Search engine redirect problem


  • This topic is locked
18 replies to this topic

#1 AAS

AAS

  • Members
  • 8 posts
  • Local time:02:56 PM

Posted 16 March 2011 - 01:06 PM

I have recently encountered the (apparently) well known search engine malware problem. It affects both Firefox and IE - although slightly differently. In Firefox any "click" brings up a shopping site with somewhat related topics. In IE, the redirect is to a travel site. Copying the desired site URL and pasting it results in a correct call.

The DDS:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Alan at 13:14:25.03 on Wed 03/16/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2815.1994 [GMT -4:00]
.
AV: Trend Micro Internet Security Pro *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *Enabled*
.
============== Running Processes ===============
.
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\Common Files\Java\Java Update\jusched.exe
F:\WINDOWS\MXOALDR.EXE
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
F:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
F:\Program Files\Canon\MyPrinter\BJMyPrt.exe
F:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe
F:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
F:\Palm\HOTSYNC.EXE
F:\Program Files\Common Files\Nuance\dgnsvc.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\Microsoft Office\Office\1033\msoffice.exe
F:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
F:\Program Files\Retrospect\Retrospect 7.7\retrorun.exe
F:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
F:\WINDOWS\system32\svchost.exe -k imgsvc
F:\WINDOWS\system32\MsPMSPSv.exe
F:\Program Files\Trend Micro\Internet Security\TmProxy.exe
F:\Program Files\Trend Micro\Internet Security\TmPfw.exe
F:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
F:\Program Files\Trend Micro\BM\TMBMSRV.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
F:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
F:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Mozilla Firefox\plugin-container.exe
F:\Program Files\Mozilla Thunderbird\thunderbird.exe
F:\Documents and Settings\Alan\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - f:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - f:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - f:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
uRun: [ISUSPM] f:\documents and settings\all users\application data\flexnet\connect\11\ISUSPM.exe -scheduler
uRun: [OE] "f:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe"
mRun: [SunJavaUpdateSched] "f:\program files\common files\java\java update\jusched.exe"
mRun: [MXO Auto Loader] f:\windows\MXOALDR.EXE
mRun: [nwiz] f:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE f:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE f:\windows\system32\NvCpl.dll,NvStartup
mRun: [IJNetworkScanUtility] f:\program files\canon\canon ij network scan utility\CNMNSUT.exe
mRun: [DNS7reminder] "f:\program files\nuance\naturallyspeaking11\ereg\ereg.exe" -r "f:\documents and settings\all users\application data\nuance\naturallyspeaking11\Ereg.ini
mRun: [QuickTime Task] "f:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Nikon Transfer Monitor] f:\program files\common files\nikon\monitor\NkMonitor.exe
mRun: [RoxioEngineUtility] "f:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [CanonMyPrinter] f:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] f:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [UfSeAgnt.exe] "f:\program files\trend micro\internet security\UfSeAgnt.exe"
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - f:\palm\HOTSYNC.EXE
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - f:\program files\microsoft office\office\OSA9.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - f:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - f:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - f:\docume~1\alan\applic~1\mozilla\firefox\profiles\2b0y7odi.default\
FF - prefs.js: browser.startup.homepage - hxxp://online.wsj.com/home-page?mg=com-wsj
FF - component: f:\program files\trend micro\trendsecure\tisprotoolbar\firefoxextension\components\FFTMUFEHelper.dll
FF - component: f:\program files\trend micro\trendsecure\tisprotoolbar\firefoxextension\components\FFToolbarComm.dll
FF - plugin: f:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - f:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - f:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - f:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Trend Micro Toolbar: {22181a4d-af90-4ca3-a569-faed9118d6bc} - f:\program files\trend micro\trendsecure\tisprotoolbar\FirefoxExtension
.
============= SERVICES / DRIVERS ===============
.
R2 DragonSvc;Dragon Service;f:\program files\common files\nuance\dgnsvc.exe [2010-7-23 296808]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;f:\program files\common files\pc tools\smonitor\StartManSvc.exe [2011-2-14 632792]
R2 tmpreflt;tmpreflt;f:\windows\system32\drivers\tmpreflt.sys [2011-2-4 36432]
R3 tmcfw;Trend Micro Common Firewall Service;f:\windows\system32\drivers\TM_CFW.sys [2011-2-4 339984]
R3 tmevtmgr;tmevtmgr;f:\windows\system32\drivers\tmevtmgr.sys [2011-2-4 51792]
R3 TmPfw;Trend Micro Personal Firewall;f:\program files\trend micro\internet security\TmPfw.exe [2011-2-4 497008]
R3 TmProxy;Trend Micro Proxy Service;f:\program files\trend micro\internet security\TmProxy.exe [2011-2-4 689416]
S2 mrtRate;mrtRate; [x]
.
=============== Created Last 30 ================
.
2011-03-16 14:52:16 388096 ----a-r- f:\docume~1\alan\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-03-15 19:39:10 -------- d-----w- f:\documents and settings\alan\.unlimitedftp
2011-03-15 01:18:20 -------- d-----w- f:\docume~1\alan\applic~1\MozillaControl
2011-03-15 01:10:29 -------- d-----w- f:\program files\H&R Block Business 2010
2011-03-04 15:49:48 -------- d-----w- f:\docume~1\alan\applic~1\Malwarebytes
2011-03-04 15:49:38 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
2011-03-04 15:49:37 -------- d-----w- f:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-04 15:49:34 20952 ----a-w- f:\windows\system32\drivers\mbam.sys
2011-03-04 15:49:28 -------- d-----w- f:\program files\Malwarebytes' Anti-Malware
2011-02-23 15:46:37 135168 --sha-r- f:\windows\system32\bootvid4.dll
2011-02-22 02:39:42 7552 -c--a-w- f:\windows\system32\dllcache\sonypvu1.sys
2011-02-22 02:39:42 7552 ----a-w- f:\windows\system32\drivers\SONYPVU1.SYS
2011-02-15 04:02:55 -------- d-----w- f:\docume~1\alan\applic~1\Registry Mechanic
2011-02-15 03:59:47 880640 ----a-w- f:\windows\system32\UniBox10.ocx
2011-02-15 03:59:47 37336 ----a-w- f:\windows\system32\CleanMFT32.exe
2011-02-15 03:59:47 212992 ----a-w- f:\windows\system32\UniBoxVB12.ocx
2011-02-15 03:59:47 1101824 ----a-w- f:\windows\system32\UniBox210.ocx
2011-02-15 03:59:42 -------- d-----w- f:\program files\common files\PC Tools
.
==================== Find3M ====================
.
2011-03-06 15:08:54 952 --sha-w- f:\windows\system32\KGyGaAvL.sys
2011-02-04 16:49:13 661808 ----a-w- f:\windows\system32\UfWSC.cpl
.
============= FINISH: 13:14:52.20 ===============

GMER:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-03-16 13:51:21
Windows 5.1.2600 Service Pack 2 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-22 WDC_WD1001FALS-75J7B0 rev.05.00K05
Running: gmer.exe; Driver: F:\DOCUME~1\Alan\LOCALS~1\Temp\pxtdapow.sys


---- System - GMER 1.0.15 ----

SSDT 89599CE0 ZwCreateKey
SSDT 8959AE80 ZwCreateMutant
SSDT 895991E0 ZwCreateProcess
SSDT 895994A0 ZwCreateProcessEx
SSDT 8959AB40 ZwCreateThread
SSDT 8959A260 ZwDeleteKey
SSDT 8959A520 ZwDeleteValueKey
SSDT 8959ACE0 ZwLoadDriver
SSDT 89599760 ZwOpenProcess
SSDT 8959B020 ZwSetSystemInformation
SSDT 89599FA0 ZwSetValueKey
SSDT 89599A20 ZwTerminateProcess
SSDT 8959A9A0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text F:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB72853A0, 0x59FFE5, 0xE8000020]
? F:\DOCUME~1\Alan\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text F:\Program Files\Mozilla Firefox\plugin-container.exe[1628] USER32.dll!TrackPopupMenu 77D94F16 5 Bytes JMP 10406373 F:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text F:\Program Files\Mozilla Firefox\firefox.exe[2788] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 004013F0 F:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text F:\Program Files\Mozilla Firefox\firefox.exe[2788] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 012EB3C6
.text F:\Program Files\Mozilla Firefox\firefox.exe[2788] WS2_32.dll!send 71AB428A 5 Bytes JMP 012EBE2F
.text F:\Program Files\Mozilla Firefox\firefox.exe[2788] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 012EC050
.text F:\Program Files\Mozilla Firefox\firefox.exe[2788] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 012EB309
.text F:\Program Files\Mozilla Firefox\firefox.exe[2788] WS2_32.dll!recv 71AB615A 5 Bytes JMP 012EBED5
.text F:\Program Files\Mozilla Firefox\firefox.exe[2788] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 012EBF7F
.text F:\Program Files\Mozilla Firefox\firefox.exe[2788] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 012EC146
.text F:\Program Files\Mozilla Firefox\firefox.exe[2788] WS2_32.dll!WSAAsyncGetHostByName 71ABE985 5 Bytes JMP 012EB75C
.text F:\Program Files\Mozilla Firefox\firefox.exe[2788] USER32.dll!DrawTextW 77D4FF89 5 Bytes JMP 012EC55D
.text F:\Program Files\Mozilla Firefox\firefox.exe[2788] USER32.dll!DrawTextExW 77D505D2 5 Bytes JMP 012EC721
.text F:\Program Files\Mozilla Firefox\firefox.exe[2788] USER32.dll!DialogBoxParamW 77D56702 5 Bytes JMP 012EB837
.text F:\Program Files\Mozilla Firefox\firefox.exe[2788] USER32.dll!DrawTextA 77D65D61 5 Bytes JMP 012EC481
.text F:\Program Files\Mozilla Firefox\firefox.exe[2788] USER32.dll!DrawTextExA 77D65D98 5 Bytes JMP 012EC639
.text F:\Program Files\Mozilla Firefox\firefox.exe[2788] USER32.dll!SetClipboardData 77D6FF10 5 Bytes JMP 012EC1D4
.text F:\Program Files\Mozilla Firefox\firefox.exe[2788] GDI32.dll!TextOutW 77F17CE8 5 Bytes JMP 012EC3B4
.text F:\Program Files\Mozilla Firefox\firefox.exe[2788] GDI32.dll!ExtTextOutW 77F17EC6 5 Bytes JMP 012EC8EE
.text F:\Program Files\Mozilla Firefox\firefox.exe[2788] GDI32.dll!ExtTextOutA 77F19012 5 Bytes JMP 012EC809
.text F:\Program Files\Mozilla Firefox\firefox.exe[2788] GDI32.dll!TextOutA 77F1C449 5 Bytes JMP 012EC2E7
.text F:\Program Files\Mozilla Firefox\firefox.exe[2788] GDI32.dll!GetGlyphIndicesA 77F3CBA5 5 Bytes JMP 012ECCA5
.text F:\Program Files\Mozilla Firefox\firefox.exe[2788] GDI32.dll!GetGlyphIndicesW 77F506E2 5 Bytes JMP 012ECD6F

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

---- EOF - GMER 1.0.15 ----



Thank you

AAS


#2 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK
  • Local time:06:56 PM

Posted 21 March 2011 - 08:08 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.




#3 AAS

AAS
  • Topic Starter

  • Members
  • 8 posts
  • Local time:02:56 PM

Posted 21 March 2011 - 09:33 AM

Thank you for the response. I understand the issue of workload and am very grateful for your assistance. I do have the original XP Pro disk. You will note that the files attached indicate that "F" is the root drive on my system - this is the result of a port selection error when a failed HDD was replaced. Per your instructions:

DDS (Ver_11-03-05.01) - NTFSx86
Run by Alan at 9:23:27.04 on Mon 03/21/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2815.1756 [GMT -4:00]
.
AV: Trend Micro Internet Security Pro *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *Enabled*
.
============== Running Processes ===============
.
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\Common Files\Java\Java Update\jusched.exe
F:\WINDOWS\MXOALDR.EXE
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
F:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
F:\Program Files\Canon\MyPrinter\BJMyPrt.exe
F:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe
F:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
F:\Palm\HOTSYNC.EXE
F:\Program Files\Common Files\Nuance\dgnsvc.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\Microsoft Office\Office\1033\msoffice.exe
F:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
F:\Program Files\Retrospect\Retrospect 7.7\retrorun.exe
F:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
F:\WINDOWS\system32\svchost.exe -k imgsvc
F:\WINDOWS\system32\MsPMSPSv.exe
F:\WINDOWS\System32\svchost.exe -k HTTPFilter
F:\Program Files\Trend Micro\Internet Security\TmProxy.exe
F:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
F:\Program Files\Trend Micro\Internet Security\TmPfw.exe
F:\Program Files\Trend Micro\BM\TMBMSRV.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
F:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
F:\Program Files\Common Files\Java\Java Update\jucheck.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Mozilla Thunderbird\thunderbird.exe
F:\Program Files\Mozilla Firefox\plugin-container.exe
F:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
F:\Program Files\Trend Micro\Internet Security\TMAS_OL\TMAS_OL.exe
F:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\agent.exe
F:\Documents and Settings\Alan\My Documents\Downloads\dds(2).scr
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - f:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - f:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - f:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
uRun: [ISUSPM] f:\documents and settings\all users\application data\flexnet\connect\11\ISUSPM.exe -scheduler
uRun: [OE] "f:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe"
mRun: [SunJavaUpdateSched] "f:\program files\common files\java\java update\jusched.exe"
mRun: [MXO Auto Loader] f:\windows\MXOALDR.EXE
mRun: [nwiz] f:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE f:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE f:\windows\system32\NvCpl.dll,NvStartup
mRun: [IJNetworkScanUtility] f:\program files\canon\canon ij network scan utility\CNMNSUT.exe
mRun: [DNS7reminder] "f:\program files\nuance\naturallyspeaking11\ereg\ereg.exe" -r "f:\documents and settings\all users\application data\nuance\naturallyspeaking11\Ereg.ini
mRun: [QuickTime Task] "f:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Nikon Transfer Monitor] f:\program files\common files\nikon\monitor\NkMonitor.exe
mRun: [RoxioEngineUtility] "f:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [CanonMyPrinter] f:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] f:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [UfSeAgnt.exe] "f:\program files\trend micro\internet security\UfSeAgnt.exe"
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - f:\palm\HOTSYNC.EXE
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - f:\program files\microsoft office\office\OSA9.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - f:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - f:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - f:\docume~1\alan\applic~1\mozilla\firefox\profiles\2b0y7odi.default\
FF - prefs.js: browser.startup.homepage - hxxp://online.wsj.com/home-page?mg=com-wsj
FF - component: f:\program files\trend micro\trendsecure\tisprotoolbar\firefoxextension\components\FFTMUFEHelper.dll
FF - component: f:\program files\trend micro\trendsecure\tisprotoolbar\firefoxextension\components\FFToolbarComm.dll
FF - plugin: f:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - f:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - f:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - f:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Trend Micro Toolbar: {22181a4d-af90-4ca3-a569-faed9118d6bc} - f:\program files\trend micro\trendsecure\tisprotoolbar\FirefoxExtension
.
============= SERVICES / DRIVERS ===============
.
R2 DragonSvc;Dragon Service;f:\program files\common files\nuance\dgnsvc.exe [2010-7-23 296808]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;f:\program files\common files\pc tools\smonitor\StartManSvc.exe [2011-2-14 632792]
R2 tmpreflt;tmpreflt;f:\windows\system32\drivers\tmpreflt.sys [2011-2-4 36432]
R3 tmcfw;Trend Micro Common Firewall Service;f:\windows\system32\drivers\TM_CFW.sys [2011-2-4 339984]
R3 tmevtmgr;tmevtmgr;f:\windows\system32\drivers\tmevtmgr.sys [2011-2-4 51792]
R3 TmPfw;Trend Micro Personal Firewall;f:\program files\trend micro\internet security\TmPfw.exe [2011-2-4 497008]
R3 TmProxy;Trend Micro Proxy Service;f:\program files\trend micro\internet security\TmProxy.exe [2011-2-4 689416]
S2 mrtRate;mrtRate; [x]
.
=============== Created Last 30 ================
.
2011-03-16 14:52:16 388096 ----a-r- f:\docume~1\alan\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-03-15 19:39:10 -------- d-----w- f:\documents and settings\alan\.unlimitedftp
2011-03-15 01:18:20 -------- d-----w- f:\docume~1\alan\applic~1\MozillaControl
2011-03-15 01:10:29 -------- d-----w- f:\program files\H&R Block Business 2010
2011-03-04 15:49:48 -------- d-----w- f:\docume~1\alan\applic~1\Malwarebytes
2011-03-04 15:49:38 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
2011-03-04 15:49:37 -------- d-----w- f:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-04 15:49:34 20952 ----a-w- f:\windows\system32\drivers\mbam.sys
2011-03-04 15:49:28 -------- d-----w- f:\program files\Malwarebytes' Anti-Malware
2011-02-23 15:46:37 135168 --sha-r- f:\windows\system32\bootvid4.dll
2011-02-22 02:39:42 7552 -c--a-w- f:\windows\system32\dllcache\sonypvu1.sys
2011-02-22 02:39:42 7552 ----a-w- f:\windows\system32\drivers\SONYPVU1.SYS
.
==================== Find3M ====================
.
2011-03-06 15:08:54 952 --sha-w- f:\windows\system32\KGyGaAvL.sys
2011-02-04 16:49:13 661808 ----a-w- f:\windows\system32\UfWSC.cpl
.
============= FINISH: 9:23:55.71 ===============


DDS attach is available if requested.

Thank you for your help!

Alan Schwartz


#4 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:02:56 PM

Posted 22 March 2011 - 07:41 AM

Hi,

Welcome to Bleeping Computer.

My name is Shannon and I will be working with you to remove the malware that is on your machine.

I apologize for the delay in replying to your post, but this forum is extremely busy.

Please don't make any further changes or run any other tools unless instructed to. Additional changes may hinder the cleaning of your machine.

When asked to copy logs or reports into your reply, please copy them directly into your reply. Do not include them in quotes. Do not attach them unless asked to do so. In Notepad, please turn off Word Wrap under the Format menu.

Please Track this topic - On the top right on this thread, click on the Option button, and, in the drop-down list, click on 'Track this topic'. Under Subscription Information, click on 'Immediate Email Notification' and then click on the Proceed button at the bottom.

Please give me some time to look over your log. I will post the reply as soon as possible.
Shannon

#5 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:02:56 PM

Posted 22 March 2011 - 09:51 AM

Hi-

Need to check to see if a file is infected or not -


Before we start, please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti
When the Jotti page has finished loading, click Jotti's Browse button and navigate to the following file and click the Submit file button within Jotti.

f:\windows\system32\bootvid4.dll

If Jotti reports that the file has been scanned before and gives you those results, click on the Scan Again button.
Please post back the results of the scan in your next post.
If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Next, please run Malwarebytes' Anti-Malware (MBAM)
  • Click on the Update tab and click the Check for Updates button.
  • When the update is finished, click on the Scanner tab.
  • Select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Then, we need to create an OTL Report
  • Please download OTL from here:
  • Main Mirror
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList"
  • Push the Run Scan button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

In your reply, please copy in the contents of the MBAM report and the two OTL reports. Let me know how the Jotti upload went - you can just copy in the link to its output report.
Shannon
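The file Shannon singles out, bootvid4.dll, is the one entry in the DDS "Created Last 30" section that is a recently created hidden+system file sitting directly in system32. The following is an added example, not code from the thread or from DDS, Jotti or any other tool named here: it parses those DDS file lines and flags entries a responder would hash and look up before deciding anything, which is the verification step requested above. The attribute-letter meanings (d, s, h, r), the `parse_dds_entries` / `flag_for_verification` names and the two triage heuristics are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: entries copied from the "Created Last 30" and "Find3M"
# sections of the DDS log posted earlier in this thread.
SAMPLE_DDS_LINES = r"""
2011-03-16 14:52:16 388096 ----a-r- f:\docume~1\alan\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-03-15 19:39:10 -------- d-----w- f:\documents and settings\alan\.unlimitedftp
2011-03-04 15:49:38 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
2011-02-23 15:46:37 135168 --sha-r- f:\windows\system32\bootvid4.dll
2011-02-22 02:39:42 7552 -c--a-w- f:\windows\system32\dllcache\sonypvu1.sys
2011-02-15 03:59:47 37336 ----a-w- f:\windows\system32\CleanMFT32.exe
2011-03-06 15:08:54 952 --sha-w- f:\windows\system32\KGyGaAvL.sys
"""

# One DDS file entry: "<date> <time> <size|--------> <attrs> <path>".
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+|-{8}) ([a-z-]{8}) (.+)$"
)


@dataclass
class DdsEntry:
    date: str
    time: str
    size: Optional[int]   # None for directories (DDS prints "--------")
    attrs: str            # e.g. "--sha-r-"
    path: str

    # Attribute letters as DDS prints them (assumption: d=directory,
    # s=system, h=hidden, r=read-only; '-' means the flag is clear).
    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_dds_entries(text: str) -> List[DdsEntry]:
    """Parse DDS 'Created Last 30' / 'Find3M' lines; section headers and
    the '.' separator lines DDS emits are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        size_val = None if size.startswith("-") else int(size)
        entries.append(DdsEntry(date, time, size_val, attrs, path))
    return entries


def flag_for_verification(entries: List[DdsEntry],
                          windows_dir: str = r"f:\windows"
                          ) -> List[Tuple[DdsEntry, List[str]]]:
    """Return (entry, reasons) for files worth hashing and looking up
    (Jotti / VirusTotal) before acting. A flag is a triage prompt, not a
    verdict: legitimate software also drops hidden+system files, and the
    heuristics are my own assumptions, not something DDS itself applies."""
    win = windows_dir.lower()
    sys32 = win + r"\system32"
    flagged = []
    for e in entries:
        if e.is_dir or not e.parent.startswith(win):
            continue
        reasons = []
        if e.hidden and e.system:
            reasons.append("hidden+system file under the Windows directory")
        if e.parent == sys32 and e.name.endswith(".sys"):
            reasons.append("driver (.sys) placed directly in system32, "
                           "not in system32\\drivers")
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in flag_for_verification(parse_dds_entries(SAMPLE_DDS_LINES)):
        print(f"{entry.date} {entry.attrs} {entry.size} {entry.path}")
        for r in reasons:
            print(f"    - {r}")
```

Run as a script it lists only bootvid4.dll and KGyGaAvL.sys from the sample; both are candidates for a hash lookup, not findings.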

#6 AAS

AAS
  • Topic Starter

  • Members
  • 8 posts
  • Local time:02:56 PM

Posted 22 March 2011 - 12:43 PM

Thanks

I followed your instructions

1. re bootvid4.dll Jotti reported "file empty 0 bytes"

2. Malwarebytes reported no instances

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6132

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

3/22/2011 12:36:15 PM
mbam-log-2011-03-22 (12-36-15).txt

Scan type: Full scan (F:\|)
Objects scanned: 190826
Time elapsed: 27 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

OTL reports:

OTL logfile created on: 3/22/2011 12:39:17 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = F:\Documents and Settings\Alan\My Documents\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 56.00% Memory free
5.00 Gb Paging File | 3.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): F:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = F: | %SystemRoot% = F:\WINDOWS | %ProgramFiles% = F:\Program Files
Drive C: | 931.51 Gb Total Space | 661.73 Gb Free Space | 71.04% Space Free | Partition Type: NTFS
Drive F: | 298.08 Gb Total Space | 283.41 Gb Free Space | 95.08% Space Free | Partition Type: NTFS
Drive G: | 111.79 Gb Total Space | 0.14 Gb Free Space | 0.13% Space Free | Partition Type: NTFS

Computer Name: DAD | User Name: Alan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/22 12:38:14 | 000,580,608 | ---- | M] (OldTimer Tools) -- F:\Documents and Settings\Alan\My Documents\Downloads\OTL.exe
PRC - [2011/03/12 19:27:00 | 000,912,344 | ---- | M] (Mozilla Corporation) -- F:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/03/12 18:55:48 | 012,587,696 | ---- | M] (Mozilla Messaging) -- F:\Program Files\Mozilla Thunderbird\thunderbird.exe
PRC - [2011/02/04 12:49:09 | 000,689,416 | ---- | M] () -- F:\Program Files\Trend Micro\Internet Security\TmProxy.exe
PRC - [2011/02/04 12:49:09 | 000,497,008 | ---- | M] () -- F:\Program Files\Trend Micro\Internet Security\TmPfw.exe
PRC - [2011/02/04 12:49:09 | 000,492,808 | ---- | M] (Trend Micro Inc.) -- F:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
PRC - [2011/02/04 12:49:09 | 000,345,352 | ---- | M] () -- F:\Program Files\Trend Micro\BM\TMBMSRV.exe
PRC - [2010/12/20 19:08:46 | 000,963,976 | ---- | M] (Malwarebytes Corporation) -- F:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2010/11/08 12:40:56 | 000,715,440 | ---- | M] () -- F:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
PRC - [2010/10/01 14:27:22 | 000,632,792 | ---- | M] (PC Tools) -- F:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
PRC - [2010/08/23 23:36:28 | 000,116,016 | ---- | M] (Sonic Solutions) -- F:\Program Files\Retrospect\Retrospect 7.7\retrorun.exe
PRC - [2010/08/23 09:11:28 | 000,206,240 | ---- | M] (CANON INC.) -- F:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
PRC - [2010/07/23 13:24:48 | 000,296,808 | ---- | M] (Nuance Communications, Inc.) -- F:\Program Files\Common Files\Nuance\dgnsvc.exe
PRC - [2010/07/23 12:50:49 | 000,222,496 | ---- | M] (Acresso Corporation) -- F:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe
PRC - [2010/07/23 12:50:46 | 001,152,288 | ---- | M] (Acresso Corporation) -- F:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\agent.exe
PRC - [2010/02/18 11:43:20 | 000,490,728 | ---- | M] (Sun Microsystems, Inc.) -- F:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2010/01/26 05:08:10 | 001,099,016 | ---- | M] (Trend Micro Inc.) -- F:\Program Files\Trend Micro\Internet Security\TMAS_OL\TMAS_OL.exe
PRC - [2010/01/26 03:40:32 | 001,020,248 | ---- | M] () -- F:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
PRC - [2010/01/04 05:59:46 | 000,083,280 | ---- | M] () -- F:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
PRC - [2009/11/01 22:30:00 | 002,508,104 | ---- | M] (CANON INC.) -- F:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2009/09/15 19:47:36 | 000,479,232 | ---- | M] (Nikon Corporation) -- F:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
PRC - [2009/07/27 05:30:25 | 000,157,008 | ---- | M] (Trend Micro Inc.) -- F:\Program Files\Trend Micro\TrendSecure\TISProToolbar\platformdependent\ProToolbarComm.exe
PRC - [2009/07/24 21:02:47 | 000,185,680 | ---- | M] (Trend Micro Inc.) -- F:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
PRC - [2005/08/17 10:00:00 | 003,887,104 | ---- | M] (Corel, Inc.) -- F:\Program Files\Corel\Corel Paint Shop Pro X\Paint Shop Pro X.exe
PRC - [2004/08/04 08:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- F:\WINDOWS\explorer.exe
PRC - [2004/01/29 00:36:04 | 000,024,576 | ---- | M] (Intuit Inc.) -- F:\Program Files\Quicken\qw.exe
PRC - [2003/04/07 18:09:48 | 000,118,784 | ---- | M] (Cypress Semiconductor) -- F:\WINDOWS\MXOALDR.EXE
PRC - [2001/03/12 16:01:00 | 000,299,008 | ---- | M] (Palm, Inc.) -- F:\Palm\HOTSYNC.EXE
PRC - [1999/02/01 18:53:24 | 000,405,560 | ---- | M] (Microsoft Corporation) -- F:\Program Files\Microsoft Office\Office\1033\MSOFFICE.EXE
PRC - [1998/12/16 16:09:20 | 000,057,393 | R--- | M] (Microsoft Corporation) -- F:\Program Files\Microsoft Office\Office\OUTLOOK.EXE


========== Modules (SafeList) ==========

MOD - [2011/03/22 12:38:14 | 000,580,608 | ---- | M] (OldTimer Tools) -- F:\Documents and Settings\Alan\My Documents\Downloads\OTL.exe
MOD - [2011/02/04 12:49:11 | 000,128,264 | ---- | M] () -- F:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEHook.dll
MOD - [2004/08/04 08:00:00 | 001,050,624 | ---- | M] (Microsoft Corporation) -- F:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/02/04 12:49:09 | 000,689,416 | ---- | M] () [On_Demand | Running] -- F:\Program Files\Trend Micro\Internet Security\TmProxy.exe -- (TmProxy)
SRV - [2011/02/04 12:49:09 | 000,497,008 | ---- | M] () [On_Demand | Running] -- F:\Program Files\Trend Micro\Internet Security\TmPfw.exe -- (TmPfw)
SRV - [2011/02/04 12:49:09 | 000,345,352 | ---- | M] () [On_Demand | Running] -- F:\Program Files\Trend Micro\BM\TMBMSRV.exe -- (TMBMServer)
SRV - [2010/11/08 12:40:56 | 000,715,440 | ---- | M] () [Auto | Running] -- F:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe -- (SfCtlCom)
SRV - [2010/10/01 14:27:22 | 000,632,792 | ---- | M] (PC Tools) [Auto | Running] -- F:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe -- (PCToolsSSDMonitorSvc)
SRV - [2010/08/23 23:36:34 | 000,169,264 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- F:\Program Files\Retrospect\Retrospect 7.7\rthlpsvc.exe -- (Retrospect Helper)
SRV - [2010/08/23 23:36:28 | 000,116,016 | ---- | M] (Sonic Solutions) [Auto | Running] -- F:\Program Files\Retrospect\Retrospect 7.7\retrorun.exe -- (RetroLauncher)
SRV - [2010/07/23 13:24:48 | 000,296,808 | ---- | M] (Nuance Communications, Inc.) [Auto | Running] -- F:\Program Files\Common Files\Nuance\dgnsvc.exe -- (DragonSvc)


========== Driver Services (SafeList) ==========

DRV - [2011/02/04 12:49:11 | 000,339,984 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand | Running] -- F:\WINDOWS\system32\drivers\TM_CFW.sys -- (tmcfw)
DRV - [2011/02/04 12:49:11 | 000,089,872 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- F:\WINDOWS\system32\drivers\tmtdi.sys -- (tmtdi)
DRV - [2010/12/01 15:06:29 | 000,108,104 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- F:\WINDOWS\system32\drivers\AnyDVD.sys -- (AnyDVD)
DRV - [2010/10/25 18:05:14 | 000,012,928 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- F:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2010/10/25 18:05:13 | 000,033,536 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- F:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2010/07/30 13:29:10 | 000,249,424 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- F:\WINDOWS\system32\drivers\tmxpflt.sys -- (tmxpflt)
DRV - [2010/07/30 13:29:00 | 000,036,432 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- F:\WINDOWS\system32\drivers\tmpreflt.sys -- (tmpreflt)
DRV - [2010/07/30 13:06:08 | 001,331,512 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- F:\WINDOWS\system32\drivers\vsapint.sys -- (vsapint)
DRV - [2010/07/19 14:03:10 | 000,059,472 | ---- | M] () [Kernel | On_Demand | Running] -- F:\WINDOWS\system32\drivers\tmactmon.sys -- (tmactmon)
DRV - [2010/07/19 14:03:00 | 000,051,792 | ---- | M] () [Kernel | On_Demand | Running] -- F:\WINDOWS\system32\drivers\tmevtmgr.sys -- (tmevtmgr)
DRV - [2010/07/19 14:02:54 | 000,163,408 | ---- | M] () [Kernel | Auto | Running] -- F:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2003/09/24 15:02:58 | 000,213,120 | ---- | M] (Roxio) [File_System | System | Running] -- F:\WINDOWS\System32\drivers\UdfReadr_xp.sys -- (UdfReadr_xp)
DRV - [2003/09/24 15:02:58 | 000,146,560 | ---- | M] (Roxio) [File_System | System | Running] -- F:\WINDOWS\System32\drivers\DVDVRRdr_xp.sys -- (DVDVRRdr_xp)
DRV - [2003/09/24 15:02:58 | 000,067,024 | ---- | M] (Roxio) [Kernel | System | Running] -- F:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2003/09/24 15:02:58 | 000,024,698 | ---- | M] (Roxio) [Kernel | System | Running] -- F:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2003/09/24 15:02:56 | 000,260,224 | ---- | M] (Roxio) [File_System | System | Running] -- F:\WINDOWS\System32\drivers\Cdudf_xp.sys -- (cdudf_xp)
DRV - [2003/09/24 15:02:56 | 000,118,409 | ---- | M] (Roxio) [Kernel | System | Running] -- F:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2k)
DRV - [2003/09/24 15:02:56 | 000,022,777 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- F:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2003/09/24 15:02:56 | 000,021,993 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- F:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2003/04/14 16:00:40 | 000,032,512 | ---- | M] (Cypress Semiconductor) [Kernel | On_Demand | Running] -- F:\WINDOWS\system32\drivers\MXOFX.SYS -- (MXOFX) USB Storage Adapter FX (MXO)
DRV - [2001/03/12 16:01:00 | 000,010,741 | ---- | M] (Palm, Inc.) [Kernel | On_Demand | Stopped] -- F:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - [1999/09/10 07:06:00 | 000,025,244 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- F:\WINDOWS\System32\drivers\aspi32.sys -- (Aspi32)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2025429265-2077806209-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://online.wsj.com/home-page?mg=com-wsj"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {22181a4d-af90-4ca3-a569-faed9118d6bc}:1.6.0.1161

FF - HKLM\software\mozilla\Firefox\extensions\\{22C7F6C6-8D67-4534-92B5-529A0EC09405}: F:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1381\6.5.1234\firefoxextension\
FF - HKLM\software\mozilla\Firefox\extensions\\{22181a4d-af90-4ca3-a569-faed9118d6bc}: F:\Program Files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension [2011/03/19 14:15:05 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Components: F:\Program Files\Mozilla Firefox\components [2011/03/12 19:27:05 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Plugins: F:\Program Files\Mozilla Firefox\plugins [2011/03/12 19:27:05 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.9\extensions\\Components: F:\Program Files\Mozilla Thunderbird\components [2011/03/12 18:55:48 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.9\extensions\\Plugins: F:\Program Files\Mozilla Thunderbird\plugins

[2010/10/25 19:46:37 | 000,000,000 | ---D | M] (No name found) -- F:\Documents and Settings\Alan\Application Data\Mozilla\Extensions
[2010/10/25 19:46:37 | 000,000,000 | ---D | M] (No name found) -- F:\Documents and Settings\Alan\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010/11/04 13:11:54 | 000,000,000 | ---D | M] (No name found) -- F:\Documents and Settings\Alan\Application Data\Mozilla\Firefox\Profiles\2b0y7odi.default\extensions
[2011/03/19 19:07:34 | 000,000,000 | ---D | M] (No name found) -- F:\Program Files\Mozilla Firefox\extensions
[2010/10/25 21:49:05 | 000,000,000 | ---D | M] (Java Console) -- F:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/10/25 21:48:57 | 000,000,000 | ---D | M] (Java Quick Starter) -- F:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/03/19 14:15:05 | 000,000,000 | ---D | M] (Trend Micro Toolbar) -- F:\PROGRAM FILES\TREND MICRO\TRENDSECURE\TISPROTOOLBAR\FIREFOXEXTENSION
[2010/10/25 21:48:56 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- F:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2004/08/04 08:00:00 | 000,000,734 | ---- | M]) - F:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (TSToolbarBHO) - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - F:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll (Trend Micro Inc.)
O3 - HKLM\..\Toolbar: (Trend Micro Toolbar) - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - F:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll (Trend Micro Inc.)
O4 - HKLM..\Run: [CanonMyPrinter] F:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] F:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [DNS7reminder] F:\Program Files\Nuance\NaturallySpeaking11\Ereg\Ereg.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [IJNetworkScanUtility] F:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe (CANON INC.)
O4 - HKLM..\Run: [MXO Auto Loader] F:\WINDOWS\MXOALDR.EXE (Cypress Semiconductor)
O4 - HKLM..\Run: [Nikon Transfer Monitor] F:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
O4 - HKLM..\Run: [NvCplDaemon] F:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] F:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] F:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
O4 - HKLM..\Run: [RoxioEngineUtility] F:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe (Roxio)
O4 - HKLM..\Run: [UfSeAgnt.exe] F:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe ()
O4 - HKU\S-1-5-21-2025429265-2077806209-725345543-1003..\Run: [ISUSPM] F:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe (Acresso Corporation)
O4 - HKU\S-1-5-21-2025429265-2077806209-725345543-1003..\Run: [OE] F:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
O4 - Startup: F:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.LNK = F:\Palm\HOTSYNC.EXE (Palm, Inc.)
O4 - Startup: F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2025429265-2077806209-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 71.242.0.12 71.252.0.12
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\tmtb {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - F:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll (Trend Micro Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - F:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: F:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: F:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/10/25 15:50:32 | 000,000,000 | ---- | M] () - G:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk /r \??\G:) - File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/16 10:52:16 | 000,000,000 | ---D | C] -- F:\Documents and Settings\Alan\Start Menu\Programs\HiJackThis
[2011/03/15 15:39:10 | 000,000,000 | ---D | C] -- F:\Documents and Settings\Alan\.unlimitedftp
[2011/03/14 21:18:20 | 000,000,000 | ---D | C] -- F:\Documents and Settings\Alan\Application Data\MozillaControl
[2011/03/14 21:10:49 | 000,000,000 | ---D | C] -- F:\Documents and Settings\Alan\Start Menu\Programs\H&R Block Business 2010
[2011/03/14 21:10:29 | 000,000,000 | ---D | C] -- F:\Program Files\H&R Block Business 2010
[2011/03/04 11:49:48 | 000,000,000 | ---D | C] -- F:\Documents and Settings\Alan\Application Data\Malwarebytes
[2011/03/04 11:49:38 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- F:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/03/04 11:49:38 | 000,000,000 | ---D | C] -- F:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/03/04 11:49:37 | 000,000,000 | ---D | C] -- F:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/03/04 11:49:34 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- F:\WINDOWS\System32\drivers\mbam.sys
[2011/03/04 11:49:28 | 000,000,000 | ---D | C] -- F:\Program Files\Malwarebytes' Anti-Malware
[2011/02/21 22:39:42 | 000,007,552 | ---- | C] (Sony Corporation) -- F:\WINDOWS\System32\dllcache\sonypvu1.sys
[3 F:\WINDOWS\*.tmp files -> F:\WINDOWS\*.tmp -> ]
[1 F:\WINDOWS\System32\*.tmp files -> F:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/22 09:00:03 | 000,000,442 | ---- | M] () -- F:\WINDOWS\tasks\RMSmartUpdate.job
[2011/03/21 16:22:25 | 000,000,054 | ---- | M] () -- F:\WINDOWS\CmdFile.INI
[2011/03/21 14:25:15 | 000,001,425 | ---- | M] () -- F:\WINDOWS\QUICKEN.INI
[2011/03/19 14:15:18 | 000,000,312 | -HS- | M] () -- F:\WINDOWS\tasks\enpdgb.job
[2011/03/19 14:15:17 | 000,013,646 | ---- | M] () -- F:\WINDOWS\System32\wpa.dbl
[2011/03/19 14:15:14 | 000,002,048 | --S- | M] () -- F:\WINDOWS\bootstat.dat
[2011/03/16 12:52:22 | 000,002,445 | ---- | M] () -- F:\Documents and Settings\Alan\Desktop\HiJackThis.lnk
[2011/03/16 11:03:27 | 000,243,128 | ---- | M] () -- F:\WINDOWS\System32\FNTCACHE.DAT
[2011/03/14 21:17:43 | 000,392,626 | ---- | M] () -- F:\WINDOWS\System32\perfh009.dat
[2011/03/14 21:17:43 | 000,058,800 | ---- | M] () -- F:\WINDOWS\System32\perfc009.dat
[2011/03/14 21:10:49 | 000,000,840 | ---- | M] () -- F:\Documents and Settings\Alan\Desktop\H&R Block Business 2010.LNK
[2011/03/06 11:08:54 | 000,000,952 | -HS- | M] () -- F:\WINDOWS\System32\KGyGaAvL.sys
[2011/03/04 11:49:38 | 000,000,784 | ---- | M] () -- F:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/03/03 13:14:22 | 000,002,275 | ---- | M] () -- F:\Documents and Settings\Alan\Application Data\SAS7_000.DAT
[2011/03/03 11:43:10 | 002,498,560 | ---- | M] () -- F:\Documents and Settings\Alan\s-1-5-21-2025429265-2077806209-725345543-1003.rrr
[2011/02/23 11:46:37 | 000,135,168 | RHS- | M] () -- F:\WINDOWS\System32\bootvid4.dll
[3 F:\WINDOWS\*.tmp files -> F:\WINDOWS\*.tmp -> ]
[1 F:\WINDOWS\System32\*.tmp files -> F:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/16 10:52:16 | 000,002,445 | ---- | C] () -- F:\Documents and Settings\Alan\Desktop\HiJackThis.lnk
[2011/03/14 21:10:49 | 000,000,840 | ---- | C] () -- F:\Documents and Settings\Alan\Desktop\H&R Block Business 2010.LNK
[2011/03/04 11:49:38 | 000,000,784 | ---- | C] () -- F:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/02/23 11:46:38 | 000,000,312 | -HS- | C] () -- F:\WINDOWS\tasks\enpdgb.job
[2011/02/23 11:46:37 | 000,135,168 | RHS- | C] () -- F:\WINDOWS\System32\bootvid4.dll
[2011/02/14 23:59:47 | 000,037,336 | ---- | C] () -- F:\WINDOWS\System32\CleanMFT32.exe
[2011/02/04 12:51:18 | 000,163,408 | ---- | C] () -- F:\WINDOWS\System32\drivers\tmcomm.sys
[2011/02/04 12:51:18 | 000,059,472 | ---- | C] () -- F:\WINDOWS\System32\drivers\tmactmon.sys
[2011/02/04 12:51:18 | 000,051,792 | ---- | C] () -- F:\WINDOWS\System32\drivers\tmevtmgr.sys
[2011/02/01 14:20:40 | 000,000,082 | ---- | C] () -- F:\WINDOWS\TmProxy.ini
[2011/02/01 14:20:40 | 000,000,082 | ---- | C] () -- F:\WINDOWS\TmPfw.ini
[2011/02/01 14:20:40 | 000,000,018 | ---- | C] () -- F:\WINDOWS\aucfg.ini
[2011/01/24 01:33:52 | 000,000,056 | -H-- | C] () -- F:\WINDOWS\System32\ezsidmv.dat
[2011/01/19 14:52:30 | 000,000,133 | ---- | C] () -- F:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
[2010/12/02 16:49:09 | 000,000,080 | -HS- | C] () -- F:\Documents and Settings\All Users\Application Data\.zreglib
[2010/11/18 14:25:08 | 000,002,275 | ---- | C] () -- F:\Documents and Settings\Alan\Application Data\SAS7_000.DAT
[2010/11/11 12:20:54 | 000,000,000 | ---- | C] () -- F:\WINDOWS\ViewNX.INI
[2010/11/10 18:53:10 | 000,000,000 | ---- | C] () -- F:\WINDOWS\ViewNX2.INI
[2010/11/10 12:42:02 | 000,000,268 | RH-- | C] () -- F:\Documents and Settings\All Users\Application Data\Sampler
[2010/11/10 12:42:02 | 000,000,268 | RH-- | C] () -- F:\Documents and Settings\Alan\Application Data\Rock
[2010/11/10 12:42:02 | 000,000,020 | -H-- | C] () -- F:\Documents and Settings\All Users\Application Data\PKP_DLdw.DAT
[2010/11/09 22:05:33 | 000,000,268 | RH-- | C] () -- F:\Documents and Settings\All Users\Application Data\Services
[2010/11/09 22:05:33 | 000,000,268 | RH-- | C] () -- F:\Documents and Settings\All Users\Application Data\Scripts Menu
[2010/11/09 22:05:33 | 000,000,268 | RH-- | C] () -- F:\Documents and Settings\Alan\Application Data\Sci-Fi
[2010/11/09 22:05:33 | 000,000,268 | RH-- | C] () -- F:\Documents and Settings\Alan\Application Data\Sampler Instruments
[2010/11/09 22:05:33 | 000,000,020 | -H-- | C] () -- F:\Documents and Settings\All Users\Application Data\PKP_DLev.DAT
[2010/11/09 22:05:33 | 000,000,020 | -H-- | C] () -- F:\Documents and Settings\All Users\Application Data\PKP_DLes.DAT
[2010/11/09 22:05:32 | 000,000,268 | RH-- | C] () -- F:\Documents and Settings\All Users\Application Data\Screen Savers
[2010/11/09 22:05:32 | 000,000,268 | RH-- | C] () -- F:\Documents and Settings\Alan\Application Data\Sampler Files
[2010/11/09 22:05:32 | 000,000,020 | -H-- | C] () -- F:\Documents and Settings\All Users\Application Data\PKP_DLet.DAT
[2010/11/09 19:47:42 | 000,000,268 | RH-- | C] () -- F:\Documents and Settings\All Users\Application Data\Rule Actions
[2010/11/09 19:47:42 | 000,000,268 | RH-- | C] () -- F:\Documents and Settings\Alan\Application Data\Reverb
[2010/11/09 19:47:42 | 000,000,020 | -H-- | C] () -- F:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2010/11/07 12:54:53 | 000,007,680 | ---- | C] () -- F:\Documents and Settings\Alan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/11/06 12:18:31 | 000,000,054 | ---- | C] () -- F:\WINDOWS\CmdFile.INI
[2010/11/01 13:20:14 | 000,000,376 | ---- | C] () -- F:\WINDOWS\ODBC.INI
[2010/10/27 14:32:24 | 000,000,191 | ---- | C] () -- F:\WINDOWS\PowerReg.dat
[2010/10/26 18:41:45 | 000,000,078 | ---- | C] () -- F:\WINDOWS\qwimp.ini
[2010/10/26 18:41:44 | 000,000,510 | ---- | C] () -- F:\WINDOWS\intuprof.ini
[2010/10/26 18:39:55 | 000,001,425 | ---- | C] () -- F:\WINDOWS\QUICKEN.INI
[2010/10/26 17:42:28 | 000,000,952 | -HS- | C] () -- F:\WINDOWS\System32\KGyGaAvL.sys
[2010/10/26 15:58:08 | 000,232,968 | ---- | C] () -- F:\WINDOWS\System32\nvdrsdb0.bin
[2010/10/26 15:58:05 | 000,232,968 | ---- | C] () -- F:\WINDOWS\System32\nvdrsdb1.bin
[2010/10/26 15:58:05 | 000,000,001 | ---- | C] () -- F:\WINDOWS\System32\nvdrssel.bin
[2010/10/25 21:49:09 | 000,000,664 | ---- | C] () -- F:\WINDOWS\System32\d3d9caps.dat
[2010/10/25 19:35:42 | 000,000,000 | ---- | C] () -- F:\WINDOWS\nsreg.dat
[2010/10/25 15:52:23 | 000,002,048 | --S- | C] () -- F:\WINDOWS\bootstat.dat
[2010/10/25 15:48:01 | 000,021,640 | ---- | C] () -- F:\WINDOWS\System32\emptyregdb.dat
[2010/10/25 11:28:41 | 000,004,161 | ---- | C] () -- F:\WINDOWS\ODBCINST.INI
[2010/10/25 11:27:36 | 000,243,128 | ---- | C] () -- F:\WINDOWS\System32\FNTCACHE.DAT
[2010/07/10 05:38:00 | 002,195,030 | ---- | C] () -- F:\WINDOWS\System32\nvdata.bin
[2004/08/04 08:00:00 | 013,107,200 | ---- | C] () -- F:\WINDOWS\System32\oembios.bin
[2004/08/04 08:00:00 | 000,673,088 | ---- | C] () -- F:\WINDOWS\System32\mlang.dat
[2004/08/04 08:00:00 | 000,392,626 | ---- | C] () -- F:\WINDOWS\System32\perfh009.dat
[2004/08/04 08:00:00 | 000,272,128 | ---- | C] () -- F:\WINDOWS\System32\perfi009.dat
[2004/08/04 08:00:00 | 000,218,003 | ---- | C] () -- F:\WINDOWS\System32\dssec.dat
[2004/08/04 08:00:00 | 000,058,800 | ---- | C] () -- F:\WINDOWS\System32\perfc009.dat
[2004/08/04 08:00:00 | 000,046,258 | ---- | C] () -- F:\WINDOWS\System32\mib.bin
[2004/08/04 08:00:00 | 000,028,626 | ---- | C] () -- F:\WINDOWS\System32\perfd009.dat
[2004/08/04 08:00:00 | 000,027,440 | ---- | C] () -- F:\WINDOWS\System32\drivers\secdrv.sys
[2004/08/04 08:00:00 | 000,004,569 | ---- | C] () -- F:\WINDOWS\System32\secupd.dat
[2004/08/04 08:00:00 | 000,004,461 | ---- | C] () -- F:\WINDOWS\System32\oembios.dat
[2004/08/04 08:00:00 | 000,001,788 | ---- | C] () -- F:\WINDOWS\System32\Dcache.bin
[2004/08/04 08:00:00 | 000,000,741 | ---- | C] () -- F:\WINDOWS\System32\noise.dat
[1999/01/22 13:46:58 | 000,065,536 | ---- | C] () -- F:\WINDOWS\System32\MSRTEDIT.DLL
[1998/01/12 04:00:00 | 000,040,448 | ---- | C] () -- F:\WINDOWS\System32\REGOBJ.DLL

========== Alternate Data Streams ==========

@Alternate Data Stream - 233 bytes -> F:\Documents and Settings\All Users\Application Data\TEMP:0FF263E8
@Alternate Data Stream - 140 bytes -> F:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1

< End of report >


OTL Extras logfile created on: 3/22/2011 12:39:17 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = F:\Documents and Settings\Alan\My Documents\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 56.00% Memory free
5.00 Gb Paging File | 3.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): F:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = F: | %SystemRoot% = F:\WINDOWS | %ProgramFiles% = F:\Program Files
Drive C: | 931.51 Gb Total Space | 661.73 Gb Free Space | 71.04% Space Free | Partition Type: NTFS
Drive F: | 298.08 Gb Total Space | 283.41 Gb Free Space | 95.08% Space Free | Partition Type: NTFS
Drive G: | 111.79 Gb Total Space | 0.14 Gb Free Space | 0.13% Space Free | Partition Type: NTFS

Computer Name: DAD | User Name: Alan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-2025429265-2077806209-725345543-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- F:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"F:\Program Files\Retrospect\Retrospect 7.7\Retrospect.exe" = F:\Program Files\Retrospect\Retrospect 7.7\Retrospect.exe:*:Enabled:Retrospect -- (Sonic Solutions)
"F:\WINDOWS\system32\mmc.exe" = F:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Disc 2
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX870_series" = Canon MX870 series MP Drivers
"{15C77FC3-8137-4A5E-8F81-F559045DD6B0}" = Shipping Assistant 3.7
"{1A15507A-8551-4626-915D-3D5FA095CC1B}" = Corel Paint Shop Pro X
"{1FD35451-F1E2-4D19-8C7E-DFAE65F9D7BF}" = Retrospect 7.7
"{237CD223-1B9D-47E8-A76C-E478B83CCEA2}" = File Uploader
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 20
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3EC91FDF-FE9A-43D5-96C4-8A9C24372500}" = Maxtor OneTouch
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A5A427F-BA39-4BF0-9999-9A47FBE60C9F}" = Visual C++ 9.0 Runtime for Dragon NaturallySpeaking
"{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8}" = Quicken 2004
"{644F9DBE-CEDB-45AF-ACB8-E26692B74F62}" = Easy CD & DVD Creator 6
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{718D791F-F4E8-4aa7-98A6-15FDED17BDD0}" = Trend Micro Internet Security Pro
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{87441A59-5E64-4096-A170-14EFE67200C3}" = Picture Control Utility
"{8927E07C-97F7-4A54-88FB-D976F50DD46E}" = Turbo Lister 2
"{90AACECD-1E42-4D22-ABAD-7FB9B67B262D}" = H&R Block Premium + Efile + State 2009
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9D2B0322-44AE-460E-9283-4D2D7A9205AE}" = Trend Micro Internet Security Pro
"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.0
"{B014EE44-9197-4513-9613-71E6EB1B514E}" = Nikon Message Center 2
"{BA0F44C2-A883-11D1-AD0A-006097D15E2C}" = Palm Desktop
"{D1E7142C-6BC3-49EB-A71A-E5D7ADAC7599}" = Nikon File Uploader 2
"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center
"{DDD62492-32A7-412B-8AF1-2CF032AD42E3}" = ViewNX 2
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.1
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{E9757890-7EC5-46C8-99AB-B00F07B6525C}" = Nikon Transfer
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{EFFA53BC-8C04-2E21-3D90-A13B1697B0CA}" = Dragon NaturallySpeaking 11
"{F007CBCE-D714-4C0B-8CE9-9B0D78116468}" = ViewNX
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AnyDVD" = AnyDVD
"Art-Monet Screensaver" = Art-Monet Screensaver
"Canon_IJ_Network_Scan_UTILITY" = Canon IJ Network Scan Utility
"Canon_IJ_Network_UTILITY" = Canon IJ Network Tool
"CanonMyPrinter" = Canon Utilities My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"CCH Small Firm Services (xulRunner)" = CCH Small Firm Services (xulRunner)
"H&R Block Business 2009" = H&R Block Business 2009 (Remove Only)
"H&R Block Business 2010" = H&R Block Business 2010 (Remove Only)
"ie8" = Windows Internet Explorer 8
"InstallShield_{3EC91FDF-FE9A-43D5-96C4-8A9C24372500}" = Maxtor OneTouch
"InstallShield_{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8}" = Quicken 2004
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Mozilla Firefox (3.6.15)" = Mozilla Firefox (3.6.15)
"Mozilla Thunderbird (3.1.9)" = Mozilla Thunderbird (3.1.9)
"MP Navigator EX 3.1" = Canon MP Navigator EX 3.1
"MXOFX" = USB Storage Adapter FX (MXO)
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"Registry Mechanic_is1" = Registry Mechanic 10.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2025429265-2077806209-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"ETHERCD_UNINST_KEY" = Fast EtherLink XL and EtherLink XL PCI NIC User Guide
"PocketMirror" = PocketMirror 3.0.2 (Standard Edition)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/10/2011 2:59:25 PM | Computer Name = DAD | Source = MsiInstaller | ID = 11706
Description = Product: Corel Paint Shop Pro X -- Error 1706.No valid source could
be found for product Corel Paint Shop Pro X. The Windows Installer cannot continue.

Error - 3/10/2011 2:59:38 PM | Computer Name = DAD | Source = MsiInstaller | ID = 11706
Description = Product: Corel Paint Shop Pro X -- Error 1706.No valid source could
be found for product Corel Paint Shop Pro X. The Windows Installer cannot continue.

Error - 3/10/2011 2:59:43 PM | Computer Name = DAD | Source = MsiInstaller | ID = 11706
Description = Product: Corel Paint Shop Pro X -- Error 1706.No valid source could
be found for product Corel Paint Shop Pro X. The Windows Installer cannot continue.

Error - 3/10/2011 2:59:56 PM | Computer Name = DAD | Source = MsiInstaller | ID = 11706
Description = Product: Corel Paint Shop Pro X -- Error 1706.No valid source could
be found for product Corel Paint Shop Pro X. The Windows Installer cannot continue.

Error - 3/10/2011 3:00:02 PM | Computer Name = DAD | Source = MsiInstaller | ID = 11706
Description = Product: Corel Paint Shop Pro X -- Error 1706.No valid source could
be found for product Corel Paint Shop Pro X. The Windows Installer cannot continue.

Error - 3/10/2011 3:00:23 PM | Computer Name = DAD | Source = MsiInstaller | ID = 11706
Description = Product: Corel Paint Shop Pro X -- Error 1706.No valid source could
be found for product Corel Paint Shop Pro X. The Windows Installer cannot continue.

Error - 3/14/2011 6:08:29 PM | Computer Name = DAD | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.2.4079, faulting module
msvcr80.dll, version 8.0.50727.4053, fault address 0x0000e7a2.

Error - 3/19/2011 1:15:49 PM | Computer Name = DAD | Source = MsiInstaller | ID = 11706
Description = Product: Corel Paint Shop Pro X -- Error 1706.No valid source could
be found for product Corel Paint Shop Pro X. The Windows Installer cannot continue.

Error - 3/19/2011 1:15:57 PM | Computer Name = DAD | Source = MsiInstaller | ID = 11706
Description = Product: Corel Paint Shop Pro X -- Error 1706.No valid source could
be found for product Corel Paint Shop Pro X. The Windows Installer cannot continue.

Error - 3/19/2011 1:16:03 PM | Computer Name = DAD | Source = MsiInstaller | ID = 11706
Description = Product: Corel Paint Shop Pro X -- Error 1706.No valid source could
be found for product Corel Paint Shop Pro X. The Windows Installer cannot continue.

[ System Events ]
Error - 12/22/2010 3:14:48 AM | Computer Name = DAD | Source = DCOM | ID = 10010
Description = The server {DD100006-6205-11CF-AE61-0000E8A28647} did not register
with DCOM within the required timeout.

Error - 1/17/2011 5:19:22 AM | Computer Name = DAD | Source = DCOM | ID = 10010
Description = The server {548E275F-0290-40E7-B454-738B0C61DE60} did not register
with DCOM within the required timeout.

Error - 1/24/2011 11:15:51 AM | Computer Name = DAD | Source = Service Control Manager | ID = 7000
Description = The mrtRate service failed to start due to the following error: %%2

Error - 1/26/2011 6:59:34 PM | Computer Name = DAD | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.102 for the Network Card with network
address 000C764EEDC7 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 1/26/2011 6:59:39 PM | Computer Name = DAD | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 1/26/2011 6:59:39 PM | Computer Name = DAD | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 2/1/2011 3:04:45 PM | Computer Name = DAD | Source = Service Control Manager | ID = 7000
Description = The mrtRate service failed to start due to the following error: %%2

Error - 2/1/2011 3:50:23 PM | Computer Name = DAD | Source = Service Control Manager | ID = 7034
Description = The Trend Micro Solution Platform service terminated unexpectedly.
It has done this 1 time(s).

Error - 2/2/2011 3:01:08 AM | Computer Name = DAD | Source = DCOM | ID = 10010
Description = The server {DD100006-6205-11CF-AE61-0000E8A28647} did not register
with DCOM within the required timeout.

Error - 2/4/2011 12:45:15 PM | Computer Name = DAD | Source = Service Control Manager | ID = 7000
Description = The mrtRate service failed to start due to the following error: %%2

Thank you for your help

Alan

#7 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 23 March 2011 - 07:51 AM

Hi-

MBAM didn't turn up much.

Let's check your router.


Open Notepad and copy/paste the entire contents of the codebox below into Notepad:
@echo off
>Log1.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
start Log1.txt
del %0

Click on File->Save As. For File Name, enter Router.bat . For Save As Type, select All Files. Save it to your desktop.

Double-click on Router.bat to run it. When finished, it will open a report in Notepad. Please copy that report into your reply. Do not attach it.

Shannon

#8 AAS

  • Topic Starter
  • Members
  • 8 posts

Posted 23 March 2011 - 08:26 AM

Here it is:

Windows IP Configuration

Host Name . . . . . . . . . . . . : dad
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
Physical Address. . . . . . . . . : 00-0C-76-4E-ED-C7
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 71.242.0.12
                                    71.252.0.12
Lease Obtained. . . . . . . . . . : Wednesday, March 23, 2011 2:15:19 AM
Lease Expires . . . . . . . . . . : Thursday, March 24, 2011 2:15:19 AM

Server: nsphil01.verizon.net
Address: 71.242.0.12

Name: google.com
Addresses: 72.14.204.99, 72.14.204.103, 72.14.204.147, 72.14.204.104

Server: nsphil01.verizon.net
Address: 71.242.0.12

Name: yahoo.com
Addresses: 209.191.122.70, 67.195.160.76, 69.147.125.65, 72.30.2.43
           98.137.149.56

Pinging google.com [72.14.204.104] with 32 bytes of data:

Reply from 72.14.204.104: bytes=32 time=33ms TTL=54
Reply from 72.14.204.104: bytes=32 time=33ms TTL=54

Ping statistics for 72.14.204.104:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 33ms, Maximum = 33ms, Average = 33ms

Pinging yahoo.com [72.30.2.43] with 32 bytes of data:

Reply from 72.30.2.43: bytes=32 time=109ms TTL=55
Reply from 72.30.2.43: bytes=32 time=99ms TTL=55

Ping statistics for 72.30.2.43:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 99ms, Maximum = 109ms, Average = 104ms
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 76 4e ed c7 ...... NVIDIA nForce Networking Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.101      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      169.254.0.0      255.255.0.0    192.168.1.101   192.168.1.101       1
      192.168.1.0    255.255.255.0    192.168.1.101   192.168.1.101      20
    192.168.1.101  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.1.255  255.255.255.255    192.168.1.101   192.168.1.101      20
        224.0.0.0        240.0.0.0    192.168.1.101   192.168.1.101      20
  255.255.255.255  255.255.255.255    192.168.1.101   192.168.1.101       1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None


Thanks

Alan
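As an added example (not part of this thread or of Router.bat), here is a Python script that parses the Log1.txt that Router.bat writes and applies the checks a helper makes by eye on that output: every DNS resolver DHCP handed out is either on the LAN (the router) or on a trusted ISP list, nslookup was actually answered by one of those resolvers, and ping went to an address nslookup returned for the same name (ping honours the hosts file, nslookup does not, so a split between them points at a hosts-file or resolver hijack). The sample log and the trusted-resolver list are constructed from the output Alan posted above.

```python
import re
from ipaddress import ip_address, ip_network

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
IPV4_RE = re.compile(IPV4)
# Matches both ipconfig's "Label . . . : value" and nslookup's "Label:  value" lines.
LABEL_RE = re.compile(r"^\s*([A-Za-z][^:]*?)[ .]*:\s*(.*)$")
PING_RE = re.compile(r"^\s*Pinging (\S+) \[(" + IPV4 + r")\]")

# Constructed sample of Router.bat's Log1.txt, mirroring the output posted in this thread.
SAMPLE_LOG = """\
Ethernet adapter Local Area Connection 2:

        IP Address. . . . . . . . . . . . : 192.168.1.101
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 71.242.0.12
                                            71.252.0.12
Server:  nsphil01.verizon.net
Address:  71.242.0.12

Name:    google.com
Addresses:  72.14.204.99, 72.14.204.103, 72.14.204.147, 72.14.204.104

Server:  nsphil01.verizon.net
Address:  71.242.0.12

Name:    yahoo.com
Addresses:  209.191.122.70, 67.195.160.76, 69.147.125.65, 72.30.2.43
          98.137.149.56

Pinging google.com [72.14.204.104] with 32 bytes of data:
Pinging yahoo.com [72.30.2.43] with 32 bytes of data:
"""
TRUSTED_RESOLVERS = ("71.242.0.12", "71.252.0.12")  # ISP resolvers seen in the thread

def parse_ipconfig(log):
    """Pull address, mask, gateway and the DNS resolver list out of the ipconfig /all part."""
    cfg = {"ip": None, "mask": None, "gateway": None, "dns_servers": []}
    keys = {"IP Address": "ip", "Subnet Mask": "mask", "Default Gateway": "gateway"}
    in_dns = False
    for line in log.splitlines():
        m = LABEL_RE.match(line)
        if m:
            label, value = m.groups()
            in_dns = label == "DNS Servers"
            if in_dns:
                cfg["dns_servers"] += IPV4_RE.findall(value)
            elif label in keys and cfg[keys[label]] is None:  # first adapter wins
                cfg[keys[label]] = value
        elif in_dns:  # further resolvers continue on unlabelled, indented lines
            cfg["dns_servers"] += IPV4_RE.findall(line)
    return cfg

def parse_nslookup(log):
    """Return one dict per nslookup answer: queried name, resolver that answered, addresses."""
    queries, resolver_ip, current = [], None, None
    for line in log.splitlines():
        m = LABEL_RE.match(line)
        if not m:
            if current is not None:  # continuation line of a long address list
                current["addresses"] += IPV4_RE.findall(line)
            continue
        label, value = m.groups()
        if label == "Name":
            current = {"name": value, "resolver_ip": resolver_ip, "addresses": []}
            queries.append(current)
        elif label in ("Address", "Addresses") and current is not None:
            current["addresses"] += IPV4_RE.findall(value)
        elif label == "Address":  # the "Address:" following "Server:" is the resolver
            resolver_ip = value
        else:
            current = None  # any other labelled line ends the answer block
    return queries

def parse_pings(log):
    """Map each pinged name to the address ping used; ping honours the hosts file, nslookup does not."""
    return {m.group(1): m.group(2) for m in map(PING_RE.match, log.splitlines()) if m}

def check_router_log(log, trusted_resolvers=TRUSTED_RESOLVERS):
    """Return a list of findings; an empty list means the log is internally consistent."""
    cfg, findings = parse_ipconfig(log), []
    lan = ip_network(f"{cfg['ip']}/{cfg['mask']}", strict=False)
    for dns in cfg["dns_servers"]:
        if ip_address(dns) not in lan and dns not in trusted_resolvers:
            findings.append(f"resolver {dns} is neither on the LAN nor a trusted ISP resolver")
    answers = {}
    for q in parse_nslookup(log):
        answers.setdefault(q["name"], set()).update(q["addresses"])
        if q["resolver_ip"] not in cfg["dns_servers"]:
            findings.append(f"nslookup for {q['name']} answered by {q['resolver_ip']}, not a configured resolver")
    for name, addr in parse_pings(log).items():
        if name in answers and addr not in answers[name]:
            findings.append(f"ping sent {name} to {addr}, which nslookup never returned (hosts file or resolver hook?)")
    return findings

if __name__ == "__main__":
    print("\n".join(check_router_log(SAMPLE_LOG) or ["no inconsistencies found"]))
```

To use it on a real Log1.txt, read the file and pass its text to check_router_log with your own ISP's resolvers as trusted_resolvers.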

#9 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 23 March 2011 - 08:57 AM

Hi-

The router check didn't show any problems. Have to dig deeper.

First, please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.21.0) from Kaspersky's website.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
  • If TDSSKiller does not run, try renaming it.

    To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.

  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. C:\TDSSKiller.2.4.21_23.07.2010_15.31.43_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
Next, please download MBRCheck by clicking here and save it to your desktop.
  • Be sure to disable your security programs.
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt).
  • A window will open on your desktop.
  • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter.
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
  • Please post the contents of that file in your next reply.

In your reply, copy in the TDSSKiller and the MBRCheck reports.

Shannon

#10 AAS

  • Topic Starter
  • Members
  • 8 posts

Posted 23 March 2011 - 09:15 AM

The Kaspersky routine did not find anything but the MBR did flag several items:

2011/03/23 10:07:00.0375 4240 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/23 10:07:00.0593 4240 ================================================================================
2011/03/23 10:07:00.0593 4240 SystemInfo:
2011/03/23 10:07:00.0593 4240
2011/03/23 10:07:00.0593 4240 OS Version: 5.1.2600 ServicePack: 2.0
2011/03/23 10:07:00.0593 4240 Product type: Workstation
2011/03/23 10:07:00.0593 4240 ComputerName: DAD
2011/03/23 10:07:00.0593 4240 UserName: Alan
2011/03/23 10:07:00.0593 4240 Windows directory: F:\WINDOWS
2011/03/23 10:07:00.0593 4240 System windows directory: F:\WINDOWS
2011/03/23 10:07:00.0593 4240 Processor architecture: Intel x86
2011/03/23 10:07:00.0593 4240 Number of processors: 1
2011/03/23 10:07:00.0593 4240 Page size: 0x1000
2011/03/23 10:07:00.0593 4240 Boot type: Normal boot
2011/03/23 10:07:00.0593 4240 ================================================================================
2011/03/23 10:07:06.0109 4240 Initialize success
2011/03/23 10:07:16.0250 5812 ================================================================================
2011/03/23 10:07:16.0250 5812 Scan started
2011/03/23 10:07:16.0250 5812 Mode: Manual;
2011/03/23 10:07:16.0250 5812 ================================================================================
2011/03/23 10:07:26.0015 5812 vsapint (bbdd84ca629c1f7c8172b4405867f196) F:\WINDOWS\system32\DRIVERS\vsapint.sys
2011/03/23 10:07:26.0171 5812 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) F:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/03/23 10:07:26.0265 5812 wdmaud (2797f33ebf50466020c430ee4f037933) F:\WINDOWS\system32\drivers\wdmaud.sys
2011/03/23 10:07:26.0359 5812 WSTCODEC (d5842484f05e12121c511aa93f6439ec) F:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/03/23 10:07:26.0796 5812 ================================================================================
2011/03/23 10:07:26.0796 5812 Scan finished
2011/03/23 10:07:26.0796 5812 ================================================================================
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000007c

Kernel Drivers (total 142):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806CE000 \WINDOWS\system32\hal.dll
0xB85A8000 \WINDOWS\system32\KDCOM.DLL
0xB84B8000 \WINDOWS\system32\BOOTVID.dll
0xB7F79000 ACPI.sys
0xB85AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB7F68000 pci.sys
0xB80A8000 isapnp.sys
0xB80B8000 ohci1394.sys
0xB80C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xB84BC000 compbatt.sys
0xB84C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xB8670000 pciide.sys
0xB8328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xB80D8000 MountMgr.sys
0xB7F49000 ftdisk.sys
0xB85AC000 dmload.sys
0xB7F23000 dmio.sys
0xB8330000 PartMgr.sys
0xB80E8000 VolSnap.sys
0xB7F0B000 atapi.sys
0xB80F8000 disk.sys
0xB8108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB7EEC000 fltMgr.sys
0xB7EDA000 sr.sys
0xB7EC3000 KSecDD.sys
0xB7E36000 Ntfs.sys
0xB7E09000 NDIS.sys
0xB7DEE000 Mup.sys
0xB8178000 \SystemRoot\system32\DRIVERS\processr.sys
0xB8378000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xB7D6D000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xB8380000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB8188000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB7D54000 \SystemRoot\System32\Drivers\AnyDVD.sys
0xB7D43000 \SystemRoot\System32\Drivers\Cdr4_xp.SYS
0xB8198000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB81A8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB7D20000 \SystemRoot\system32\DRIVERS\ks.sys
0xB8390000 \SystemRoot\System32\Drivers\Cdralw2k.SYS
0xB7D03000 \SystemRoot\System32\Drivers\pwd_2k.SYS
0xB81B8000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xB8550000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
0xB7CC3000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
0xB7C90000 \SystemRoot\system32\DRIVERS\NVSNPU.SYS
0xB7273000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB725F000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB83A8000 \SystemRoot\system32\DRIVERS\fdc.sys
0xB81C8000 \SystemRoot\system32\DRIVERS\serial.sys
0xB8554000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB724B000 \SystemRoot\system32\DRIVERS\parport.sys
0xB81D8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB83B0000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB875A000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB81E8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB8558000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB7234000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB81F8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB8208000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB83B8000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB7223000 \SystemRoot\system32\DRIVERS\psched.sys
0xB8218000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB83C0000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB83C8000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB71CA000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB8228000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB83D0000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB85B4000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB70F6000 \SystemRoot\system32\DRIVERS\update.sys
0xB8574000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB6F3E000 \SystemRoot\system32\DRIVERS\TM_CFW.sys
0xB83E0000 \SystemRoot\System32\Drivers\dvd_2K.SYS
0xB83F0000 \SystemRoot\System32\Drivers\mmc_2K.SYS
0xB8258000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB8268000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB85BA000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB8278000 \SystemRoot\system32\DRIVERS\NVENETFD.sys
0xB85BE000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB87BC000 \SystemRoot\System32\Drivers\Null.SYS
0xB85C0000 \SystemRoot\System32\Drivers\Beep.SYS
0xB8418000 \SystemRoot\System32\drivers\vga.sys
0xB85C2000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xB85C4000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB4D1E000 \SystemRoot\System32\Drivers\cdudf_xp.SYS
0xB4CE8000 \SystemRoot\System32\Drivers\DVDVRRdr_xp.SYS
0xB8428000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB8430000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB4C79000 \SystemRoot\System32\Drivers\UdfReadr_xp.SYS
0xB6F3A000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB4C54000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB4BFC000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB4BD4000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB4BB2000 \SystemRoot\System32\drivers\afd.sys
0xB82D8000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB4B9D000 \SystemRoot\system32\DRIVERS\tmtdi.sys
0xB4B7C000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB82E8000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB4B50000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB4AB9000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB82F8000 \SystemRoot\System32\Drivers\Fips.SYS
0xB8308000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xB8318000 \SystemRoot\System32\Drivers\ElbyCDIO.sys
0xB8480000 \SystemRoot\system32\DRIVERS\MXOFX.SYS
0xB84A8000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB84B0000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xB49DD000 \SystemRoot\System32\Drivers\usbvideo.sys
0xB71AA000 \SystemRoot\system32\drivers\usbaudio.sys
0xB719A000 \SystemRoot\system32\drivers\drmk.sys
0xB6EC9000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB718A000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xB8388000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB6EC1000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xB8398000 \SystemRoot\system32\DRIVERS\HidBatt.sys
0xB49C5000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xB85E0000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB83A0000 \SystemRoot\System32\watchdog.sys
0xB4CBA000 \SystemRoot\System32\drivers\Dxapi.sys
0xBD000000 \SystemRoot\System32\drivers\dxg.sys
0xB87DE000 \SystemRoot\System32\drivers\dxgthk.sys
0xBD012000 \SystemRoot\System32\nv4_disp.dll
0xB715A000 \SystemRoot\system32\DRIVERS\tmpreflt.sys
0xB44A1000 \SystemRoot\system32\DRIVERS\vsapint.sys
0xB4455000 \SystemRoot\system32\DRIVERS\tmxpflt.sys
0xB45FD000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB4120000 \SystemRoot\system32\drivers\wdmaud.sys
0xB42BD000 \SystemRoot\system32\drivers\sysaudio.sys
0xB4165000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB3EC2000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB85B0000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB3E95000 \??\F:\WINDOWS\system32\drivers\tmcomm.sys
0xB3EF7000 \SystemRoot\System32\Drivers\Aspi32.SYS
0xB3C62000 \SystemRoot\system32\DRIVERS\srv.sys
0xB39F1000 \SystemRoot\System32\Drivers\HTTP.sys
0xB3981000 \??\F:\WINDOWS\system32\drivers\tmevtmgr.sys
0xB35F3000 \??\F:\WINDOWS\system32\drivers\tmactmon.sys
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB2D8E000 \??\F:\DOCUME~1\Alan\LOCALS~1\Temp\mbr.sys
0xB22BF000 \??\F:\DOCUME~1\Alan\LOCALS~1\Temp\pxtdapow.sys
0xB1C61000 \SystemRoot\system32\drivers\kmixer.sys
0xB1C4F000 \SystemRoot\system32\drivers\klmd.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 57):
0 System Idle Process
4 System
892 F:\WINDOWS\system32\smss.exe
1036 csrss.exe
1064 F:\WINDOWS\system32\winlogon.exe
1108 F:\WINDOWS\system32\services.exe
1120 F:\WINDOWS\system32\lsass.exe
1324 F:\WINDOWS\system32\nvsvc32.exe
1396 F:\WINDOWS\system32\svchost.exe
1440 svchost.exe
1564 F:\WINDOWS\system32\svchost.exe
1644 svchost.exe
1864 svchost.exe
196 F:\WINDOWS\explorer.exe
288 F:\WINDOWS\system32\spoolsv.exe
360 F:\WINDOWS\system32\rundll32.exe
584 F:\Program Files\Common Files\Java\Java Update\jusched.exe
592 F:\WINDOWS\MXOALDR.EXE
616 F:\WINDOWS\system32\rundll32.exe
636 F:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
808 F:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
880 F:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
940 F:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
952 F:\WINDOWS\system32\ctfmon.exe
992 F:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe
1016 F:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
1512 F:\Palm\HOTSYNC.EXE
1540 F:\Program Files\Common Files\Nuance\dgnsvc.exe
1708 F:\Program Files\Java\jre6\bin\jqs.exe
1732 F:\Program Files\Microsoft Office\Office\1033\MSOFFICE.EXE
1780 F:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
2008 F:\Program Files\Retrospect\Retrospect 7.7\retrorun.exe
388 F:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
1352 F:\WINDOWS\system32\svchost.exe
464 F:\WINDOWS\system32\MsPMSPSv.exe
2424 alg.exe
2996 F:\WINDOWS\system32\svchost.exe
3164 F:\Program Files\Trend Micro\Internet Security\TmProxy.exe
3172 F:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
3248 F:\Program Files\Trend Micro\Internet Security\TmPfw.exe
1892 F:\Program Files\Trend Micro\BM\TMBMSRV.exe
2876 F:\Program Files\Mozilla Firefox\firefox.exe
4088 F:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
3604 F:\Program Files\Trend Micro\TrendSecure\TISProToolbar\platformdependent\ProToolbarComm.exe
2968 F:\Program Files\Common Files\Java\Java Update\jucheck.exe
3924 F:\WINDOWS\system32\wuauclt.exe
3884 F:\Program Files\Mozilla Thunderbird\thunderbird.exe
3484 F:\Program Files\Mozilla Firefox\plugin-container.exe
2776 F:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
2708 F:\Program Files\Trend Micro\Internet Security\TMAS_OL\TMAS_OL.exe
3764 F:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\agent.exe
4044 F:\Program Files\Quicken\qw.exe
1560 F:\Program Files\Corel\Corel Paint Shop Pro X\Paint Shop Pro X.exe
1556 F:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
4488 F:\WINDOWS\system32\notepad.exe
1704 F:\TEMP\TDskiller\TDSSKiller.exe
5908 F:\Documents and Settings\Alan\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\G: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive1 Model Number: WDCWD1001FALS-75J7B0, Rev: 05.00K05
PhysicalDrive0 Model Number: WDCWD3200AAKS-00UU3A0, Rev: 01.03B01
PhysicalDrive2 Model Number: MaxtorOneTouch, Rev: 0201

Size Device Name MBR Status
--------------------------------------------
931 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
298 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
114 GB \\.\PhysicalDrive2 Unknown MBR code
SHA1: AC7F2D4B4E6D4785255BA8207A7D983068D87205


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

Thanks

Alan

#11 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 23 March 2011 - 11:45 AM

Hi-

Both of those scans came up clean. MBRCheck did see that the G: drive did not have a standard XP MBR, which is not unusual for pre-formatted non-system drives.

Download Combofix from either of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: how-to-use-combofix

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable your Anti-virus

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please copy the "C:\ComboFix.txt" into your reply.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

In your reply, please copy in the ComboFix report and let me know how your computer is doing.
Shannon

#12 AAS

  • Topic Starter
  • Members
  • 8 posts

Posted 23 March 2011 - 12:47 PM

Shannon:

Followed instructions - seemed to run as expected - here is the log file:

ComboFix 11-03-22.09 - Alan 03/23/2011 13:37:39.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2815.2141 [GMT -4:00]
Running from: f:\documents and settings\Alan\My Documents\Downloads\ComboFix.exe
AV: Trend Micro Internet Security Pro *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *Disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
f:\documents and settings\All Users\Application Data\Services
.
.
((((((((((((((((((((((((( Files Created from 2011-02-23 to 2011-03-23 )))))))))))))))))))))))))))))))
.
.
2011-03-20 21:07 . 2011-03-21 13:31 301568 ----a-w- f:\temp\gmer.exe
2011-03-16 14:52 . 2011-03-16 14:52 388096 ----a-r- f:\documents and settings\Alan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-03-15 19:39 . 2011-03-15 19:40 -------- d-----w- f:\documents and settings\Alan\.unlimitedftp
2011-03-15 01:18 . 2011-03-15 01:18 -------- d-----w- f:\documents and settings\Alan\Application Data\MozillaControl
2011-03-15 01:10 . 2011-03-15 01:23 -------- d-----w- f:\program files\H&R Block Business 2010
2011-03-10 16:27 . 2011-03-23 14:05 1377112 ----a-w- f:\temp\TDskiller\TDSSKiller.exe
2011-03-04 15:49 . 2011-03-04 15:49 -------- d-----w- f:\documents and settings\Alan\Application Data\Malwarebytes
2011-03-04 15:49 . 2010-12-20 23:09 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
2011-03-04 15:49 . 2011-03-04 15:49 -------- d-----w- f:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-04 15:49 . 2010-12-20 23:08 20952 ----a-w- f:\windows\system32\drivers\mbam.sys
2011-03-04 15:49 . 2011-03-04 15:49 -------- d-----w- f:\program files\Malwarebytes' Anti-Malware
2011-02-23 15:46 . 2011-02-23 15:46 135168 --sha-r- f:\windows\system32\bootvid4.dll
2011-02-22 02:39 . 2001-08-17 18:56 7552 -c--a-w- f:\windows\system32\dllcache\sonypvu1.sys
2011-02-22 02:39 . 2001-08-17 18:56 7552 ----a-w- f:\windows\system32\drivers\SONYPVU1.SYS
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-04 16:49 . 2011-02-04 16:49 661808 ----a-w- f:\windows\system32\UfWSC.cpl
2011-02-04 16:49 . 2011-02-04 16:49 89872 ----a-w- f:\windows\system32\drivers\tmtdi.sys
2011-02-04 16:49 . 2011-02-04 16:49 339984 ----a-w- f:\windows\system32\drivers\TM_CFW.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="f:\documents and settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe" [2010-07-23 222496]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="f:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"MXO Auto Loader"="f:\windows\MXOALDR.EXE" [2003-04-07 118784]
"nwiz"="f:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvMediaCenter"="f:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"IJNetworkScanUtility"="f:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-08-23 206240]
"DNS7reminder"="f:\program files\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" [2007-04-16 259624]
"QuickTime Task"="f:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"Nikon Transfer Monitor"="f:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2009-09-15 479232]
"RoxioEngineUtility"="f:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"CanonMyPrinter"="f:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-02 2508104]
"CanonSolutionMenu"="f:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
"UfSeAgnt.exe"="f:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2010-01-26 1020248]
.
f:\documents and settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.LNK - f:\palm\HOTSYNC.EXE [2010-10-27 299008]
Microsoft Office.lnk - f:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\G:\0autocheck autochk *
.
[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=f:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 04:07 932288 ----a-r- f:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 09:47 35760 ----a-w- f:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
2010-12-17 17:38 4763256 ----a-w- f:\program files\SlySoft\AnyDVD\AnyDVDtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]
2003-05-21 19:30 45056 ----a-w- f:\progra~1\Maxtor\OneTouch\Utils\OneTouch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nikon Message Center 2]
2010-05-26 00:16 619008 ----a-w- f:\program files\Nikon\Nikon Message Center 2\NkMC2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
2003-07-15 17:36 319488 ----a-w- f:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2003-09-24 19:02 868352 ----a-w- f:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Program Files\\Retrospect\\Retrospect 7.7\\Retrospect.exe"=
"f:\\WINDOWS\\system32\\mmc.exe"=
"f:\\Program Files\\Skype\\Phone\\Skype.exe"=
"f:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
.
R2 DragonSvc;Dragon Service;f:\program files\Common Files\Nuance\dgnsvc.exe [7/23/2010 1:24 PM 296808]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;f:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2/14/2011 11:59 PM 632792]
R2 tmpreflt;tmpreflt;f:\windows\system32\drivers\tmpreflt.sys [2/4/2011 12:49 PM 36432]
R3 tmcfw;Trend Micro Common Firewall Service;f:\windows\system32\drivers\TM_CFW.sys [2/4/2011 12:49 PM 339984]
S2 mrtRate;mrtRate; [x]
S3 tmevtmgr;tmevtmgr;f:\windows\system32\drivers\tmevtmgr.sys [2/4/2011 12:51 PM 51792]
S3 TmPfw;Trend Micro Personal Firewall;f:\program files\Trend Micro\Internet Security\TmPfw.exe [2/4/2011 12:51 PM 497008]
S3 TmProxy;Trend Micro Proxy Service;f:\program files\Trend Micro\Internet Security\TmProxy.exe [2/4/2011 12:51 PM 689416]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - KLMD25
*Deregistered* - klmd25
*Deregistered* - pxtdapow
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-23 f:\windows\Tasks\RMSmartUpdate.job
- f:\program files\Registry Mechanic\Update.exe [2011-02-15 17:26]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - f:\documents and settings\Alan\Application Data\Mozilla\Firefox\Profiles\2b0y7odi.default\
FF - prefs.js: browser.startup.homepage - hxxp://online.wsj.com/home-page?mg=com-wsj
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - f:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - f:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - f:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Trend Micro Toolbar: {22181a4d-af90-4ca3-a569-faed9118d6bc} - f:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-ETHERCD_UNINST_KEY - f:\documents and settings\Alan\Desktop\EtherCD XL User Guide\Uninst.isu
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-23 13:39
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2025429265-2077806209-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2011-03-23 13:40:57
ComboFix-quarantined-files.txt 2011-03-23 17:40
.
Pre-Run: 304,138,440,704 bytes free
Post-Run: 304,373,751,808 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - CF1926D2C681BD383F16DA233C4E242A

Thanks

Alan

#13 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 23 March 2011 - 07:25 PM

Hi-

How is the redirect situation? Has it improved, got worse, or no change?
Shannon

#14 AAS

  • Topic Starter
  • Members
  • 8 posts

Posted 23 March 2011 - 08:11 PM

Don't know. I rebooted to reset my AV program and the system would not boot to Windows - sometimes would not even post - could not access set-up screen - would not boot with XP disk in drive. It is now at the computer hospital - please leave this thread open until I get it back - will report ASAP - Did the last scan find anything?

Thanks

Alan

#15 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 24 March 2011 - 08:43 AM

I will hold it open. Let me know how it goes. ComboFix did find one directory which it did not like and deleted it.
Shannon
