPoints2\{2d1b5a1a-d9b2-11dd-a612-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{2d1b5a1a-d9b2-11dd-a612-00038a000015}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{2d1b5a1a-d9b2-11dd-a612-00038a000015}\Shell\AutoRun\command - "" = E:\WIN\setup.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/15 14:09:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\michael\Desktop\Tech Utilities
[2011/03/15 09:48:56 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011/03/15 09:47:48 | 000,388,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\CF15065.exe
[2011/03/15 09:47:01 | 000,388,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\CF14905.exe
[2011/03/15 09:30:33 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/03/15 09:27:48 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/03/15 09:27:48 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/03/15 09:27:48 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/03/15 09:22:28 | 000,388,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\CF9870.exe
[2011/03/15 09:21:59 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/03/15 09:18:50 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\michael\Recent
[2011/03/15 09:08:21 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\michael\IETldCache
[2011/03/15 00:14:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2011/03/15 00:13:00 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[2011/03/15 00:08:43 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2011/03/14 19:22:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2011/03/14 19:13:14 | 000,000,000 | ---D | C] -- C:\Program Files\Tizer™ Rootkit Razor
[2011/03/14 19:13:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Tizer™ Rootkit Razor
[2011/03/14 19:03:03 | 000,000,000 | ---D | C] -- C:\Themes
[2011/03/14 18:22:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\michael\Application Data\SUPERAntiSpyware.com
[2011/03/14 18:22:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2011/03/14 17:46:39 | 000,743,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[2011/03/14 17:46:29 | 000,470,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2011/03/14 15:32:48 | 000,078,336 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\Agent.OMZ.Fix.exe
[2004/05/21 18:30:31 | 000,028,672 | ---- | C] ( ) -- C:\WINDOWS\System32\ControlACS.exe
[2004/05/06 18:03:26 | 000,036,864 | ---- | C] ( ) -- C:\WINDOWS\System32\ECioctl.dll
[10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/15 14:30:00 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\Symantec NetDetect.job
[2011/03/15 14:25:03 | 000,000,986 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1365650342-2673804759-2387553370-1005UA.job
[2011/03/15 09:56:03 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/15 09:54:53 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/15 09:47:38 | 000,388,608 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\CF15065.exe
[2011/03/15 09:46:49 | 000,388,608 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\CF14905.exe
[2011/03/15 09:30:44 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/03/15 09:21:08 | 000,388,608 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\CF9870.exe
[2011/03/15 09:11:25 | 000,405,878 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/15 09:11:24 | 000,064,262 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/15 09:08:37 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\michael\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/03/15 09:01:59 | 000,286,904 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/03/14 23:25:15 | 000,000,934 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1365650342-2673804759-2387553370-1005Core.job
[2011/03/14 21:45:57 | 000,056,816 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2011/03/14 19:13:16 | 000,000,838 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Tizer™ Rootkit Razor.lnk
[2011/03/14 19:13:16 | 000,000,806 | ---- | M] () -- C:\Documents and Settings\michael\Application Data\Microsoft\Internet Explorer\Quick Launch\Tizer™ Rootkit Razor.lnk
[2011/03/14 19:12:54 | 001,952,768 | ---- | M] () -- C:\Documents and Settings\michael\Desktop\Tizer Rootkit Razor Setup.msi
[2011/03/14 18:19:47 | 001,952,768 | ---- | M] () -- C:\Documents and Settings\michael\Desktop\MikerktSetup.msi
[2011/03/14 15:47:41 | 000,002,392 | ---- | M] () -- C:\WINDOWS\System32\tmp.reg
[2011/03/14 15:41:44 | 000,002,278 | ---- | M] () -- C:\Documents and Settings\michael\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/03/14 15:41:42 | 000,002,300 | ---- | M] () -- C:\Documents and Settings\michael\Desktop\Google Chrome.lnk
[10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/15 09:30:44 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/03/15 09:30:36 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/03/15 09:27:48 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/03/15 09:27:48 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/03/15 09:27:48 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/03/15 09:27:48 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/03/15 09:27:48 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/03/14 19:13:16 | 000,000,838 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Tizer™ Rootkit Razor.lnk
[2011/03/14 19:13:16 | 000,000,806 | ---- | C] () -- C:\Documents and Settings\michael\Application Data\Microsoft\Internet Explorer\Quick Launch\Tizer™ Rootkit Razor.lnk
[2011/03/14 19:12:49 | 001,952,768 | ---- | C] () -- C:\Documents and Settings\michael\Desktop\Tizer Rootkit Razor Setup.msi
[2011/03/14 18:19:43 | 001,952,768 | ---- | C] () -- C:\Documents and Settings\michael\Desktop\MikerktSetup.msi
[2010/03/02 22:15:52 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\1UnHooker.sys
[2009/10/31 15:39:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SMMVSplitter.INI
[2009/10/28 01:43:58 | 000,075,776 | ---- | C] () -- C:\WINDOWS\System32\WS2Fix.exe
[2009/10/28 01:43:58 | 000,051,200 | ---- | C] () -- C:\WINDOWS\System32\dumphive.exe
[2009/10/05 00:25:08 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\michael\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/04 19:54:49 | 000,000,095 | ---- | C] () -- C:\WINDOWS\QBChanUtil_Trigger.ini
[2009/02/03 18:02:23 | 000,038,457 | ---- | C] () -- C:\Documents and Settings\michael\Application Data\Microsoft Excel.ADR
[2009/01/26 00:30:00 | 000,000,120 | ---- | C] () -- C:\WINDOWS\CIS_Setup_3.5.57173.439_XP_Vista_x32.INI
[2009/01/03 12:25:39 | 000,026,504 | ---- | C] () -- C:\WINDOWS\System32\drivers\swmsflt.sys
[2008/06/23 19:49:59 | 000,000,048 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2007/11/18 15:22:28 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\imlCID.dll
[2007/05/08 15:05:24 | 000,008,784 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2007/03/18 23:32:02 | 000,204,848 | ---- | C] () -- C:\WINDOWS\System32\gswin32c.exe
[2007/03/07 19:38:32 | 000,000,006 | ---- | C] () -- C:\Documents and Settings\michael\Application Data\dm.ini
[2007/02/27 02:01:22 | 000,000,130 | ---- | C] () -- C:\Documents and Settings\michael\Local Settings\Application Data\fusioncache.dat
[2006/11/17 21:44:13 | 000,019,558 | ---- | C] () -- C:\WINDOWS\hpoins01.dat
[2006/11/17 21:44:13 | 000,016,606 | ---- | C] () -- C:\WINDOWS\hpomdl01.dat
[2006/11/10 23:00:50 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/10/15 18:42:50 | 000,000,000 | ---- | C] () -- C:\WINDOWS\TPTray.INI
[2006/10/08 11:48:01 | 000,001,751 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/10/08 11:02:34 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/09/24 16:52:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\CeEKey.INI
[2006/09/24 03:17:13 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/09/24 03:16:45 | 000,000,476 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/09/24 03:14:39 | 000,000,021 | ---- | C] () -- C:\WINDOWS\CS_setup.ini
[2006/09/24 01:41:39 | 000,000,067 | ---- | C] () -- C:\WINDOWS\swupdate.INI
[2006/09/24 01:21:22 | 000,002,951 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2004/05/21 19:21:39 | 000,356,352 | ---- | C] () -- C:\WINDOWS\System32\EMCRI.dll
[2004/05/21 18:30:31 | 000,241,664 | ---- | C] () -- C:\WINDOWS\System32\ControlWZCS.exe
[2004/05/21 18:30:28 | 000,651,264 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2004/05/21 18:30:28 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2004/05/21 18:30:28 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\AegisI5.exe
[2004/05/21 18:30:27 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\acs.exe
[2004/05/21 18:30:06 | 000,218,003 | ---- | C] () -- C:\WINDOWS\dssec.dat
[2004/05/20 14:42:57 | 000,000,924 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2004/05/20 14:41:39 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2004/05/20 14:41:39 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2004/05/20 14:41:39 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2004/05/20 14:41:39 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2004/05/20 14:41:39 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2004/05/20 14:41:39 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2004/05/20 14:34:08 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/05/20 14:28:48 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2004/05/20 14:26:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2004/05/20 14:26:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\CePMTray.INI
[2004/05/20 14:03:03 | 000,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2004/05/20 14:03:03 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2004/05/20 14:03:03 | 000,010,165 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2004/05/20 14:03:03 | 000,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2004/05/20 14:02:01 | 000,270,336 | ---- | C] () -- C:\WINDOWS\System32\PlugPlayPCIDevice.exe
[2004/05/20 14:02:01 | 000,163,840 | ---- | C] () -- C:\WINDOWS\System32\MFCFirstRemove.exe
[2004/05/20 14:02:01 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\RefreshDevice.exe
[2004/05/20 13:58:19 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2004/05/20 13:58:19 | 000,001,048 | ---- | C] () -- C:\WINDOWS\System32\drivers\alcxinit.dat
[2004/05/20 13:58:19 | 000,000,176 | ---- | C] () -- C:\WINDOWS\System32\drivers\alcxhweq.dat
[2004/05/20 13:47:30 | 000,090,112 | ---- | C] () -- C:\WINDOWS\InstDrvr.exe
[2004/05/20 13:47:30 | 000,006,867 | ---- | C] () -- C:\WINDOWS\System32\drivers\tbiosdrv.sys
[2004/05/14 17:20:03 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/05/14 17:16:38 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/05/14 17:15:43 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/05/14 17:10:27 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/05/14 17:09:21 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/05/14 16:32:11 | 000,000,384 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/05/14 16:24:14 | 000,405,878 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/05/14 16:24:14 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/05/14 16:24:14 | 000,064,262 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/05/14 16:24:14 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/05/14 16:24:12 | 000,004,631 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/05/14 16:24:10 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/05/14 16:24:06 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/05/14 16:23:53 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/05/14 16:23:52 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/05/14 16:23:12 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/05/14 16:22:45 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/05/14 10:05:24 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/05/14 10:04:28 | 000,286,904 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/04/23 20:33:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/04/22 01:58:26 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll
[2004/04/22 01:56:04 | 000,397,312 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.exe
[2003/03/09 22:31:04 | 000,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll

< End of report >


Extras.txt

OTL Extras logfile created on: 3/15/2011 2:31:42 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\michael\My Documents\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

447.00 Mb Total Physical Memory | 170.00 Mb Available Physical Memory | 38.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 59.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.89 Gb Total Space | 38.50 Gb Free Space | 68.88% Space Free | Partition Type: NTFS

Computer Name: ACE | User Name: michael | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-1365650342-2673804759-2387553370-1005\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3389:TCP" = 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AT&T\Communication Manager\SwiApiMux.exe" = C:\Program Files\AT&T\Communication Manager\SwiApiMux.exe:*:Enabled:SwiApiMux -- (Sierra Wireless, Inc.)
"C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe:*:Enabled:QuickBooks 2009 Data Manager -- (Intuit, Inc.)
"C:\Documents and Settings\michael\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll" = C:\Documents and Settings\michael\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll:*:Enabled:Google Talk Plugin -- (Google)
"C:\Documents and Settings\michael\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\michael\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{005F78AF-110D-398A-8430-BE98950A1E22}" = Google Talk Plugin
"{0D8363B3-74C6-4F66-86D0-7250F02FC5DF}" = AT&T Communication Manager
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 11
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{44403CE6-846A-401A-B9C9-9CE36297C549}" = Radmin Server 3.0
"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
"{6255EA85-9BCB-4360-994C-CADADD783517}" = Tizer™ Rootkit Razor
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{753D852A-D86D-42C9-9978-40AE66FB8985}" = Driver Installer
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0014-0000-0000-0000000FF1CE}" = Microsoft Office Professional 2007
"{91120000-0014-0000-0000-0000000FF1CE}_PROR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0014-0000-0000-0000000FF1CE}_PROR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91490409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Primary Interop Assemblies
"{9579E862-5FC7-4337-B1CC-5E37451524C5}" = Motorola Driver Installation
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9A2F0810-3622-4E86-9072-973FBE1679C5}" = QuickBooks Pro 2009
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = AusLogics Disk Defrag
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1BA3CD5-89DC-4273-8603-A75F33E9B335}" = Nokia Connectivity Adapter Cable DKU-5
"{FF15EC4A-4BF5-4B86-9E09-1111BFC52B72}" = Radmin Viewer 3.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CCleaner" = CCleaner (remove only)
"ESET Online Scanner" = ESET Online Scanner v3
"Free RAR Extract Frog" = Free RAR Extract Frog
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Visual Studio 2005 Tools for Office Second Edition Runtime
"Mozilla Firefox (3.0.9)" = Mozilla Firefox (3.0.9)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"PROR" = Microsoft Office Professional 2007 Trial
"RealVNC_is1" = VNC Enterprise Edition E4.2.9
"SolveigMM Video Splitter" = SolveigMM Video Splitter
"Songbird 20090331" = Songbird 1.1.2 (20090331)
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.0.3
"WIC" = Windows Imaging Component
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1365650342-2673804759-2387553370-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/13/2011 10:01:41 PM | Computer Name = ACE | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 3/14/2011 3:30:38 PM | Computer Name = ACE | Source = MsiInstaller | ID = 11704
Description = Product: Google Talk Plugin -- Error 1704. An installation for Microsoft
.NET Framework 2.0 Service Pack 2 is currently suspended. You must undo the changes
made by that installation to continue. Do you want to undo those changes?

Error - 3/14/2011 3:31:02 PM | Computer Name = ACE | Source = MsiInstaller | ID = 11712
Description = Product: Google Talk Plugin -- Error 1712. One or more of the files
required to restore your computer to its previous state could not be found. Restoration
will not be possible.

Error - 3/14/2011 4:03:45 PM | Computer Name = ACE | Source = ESENT | ID = 490
Description = svchost (1072) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 3/14/2011 4:03:45 PM | Computer Name = ACE | Source = ESENT | ID = 439
Description = Catalog Database (1072) Unable to write a shadowed header for file
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb. Error
-1032.

Error - 3/14/2011 4:03:45 PM | Computer Name = ACE | Source = ESENT | ID = 473
Description = Catalog Database (1072) Database C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
was partially detached. Error -1032 encountered updating database headers.

Error - 3/14/2011 5:53:09 PM | Computer Name = ACE | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 3/14/2011 5:53:09 PM | Computer Name = ACE | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 3/14/2011 6:19:18 PM | Computer Name = ACE | Source = MsiInstaller | ID = 1008
Description = The installation of C:\Documents and Settings\michael\Local Settings\Temporary
Internet Files\Content.IE5\8C5VXIQU\Tizer%20Rootkit%20Razor%20Setup[1].msi is not
permitted due to an error in software restriction policy processing. The object
cannot be trusted.

Error - 3/14/2011 6:19:47 PM | Computer Name = ACE | Source = MsiInstaller | ID = 1008
Description = The installation of C:\Documents and Settings\michael\Desktop\MikerktSetup.msi
is not permitted due to an error in software restriction policy processing. The
object cannot be trusted.

[ System Events ]
Error - 3/15/2011 9:31:46 AM | Computer Name = ACE | Source = Service Control Manager | ID = 7034
Description = The MySQL service terminated unexpectedly. It has done this 1 time(s).

Error - 3/15/2011 9:31:46 AM | Computer Name = ACE | Source = Service Control Manager | ID = 7034
Description = The Swupdtmr service terminated unexpectedly. It has done this 1
time(s).

Error - 3/15/2011 9:39:41 AM | Computer Name = ACE | Source = Service Control Manager | ID = 7000
Description = The mrtRate service failed to start due to the following error: %%2

Error - 3/15/2011 9:39:43 AM | Computer Name = ACE | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SASDIFSV SASKUTIL

Error - 3/15/2011 9:48:53 AM | Computer Name = ACE | Source = Service Control Manager | ID = 7034
Description = The C-DillaSrv service terminated unexpectedly. It has done this
1 time(s).

Error - 3/15/2011 9:50:57 AM | Computer Name = ACE | Source = Service Control Manager | ID = 7034
Description = The Atheros Configuration Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 3/15/2011 9:50:57 AM | Computer Name = ACE | Source = Service Control Manager | ID = 7034
Description = The Swupdtmr service terminated unexpectedly. It has done this 1
time(s).

Error - 3/15/2011 9:50:58 AM | Computer Name = ACE | Source = Service Control Manager | ID = 7034
Description = The MySQL service terminated unexpectedly. It has done this 1 time(s).

Error - 3/15/2011 9:55:42 AM | Computer Name = ACE | Source = Service Control Manager | ID = 7000
Description = The mrtRate service failed to start due to the following error: %%2

Error - 3/15/2011 9:55:50 AM | Computer Name = ACE | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SASDIFSV SASKUTIL


< End of report >


Thanks

M

#13 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 15 March 2011 - 01:49 PM

Hello,

OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.

    :Services
    :OTL
    SRV - File not found [Auto | Stopped] -- -- (PEVSystemStart)
    FF - prefs.js..network.proxy.type: 1
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O3 - HKU\S-1-5-21-1365650342-2673804759-2387553370-1005\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (Reg Error: Key error.)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2_03)
    O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab (Java Plug-in 1.5.0_03)
    O33 - MountPoints2\{0672c5f0-b117-11de-a647-00038a000015}\Shell - "" = AutoRun
    O33 - MountPoints2\{0672c5f0-b117-11de-a647-00038a000015}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{0672c5f0-b117-11de-a647-00038a000015}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
    O33 - MountPoints2\{18053541-c35f-11de-a649-00038a000015}\Shell - "" = AutoRun
    O33 - MountPoints2\{18053541-c35f-11de-a649-00038a000015}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{18053541-c35f-11de-a649-00038a000015}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
    O33 - MountPoints2\{2d1b5a1a-d9b2-11dd-a612-00038a000015}\Shell - "" = AutoRun
    O33 - MountPoints2\{2d1b5a1a-d9b2-11dd-a612-00038a000015}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{2d1b5a1a-d9b2-11dd-a612-00038a000015}\Shell\AutoRun\command - "" = E:\WIN\setup.exe
    [2011/03/14 15:32:48 | 000,078,336 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\Agent.OMZ.Fix.exe
    [10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [2011/03/14 15:47:41 | 000,002,392 | ---- | M] () -- C:\WINDOWS\System32\tmp.reg
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



Running ComboFix
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
  • IMPORTANT - Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

    Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

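An added example, not part of this thread and not OTL's own code: a small Python triage of the O33 - MountPoints2 entries that the fix above removes. MountPoints2\{GUID}\Shell\AutoRun\command under HKEY_CURRENT_USER is the autorun command Explorer recorded for a removable volume, so before such an entry goes into a fix it is worth reading what it actually launches. The sample input is the three blocks quoted in the fix; the verdict heuristics (flag rundll32 Shell32.DLL,ShellExec_RunDLL indirection and relative executable paths, mark absolute paths on the volume as entries to review) are this example's own assumptions, not OTL's rules or the helper's reasoning.

```python
"""Triage OTL 'O33 - MountPoints2' autorun entries before they go into a fix.

Added example, not part of the original thread or of OTL. The heuristics below
are this example's own: the fix script in the thread simply removes all three.
"""
import re
from typing import Dict, Tuple

# Constructed sample: the three MountPoints2 blocks quoted in the fix script.
SAMPLE_O33 = r"""
O33 - MountPoints2\{0672c5f0-b117-11de-a647-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{0672c5f0-b117-11de-a647-00038a000015}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{0672c5f0-b117-11de-a647-00038a000015}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\{18053541-c35f-11de-a649-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{18053541-c35f-11de-a649-00038a000015}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{18053541-c35f-11de-a649-00038a000015}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
O33 - MountPoints2\{2d1b5a1a-d9b2-11dd-a612-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{2d1b5a1a-d9b2-11dd-a612-00038a000015}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{2d1b5a1a-d9b2-11dd-a612-00038a000015}\Shell\AutoRun\command - "" = E:\WIN\setup.exe
"""

# One OTL O33 line: volume GUID, subkey under MountPoints2\{GUID}\, and the value.
O33_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<guid>\{[0-9A-Fa-f-]+\})\\(?P<sub>\S+) - "" = (?P<val>.*)$'
)
# rundll32 Shell32.DLL,ShellExec_RunDLL <target>: launcher indirection that hides the real target.
LAUNCHER_RE = re.compile(
    r'rundll32(?:\.exe)?\s+shell32\.dll,shellexec_rundll\s+(?P<target>\S+)', re.IGNORECASE
)
ABS_PATH_RE = re.compile(r'^[A-Za-z]:\\')


def parse_o33(text: str) -> Dict[str, Dict[str, str]]:
    """Group O33 lines by volume GUID: {guid: {subkey: value}}."""
    entries: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = O33_RE.match(line.strip())
        if m:
            entries.setdefault(m["guid"], {})[m["sub"]] = m["val"]
    return entries


def classify_command(cmd: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one AutoRun\\command value (heuristics assumed by this example)."""
    m = LAUNCHER_RE.search(cmd)
    if m:
        return "suspicious", f"ShellExec_RunDLL indirection launching {m['target']}"
    tokens = cmd.split()
    exe = tokens[0] if tokens else ""
    if not ABS_PATH_RE.match(exe):
        return "suspicious", f"relative executable path {exe!r}"
    return "review", f"direct launch of {exe} (stale if the volume is no longer present)"


def triage(entries: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Verdict per volume GUID; a Shell key without a command value is reported as 'no-command'."""
    out: Dict[str, Tuple[str, str]] = {}
    for guid, subs in entries.items():
        cmd = subs.get(r"Shell\AutoRun\command")
        out[guid] = classify_command(cmd) if cmd else ("no-command", "Shell key without command")
    return out


if __name__ == "__main__":
    for guid, (verdict, reason) in triage(parse_o33(SAMPLE_O33)).items():
        print(f"{guid}  {verdict:10s} {reason}")
```

Run stand-alone it prints one line per volume; the second GUID is the one that launches a bare Info.exe through rundll32, the other two launch an absolute path on E:.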

#14 infinite12

infinite12
  • Topic Starter

  • Members
  • 13 posts
  • Local time:02:10 PM

Posted 15 March 2011 - 02:34 PM

OTL log


All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
Service PEVSystemStart stopped successfully!
Service PEVSystemStart deleted successfully!
Prefs.js: 1 removed from network.proxy.type
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry value HKEY_USERS\S-1-5-21-1365650342-2673804759-2387553370-1005\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Starting removal of ActiveX control {67DABFBF-D0AB-41FA-9C46-CC0F21721616}
C:\WINDOWS\Downloaded Program Files\DivXPlugin.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{67DABFBF-D0AB-41FA-9C46-CC0F21721616}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67DABFBF-D0AB-41FA-9C46-CC0F21721616}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67DABFBF-D0AB-41FA-9C46-CC0F21721616}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67DABFBF-D0AB-41FA-9C46-CC0F21721616}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0672c5f0-b117-11de-a647-00038a000015}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0672c5f0-b117-11de-a647-00038a000015}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0672c5f0-b117-11de-a647-00038a000015}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0672c5f0-b117-11de-a647-00038a000015}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0672c5f0-b117-11de-a647-00038a000015}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0672c5f0-b117-11de-a647-00038a000015}\ not found.
File E:\LaunchU3.exe -a not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{18053541-c35f-11de-a649-00038a000015}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{18053541-c35f-11de-a649-00038a000015}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{18053541-c35f-11de-a649-00038a000015}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{18053541-c35f-11de-a649-00038a000015}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{18053541-c35f-11de-a649-00038a000015}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{18053541-c35f-11de-a649-00038a000015}\ not found.
File C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480 not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2d1b5a1a-d9b2-11dd-a612-00038a000015}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2d1b5a1a-d9b2-11dd-a612-00038a000015}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2d1b5a1a-d9b2-11dd-a612-00038a000015}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2d1b5a1a-d9b2-11dd-a612-00038a000015}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2d1b5a1a-d9b2-11dd-a612-00038a000015}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2d1b5a1a-d9b2-11dd-a612-00038a000015}\ not found.
File E:\WIN\setup.exe not found.
C:\WINDOWS\system32\Agent.OMZ.Fix.exe moved successfully.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\System32\SET5A.tmp deleted successfully.
C:\WINDOWS\System32\SET66.tmp deleted successfully.
C:\WINDOWS\System32\SET6F.tmp deleted successfully.
C:\WINDOWS\System32\SET70.tmp deleted successfully.
C:\WINDOWS\System32\SET71.tmp deleted successfully.
C:\WINDOWS\System32\SET73.tmp deleted successfully.
C:\WINDOWS\System32\SET74.tmp deleted successfully.
C:\WINDOWS\System32\SETA6.tmp deleted successfully.
C:\WINDOWS\System32\setb5.tmp deleted successfully.
C:\WINDOWS\002376_.tmp deleted successfully.
C:\WINDOWS\system32\tmp.reg moved successfully.
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\michael\My Documents\Downloads\cmd.bat deleted successfully.
C:\Documents and Settings\michael\My Documents\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (54622603796545536)

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes

User: All Users

User: Default User
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: michael
->Temp folder emptied: 804212 bytes
->Temporary Internet Files folder emptied: 6186664 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 3057856 bytes
->Google Chrome cache emptied: 32726965 bytes
->Flash cache emptied: 343 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 33251 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34093 bytes
RecycleBin emptied: 380688198 bytes

Total Files Cleaned = 404.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: michael
->Flash cache emptied: 0 bytes

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 03152011_145422


Trying to run the Combofix but it is freezing...

Any advice??
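
An added example, not part of this thread and not OTL's own code: a Python summary of an OTL fix-result log like the one posted above. OTL prints one outcome line per action ("deleted successfully", "moved successfully", "not found", and so on), so a helper checking whether the fix did what was asked can count the outcomes and list what could not be located. The sample log is a constructed excerpt of the posted log; the interpretation of "File ... not found" as a target that was absent at run time (for example an autorun command on an unplugged drive) is this example's assumption.

```python
"""Summarise an OTL fix-result log: what was removed, what was not found.

Added example, not part of the original thread or of OTL. The sample is a
constructed excerpt of the log posted in the thread.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

SAMPLE_LOG = r"""
All processes killed
========== OTL ==========
Service PEVSystemStart stopped successfully!
Service PEVSystemStart deleted successfully!
Prefs.js: 1 removed from network.proxy.type
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
C:\WINDOWS\Downloaded Program Files\DivXPlugin.inf moved successfully.
File E:\LaunchU3.exe -a not found.
C:\WINDOWS\system32\Agent.OMZ.Fix.exe moved successfully.
C:\WINDOWS\System32\SET5A.tmp deleted successfully.
HOSTS file reset successfully
Total Files Cleaned = 404.00 mb
"""

# One OTL action line: "<subject> <outcome>." / "<subject> <outcome>!"
OUTCOME_RE = re.compile(
    r'^(?P<subject>.+?) (?P<outcome>deleted successfully|moved successfully|'
    r'stopped successfully|reset successfully|not found)[.!]?$'
)
TOTAL_RE = re.compile(r'^Total Files Cleaned = (?P<mb>[\d.]+) mb$')
# Firefox prefs.js proxy setting removed (browser proxy hijack cleared).
PROXY_RE = re.compile(r'^Prefs\.js: \d+ removed from network\.proxy\.')


def summarize_otl_log(text: str) -> Dict[str, object]:
    """Count outcomes, collect 'not found' subjects, pick up the total and the proxy reset."""
    counts: Counter = Counter()
    not_found: List[str] = []
    total_mb: Optional[float] = None
    proxy_reset = False
    for raw in text.splitlines():
        line = raw.strip()
        m = OUTCOME_RE.match(line)
        if m:
            counts[m["outcome"]] += 1
            if m["outcome"] == "not found":
                not_found.append(m["subject"])
            continue
        t = TOTAL_RE.match(line)
        if t:
            total_mb = float(t["mb"])
        elif PROXY_RE.match(line):
            proxy_reset = True
    return {
        "counts": counts,
        "not_found": not_found,
        "total_cleaned_mb": total_mb,
        "firefox_proxy_reset": proxy_reset,
    }


def missing_files(summary: Dict[str, object]) -> List[str]:
    """'File ... not found' lines: removal targets OTL could not locate at run time (assumed: absent volume or file)."""
    return [s for s in summary["not_found"] if s.startswith("File ")]  # type: ignore[union-attr]


if __name__ == "__main__":
    s = summarize_otl_log(SAMPLE_LOG)
    for outcome, n in sorted(s["counts"].items()):  # type: ignore[union-attr]
        print(f"{n:3d}  {outcome}")
    print("files not found:", missing_files(s))
    print("total cleaned (MB):", s["total_cleaned_mb"], " proxy reset:", s["firefox_proxy_reset"])
```

On the real log the same parser would also list the "Registry key ... CLSID ... not found" lines, which are OTL's companion lookups for each removed BHO or ActiveX control rather than failures of the fix itself.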

#15 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica
  • Local time:03:10 PM

Posted 15 March 2011 - 02:37 PM

Try running it in Safe Mode.

