Infected with system tools and antimalware doctor


This topic is locked
20 replies to this topic

#1 dreamtwister302 (Members, 18 posts)

Posted 01 April 2011 - 06:32 PM

Hello! I downloaded something from a website that ended up being System Tools. After looking up how to get rid of it, deleting it, and restarting my computer, I was infected with Antimalware Doctor, which seemed to be the same thing. After installing Avast Free Antivirus, which found some things but did not fix the problems, I removed it and installed a full copy of Kaspersky PURE (trial), and I am not able to download updated antivirus definitions. Internet Explorer and Firefox both redirect me to other sites when doing Google searches (it will let me do the search, but any website I click will redirect me somewhere). Here are my logs.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 19:55:31.01 on 01/04/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.894.309 [GMT -3:00]
.
AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Kaspersky PURE *Enabled/Outdated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: McAfee Personal Firewall *Enabled*
FW: Kaspersky PURE *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe
C:\Program Files\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Kaspersky Lab\Kaspersky PURE\klwtblfs.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe
C:\Documents and Settings\Owner.Upstairs\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_CA&Sys=DTP&M=H5048
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=O4dANjwRHlnWfDF4WGjktNlVBBM
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_CA&Sys=DTP&M=H5048
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky pure\ievkbd.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky pure\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [A9YA3MI1CF] c:\docume~1\owner~1.ups\locals~1\temp\Vnw.exe
uRun: [Sloboyiviyifani] rundll32.exe "c:\windows\VSRDert.dll",Startup
uRun: [Spyware Doctor with AntiVirus] c:\documents and settings\owner.upstairs\desktop\sdasetup_revwire207[1].exe -min
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [CHotkey] zHotkey.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [Glixi] rundll32.exe "c:\windows\epugezorijegozu.dll",Startup
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky pure\avp.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
mExplorerRun: [fpact] c:\docume~1\owner~1.ups\locals~1\temp\zitui1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky pure\ie_banner_deny.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky pure\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky pure\klwtbbho.dll
DPF: {1DC4A509-9C17-4538-B5AA-DB0BA27ED400} - hxxp://magnava.ezwatchip.com:8000/liveview-htmlskin/WebViewS.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {7AB229EC-3FEF-4ACE-8060-167ECD3F7A14} - hxxp://magnava.ezwatchip.com:8000/playback-htmlskin/WebRPB.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 93.188.165.118,93.188.160.158
TCP: {A655E497-0379-48EC-8275-B095C2E271E9} = 93.188.165.118,93.188.160.158
Notify: AtiExtEvent - Ati2evxx.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\kloehk.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\owner~1.ups\applic~1\mozilla\firefox\profiles\2tq0aicp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {2E530208-EABB-4339-974D-1D7BC76B5371} - c:\documents and settings\owner.upstairs\local settings\application data\{2E530208-EABB-4339-974D-1D7BC76B5371}
.
============= SERVICES / DRIVERS ===============
.
R0 CSCrySec;InfoWatch Encrypt Sector Library driver;c:\windows\system32\drivers\CSCrySec.sys [2011-3-28 88632]
R0 KLBG;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;c:\windows\system32\drivers\CSVirtualDiskDrv.sys [2011-3-28 39352]
R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-3-28 315408]
R2 AVP;Kaspersky PURE;c:\program files\kaspersky lab\kaspersky pure\avp.exe [2010-10-1 348760]
R2 CSObjectsSrv;CryptoStorage control service;c:\program files\common files\infowatch\cryptostorage\ProtectedObjectsSrv.exe [2009-12-21 743992]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-14 136176]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2011-1-1 18560]
S3 GenericMount;Generic Mount Driver;c:\windows\system32\drivers\genericmount.sys --> c:\windows\system32\drivers\GenericMount.sys [?]
S3 PS3 Media Server;PS3 Media Server;c:\program files\ps3 media server\win32\service\wrapper.exe [2008-8-17 217088]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-03-28 19:20:27 90112 ----a-w- c:\windows\DUMPe7a9.tmp
2011-02-04 21:48:32 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 21:48:30 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-12 23:30:06 997057 ----a-w- c:\docume~1\alluse~1\applic~1\bdinstall.bin
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600BB-22RDA0 rev.20.00K20 -> Harddisk0\DR0 -> \Device\Ide\IdePort4 P4T0L0-16
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85B2A439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85b307d0]; MOV EAX, [0x85b3084c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x85B77410]
3 CLASSPNP[0xF7702FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000089[0x85B7A368]
5 ACPI[0xF7519620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x85B7B030]
\Driver\atapi[0x85B4B030] -> IRP_MJ_CREATE -> 0x85B2A439
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5f; }
detected disk devices:
\Device\Ide\IdeDeviceP4T0L0-16 -> \??\IDE#DiskWDC_WD1600BB-22RDA0_____________________20.00K20#5&34d4b32b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x85B2A27F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 19:58:23.20 ===============
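The DDS log above mixes normal entries with the kinds of lines a helper looks at first: autoruns launched from a temp directory, `rundll32.exe` loaders pointing at DLLs dropped straight into `c:\windows\`, statically configured DNS resolvers, a non-default Firefox proxy mode, and the GMER disk trace with an unknown module and an `atapi` hook. The script below is an added example, not part of the original post and not part of the DDS or GMER tools; it applies a few heuristics of my own to a constructed sample made of lines copied from the log above. Findings are leads for a human, not verdicts: the resolver check in particular also fires on legitimate ISP resolvers, so the addresses still have to be compared against what the router or ISP hands out.

```python
"""Triage a DDS-style log for the indicator types seen in the post above.

Added example: heuristics and severities are assumptions, not DDS/GMER features.
"""
import ipaddress
import re

# Constructed sample: a handful of lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [A9YA3MI1CF] c:\docume~1\owner~1.ups\locals~1\temp\Vnw.exe
uRun: [Sloboyiviyifani] rundll32.exe "c:\windows\VSRDert.dll",Startup
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky pure\avp.exe"
mRun: [Glixi] rundll32.exe "c:\windows\epugezorijegozu.dll",Startup
mExplorerRun: [fpact] c:\docume~1\owner~1.ups\locals~1\temp\zitui1.exe
TCP: NameServer = 93.188.165.118,93.188.160.158
FF - prefs.js: network.proxy.type - 4
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85B2A439]<<
\Driver\atapi DriverStartIo -> 0x85B2A27F
"""

# uRun/mRun/dRun/dRunOnce/mExplorerRun: [name] command
AUTORUN_RE = re.compile(
    r"^[umd]?(?:RunOnce|ExplorerRun|Run): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$", re.I)
# rundll32.exe "path\to.dll",EntryPoint  ->  capture the DLL path
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.I)
# TCP: NameServer = a,b   or   TCP: {GUID} = a,b
NAMESERVER_RE = re.compile(
    r"^TCP: (?:\{[0-9A-F-]+\} = |NameServer = )(?P<ips>[\d.,]+)$", re.I)
# Firefox proxy mode: 0 none, 1 manual, 2 PAC URL, 4 auto-detect (WPAD), 5 system
FF_PROXY_RE = re.compile(r"^FF - prefs\.js: network\.proxy\.type - (?P<val>\d+)$")
# GMER disk trace: an unresolved module in the IRP call chain
GMER_UNKNOWN_RE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9A-F]+)\]<<", re.I)
# GMER "detected hooks": \Driver\<name> <Routine> -> <address>
GMER_HOOK_RE = re.compile(
    r"^(?P<drv>\\Driver\\\w+) (?P<routine>\w+) -> (?P<addr>0x[0-9A-F]+)$", re.I)


def path_in_windows_root(path):
    # True when the file sits directly in c:\windows\ rather than in a subdirectory
    # such as system32; legitimate DLLs are rarely dropped there.
    p = path.lower().replace("%windir%", r"c:\windows")
    return re.match(r"^c:\\windows\\[^\\]+$", p) is not None


def triage(log_text):
    """Return a list of (severity, line, reason) tuples for suspicious lines."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AUTORUN_RE.match(line)
        if m:
            cmd = m.group("cmd")
            if "\\temp\\" in cmd.lower():
                findings.append(("high", line, "autorun launches a binary from a temp directory"))
            rd = RUNDLL_RE.match(cmd)
            if rd and path_in_windows_root(rd.group("dll")):
                findings.append(("high", line, "rundll32 autorun loads a DLL sitting in the Windows root"))
            continue
        m = NAMESERVER_RE.match(line)
        if m:
            for ip in m.group("ips").split(","):
                addr = ipaddress.ip_address(ip)
                if not (addr.is_private or addr.is_loopback):
                    findings.append(("medium", line,
                                     f"static resolver {ip} outside the LAN; confirm it belongs to the ISP"))
            continue
        m = FF_PROXY_RE.match(line)
        if m and m.group("val") != "0":
            findings.append(("low", line, "Firefox proxy mode is not 'no proxy' (4 = auto-detect/WPAD)"))
            continue
        if GMER_UNKNOWN_RE.search(line):
            findings.append(("high", line, "unknown module in the disk I/O call chain (GMER)"))
            continue
        m = GMER_HOOK_RE.match(line)
        if m:
            findings.append(("high", line,
                             f"{m.group('drv')} {m.group('routine')} hooked at {m.group('addr')}"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run it as-is to see the nine leads from the sample; point `triage()` at a full DDS log to sweep the whole Pseudo HJT and ROOTKIT sections. Clean entries such as `ctfmon.exe` and `avp.exe` produce nothing, which is the property to keep when adding heuristics.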


#2 SweetTech (Agent ST; Members, 13,421 posts; Location: Antarctica)

Posted 01 April 2011 - 06:59 PM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days; failure to reply will result in the topic being closed!
  • Please do not PM me directly for help. If you have any questions, post them in this topic.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________


One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



Running TDSSKiller

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.


  • If an infected file is detected, the default action will be Cure, click on Continue.


  • If a suspicious file is detected, the default action will be Skip, click on Continue.


  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


NEXT:



Running OTL

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


NEXT:


Please provide an update on how things are running in your next reply.

The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 dreamtwister302 (Topic Starter; Members, 18 posts)

Posted 01 April 2011 - 09:01 PM

How unfortunate for the keylogger. I have not used any sensitive passwords on this computer since the sign of an infection. I have decided to go ahead and clean the machine instead of a format.

Thank you for the quick reply and your help! Here is my status so far. I ran TDSSKiller, and it asked to restart the computer. I ran it again after the restart and it was clean.

OTL - I am still having downloading issues, and I had to transfer this file from another computer. I am still getting pop-up ads and redirecting issues on browser. Here are the logs. Thank you!





--- TDSS killer

2011/04/01 22:17:24.0187 0308 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/01 22:17:24.0531 0308

================================================================================
2011/04/01 22:17:24.0531 0308 SystemInfo:
2011/04/01 22:17:24.0531 0308
2011/04/01 22:17:24.0531 0308 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/01 22:17:24.0531 0308 Product type: Workstation
2011/04/01 22:17:24.0531 0308 ComputerName: UPSTAIRS
2011/04/01 22:17:24.0531 0308 UserName: Owner
2011/04/01 22:17:24.0531 0308 Windows directory: C:\WINDOWS
2011/04/01 22:17:24.0531 0308 System windows directory: C:\WINDOWS
2011/04/01 22:17:24.0531 0308 Processor architecture: Intel x86
2011/04/01 22:17:24.0531 0308 Number of processors: 2
2011/04/01 22:17:24.0531 0308 Page size: 0x1000
2011/04/01 22:17:24.0531 0308 Boot type: Normal boot
2011/04/01 22:17:24.0531 0308

================================================================================
2011/04/01 22:17:31.0015 0308 Initialize success
2011/04/01 22:17:59.0203 3684

================================================================================
2011/04/01 22:17:59.0203 3684 Scan started
2011/04/01 22:17:59.0203 3684 Mode: Manual;
2011/04/01 22:17:59.0203 3684

================================================================================
2011/04/01 22:18:00.0062 3684 abp480n5 (6abb91494fe6c59089b9336452ab2ea3)

C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/04/01 22:18:00.0234 3684 ACPI (8fd99680a539792a30e97944fdaecf17)

C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/01 22:18:00.0390 3684 ACPIEC (9859c0f6936e723e4892d7141b1327d5)

C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/04/01 22:18:00.0437 3684 adpu160m (9a11864873da202c996558b2106b0bbc)

C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/04/01 22:18:00.0609 3684 aec (8bed39e3c35d6a489438b8141717a557)

C:\WINDOWS\system32\drivers\aec.sys
2011/04/01 22:18:00.0796 3684 AFD (7e775010ef291da96ad17ca4b17137d7)

C:\WINDOWS\System32\drivers\afd.sys
2011/04/01 22:18:00.0968 3684 agp440 (08fd04aa961bdc77fb983f328334e3d7)

C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/04/01 22:18:01.0140 3684 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063)

C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/04/01 22:18:01.0343 3684 Aha154x (c23ea9b5f46c7f7910db3eab648ff013)

C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/04/01 22:18:01.0515 3684 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529)

C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/04/01 22:18:01.0703 3684 aic78xx (b7fe594a7468aa0132deb03fb8e34326)

C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/04/01 22:18:01.0890 3684 AliIde (1140ab9938809700b46bb88e46d72a96)

C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/04/01 22:18:02.0062 3684 alim1541 (cb08aed0de2dd889a8a820cd8082d83c)

C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/04/01 22:18:02.0234 3684 amdagp (95b4fb835e28aa1336ceeb07fd5b9398)

C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/04/01 22:18:02.0437 3684 amsint (79f5add8d24bd6893f2903a3e2f3fad6)

C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/04/01 22:18:02.0625 3684 asc (62d318e9a0c8fc9b780008e724283707)

C:\WINDOWS\system32\DRIVERS\asc.sys
2011/04/01 22:18:02.0765 3684 asc3350p (69eb0cc7714b32896ccbfd5edcbea447)

C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/04/01 22:18:02.0843 3684 asc3550 (5d8de112aa0254b907861e9e9c31d597)

C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/04/01 22:18:03.0031 3684 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc)

C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/04/01 22:18:03.0140 3684 atapi (9f3a2f5aa6875c72bf062c712cfa2674)

C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/01 22:18:03.0453 3684 ati2mtag (1caba9ea8adc5e9a5eba3882f6a90f9b)

C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/04/01 22:18:03.0671 3684 Atmarpc (9916c1225104ba14794209cfa8012159)

C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/04/01 22:18:03.0843 3684 audstub (d9f724aa26c010a217c97606b160ed68)

C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/04/01 22:18:04.0062 3684 Beep (da1f27d85e0d1525f6621372e7b685e9)

C:\WINDOWS\system32\drivers\Beep.sys
2011/04/01 22:18:04.0234 3684 cbidf (90a673fc8e12a79afbed2576f6a7aaf9)

C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/04/01 22:18:04.0359 3684 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9)

C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/04/01 22:18:04.0390 3684 cd20xrnt (f3ec03299634490e97bbce94cd2954c7)

C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/04/01 22:18:04.0437 3684 Cdaudio (c1b486a7658353d33a10cc15211a873b)

C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/04/01 22:18:04.0531 3684 Cdfs (c885b02847f5d2fd45a24e219ed93b32)

C:\WINDOWS\system32\drivers\Cdfs.sys
2011/04/01 22:18:04.0703 3684 Cdrom (1f4260cc5b42272d71f79e570a27a4fe)

C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/04/01 22:18:05.0046 3684 CmdIde (e5dcb56c533014ecbc556a8357c929d5)

C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/04/01 22:18:05.0250 3684 Cpqarray (3ee529119eed34cd212a215e8c40d4b6)

C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/04/01 22:18:05.0468 3684 CSCrySec (5cbf20674be8364febb6a13451a42f0a)

C:\WINDOWS\system32\DRIVERS\CSCrySec.sys
2011/04/01 22:18:05.0656 3684 CSVirtualDiskDrv (2c3f213eddd231099fb779a45d7680e0)

C:\WINDOWS\system32\DRIVERS\CSVirtualDiskDrv.sys
2011/04/01 22:18:05.0843 3684 dac2w2k (e550e7418984b65a78299d248f0a7f36)

C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/04/01 22:18:05.0984 3684 dac960nt (683789caa3864eb46125ae86ff677d34)

C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/04/01 22:18:06.0062 3684 Disk (044452051f3e02e7963599fc8f4f3e25)

C:\WINDOWS\system32\DRIVERS\disk.sys
2011/04/01 22:18:06.0281 3684 dmboot (d992fe1274bde0f84ad826acae022a41)

C:\WINDOWS\system32\drivers\dmboot.sys
2011/04/01 22:18:06.0484 3684 dmio (7c824cf7bbde77d95c08005717a95f6f)

C:\WINDOWS\system32\drivers\dmio.sys
2011/04/01 22:18:06.0671 3684 dmload (e9317282a63ca4d188c0df5e09c6ac5f)

C:\WINDOWS\system32\drivers\dmload.sys
2011/04/01 22:18:06.0843 3684 DMusic (8a208dfcf89792a484e76c40e5f50b45)

C:\WINDOWS\system32\drivers\DMusic.sys
2011/04/01 22:18:07.0031 3684 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660)

C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/04/01 22:18:07.0171 3684 drmkaud (8f5fcff8e8848afac920905fbd9d33c8)

C:\WINDOWS\system32\drivers\drmkaud.sys
2011/04/01 22:18:07.0281 3684 Fastfat (38d332a6d56af32635675f132548343e)

C:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/01 22:18:07.0468 3684 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81)

C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/04/01 22:18:07.0640 3684 Fips (d45926117eb9fa946a6af572fbe1caa3)

C:\WINDOWS\system32\drivers\Fips.sys
2011/04/01 22:18:07.0796 3684 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0)

C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/04/01 22:18:07.0968 3684 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0)

C:\WINDOWS\system32\drivers\fltmgr.sys
2011/04/01 22:18:08.0140 3684 FlyUsb (8efa9bfc940d9eb9348d9dafb839fe25)

C:\WINDOWS\system32\DRIVERS\FlyUsb.sys
2011/04/01 22:18:08.0328 3684 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a)

C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/04/01 22:18:08.0453 3684 Ftdisk (6ac26732762483366c3969c9e4d2259d)

C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/04/01 22:18:08.0546 3684 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e)

C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/04/01 22:18:08.0875 3684 Gpc (0a02c63c8b144bd8c86b103dee7c86a2)

C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/04/01 22:18:09.0062 3684 HDAudBus (573c7d0a32852b48f3058cfd8026f511)

C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/04/01 22:18:09.0250 3684 HidUsb (ccf82c5ec8a7326c3066de870c06daf1)

C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/04/01 22:18:09.0468 3684 hpn (b028377dea0546a5fcfba928a8aefae0)

C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/04/01 22:18:09.0625 3684 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a)

C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/04/01 22:18:09.0734 3684 HPZipr12 (89f41658929393487b6b7d13c8528ce3)

C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/04/01 22:18:09.0906 3684 HPZius12 (abcb05ccdbf03000354b9553820e39f8)

C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/04/01 22:18:10.0093 3684 HSFHWBS2 (c02dc9d4358e43d088f2061c2b2bf30e)

C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
2011/04/01 22:18:10.0328 3684 HSF_DPV (cbf6831420a97e8fbb91e5f52b707ef7)

C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2011/04/01 22:18:10.0531 3684 HTTP (f80a415ef82cd06ffaf0d971528ead38)

C:\WINDOWS\system32\Drivers\HTTP.sys
2011/04/01 22:18:10.0718 3684 i2omgmt (9368670bd426ebea5e8b18a62416ec28)

C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/04/01 22:18:10.0890 3684 i2omp (f10863bf1ccc290babd1a09188ae49e0)

C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/04/01 22:18:11.0062 3684 i8042prt (4a0b06aa8943c1e332520f7440c0aa30)

C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/04/01 22:18:11.0234 3684 Imapi (083a052659f5310dd8b6a6cb05edcf8e)

C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/04/01 22:18:11.0437 3684 ini910u (4a40e045faee58631fd8d91afc620719)

C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/04/01 22:18:11.0750 3684 IntcAzAudAddService (2389f12f0ed506176b7c29c8144cea09)

C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/04/01 22:18:12.0031 3684 IntelIde (b5466a9250342a7aa0cd1fba13420678)

C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/04/01 22:18:12.0203 3684 intelppm (8c953733d8f36eb2133f5bb58808b66b)

C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/04/01 22:18:12.0375 3684 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/04/01 22:18:12.0546 3684 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/04/01 22:18:12.0718 3684 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/04/01 22:18:12.0890 3684 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/04/01 22:18:13.0062 3684 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/04/01 22:18:13.0234 3684 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/04/01 22:18:13.0406 3684 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/01 22:18:13.0593 3684 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/04/01 22:18:13.0781 3684 kl1 (ce3958f58547454884e97bda78cd7040) C:\WINDOWS\system32\drivers\kl1.sys
2011/04/01 22:18:13.0953 3684 KLBG (53eedab3f0511321ac3ae8bc968b158c) C:\WINDOWS\system32\DRIVERS\klbg.sys
2011/04/01 22:18:14.0140 3684 KLIF (cf9f89b7b5e08beb60e52dd7ff3a69e5) C:\WINDOWS\system32\DRIVERS\klif.sys
2011/04/01 22:18:14.0328 3684 klim5 (fbdc2034b58d2135d25fe99eb8b747c3) C:\WINDOWS\system32\DRIVERS\klim5.sys
2011/04/01 22:18:14.0531 3684 klmouflt (1f351c4ba53bfe58a1ca5fcdd11e1f81) C:\WINDOWS\system32\DRIVERS\klmouflt.sys
2011/04/01 22:18:14.0718 3684 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/04/01 22:18:14.0875 3684 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/04/01 22:18:15.0375 3684 mcdbus (8fd868e32459ece2a1bb0169f513d31e) C:\WINDOWS\system32\DRIVERS\mcdbus.sys
2011/04/01 22:18:15.0562 3684 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/04/01 22:18:15.0734 3684 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
2011/04/01 22:18:15.0906 3684 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/04/01 22:18:16.0078 3684 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/04/01 22:18:16.0250 3684 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/04/01 22:18:16.0421 3684 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/04/01 22:18:16.0625 3684 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/04/01 22:18:16.0781 3684 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/04/01 22:18:16.0953 3684 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/04/01 22:18:17.0156 3684 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/04/01 22:18:17.0343 3684 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/04/01 22:18:17.0546 3684 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/04/01 22:18:17.0718 3684 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/04/01 22:18:17.0890 3684 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/04/01 22:18:18.0062 3684 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/04/01 22:18:18.0234 3684 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/04/01 22:18:18.0421 3684 mxnic (e1cdf20697d992cf83ff86dd04df1285) C:\WINDOWS\system32\DRIVERS\mxnic.sys
2011/04/01 22:18:18.0578 3684 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/04/01 22:18:18.0750 3684 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/04/01 22:18:18.0921 3684 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/04/01 22:18:19.0109 3684 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/04/01 22:18:19.0281 3684 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/04/01 22:18:19.0453 3684 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/04/01 22:18:19.0609 3684 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/04/01 22:18:19.0812 3684 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/04/01 22:18:19.0968 3684 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/04/01 22:18:20.0187 3684 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/04/01 22:18:20.0437 3684 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/04/01 22:18:20.0718 3684 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/04/01 22:18:20.0875 3684 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/04/01 22:18:21.0046 3684 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
2011/04/01 22:18:21.0218 3684 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/04/01 22:18:21.0390 3684 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/04/01 22:18:21.0546 3684 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/04/01 22:18:21.0640 3684 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/04/01 22:18:21.0843 3684 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/04/01 22:18:22.0000 3684 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/04/01 22:18:22.0171 3684 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
2011/04/01 22:18:22.0937 3684 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/04/01 22:18:23.0109 3684 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/04/01 22:18:23.0312 3684 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/04/01 22:18:23.0500 3684 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/04/01 22:18:23.0687 3684 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/04/01 22:18:23.0859 3684 PxHelp20 (617accada2e0a0f43ec6030bbac49513) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/04/01 22:18:24.0031 3684 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/04/01 22:18:24.0218 3684 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/04/01 22:18:24.0406 3684 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/04/01 22:18:24.0562 3684 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/04/01 22:18:24.0734 3684 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/04/01 22:18:24.0906 3684 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/04/01 22:18:25.0078 3684 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/04/01 22:18:25.0265 3684 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/04/01 22:18:25.0437 3684 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/04/01 22:18:25.0640 3684 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/04/01 22:18:25.0828 3684 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/04/01 22:18:26.0015 3684 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/04/01 22:18:26.0187 3684 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/04/01 22:18:26.0375 3684 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/04/01 22:18:26.0593 3684 RTL8023xp (7988bfe882bcd94199225b5c3482f1bd) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
2011/04/01 22:18:26.0750 3684 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2011/04/01 22:18:26.0921 3684 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/04/01 22:18:27.0062 3684 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/04/01 22:18:27.0156 3684 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/04/01 22:18:27.0343 3684 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/04/01 22:18:27.0562 3684 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/04/01 22:18:27.0734 3684 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/04/01 22:18:27.0875 3684 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/04/01 22:18:27.0984 3684 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/04/01 22:18:28.0187 3684 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/04/01 22:18:28.0390 3684 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/04/01 22:18:28.0562 3684 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/04/01 22:18:28.0765 3684 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/04/01 22:18:28.0937 3684 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/04/01 22:18:29.0062 3684 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/04/01 22:18:29.0171 3684 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/04/01 22:18:29.0312 3684 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/04/01 22:18:29.0421 3684 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/01 22:18:29.0609 3684 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/04/01 22:18:29.0781 3684 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/04/01 22:18:29.0953 3684 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/04/01 22:18:30.0140 3684 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/04/01 22:18:30.0328 3684 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/04/01 22:18:30.0500 3684 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/04/01 22:18:30.0734 3684 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/04/01 22:18:31.0187 3684 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/04/01 22:18:31.0406 3684 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/04/01 22:18:31.0546 3684 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/04/01 22:18:31.0640 3684 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/04/01 22:18:31.0781 3684 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/04/01 22:18:31.0875 3684 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/04/01 22:18:32.0015 3684 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/04/01 22:18:32.0156 3684 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/04/01 22:18:32.0281 3684 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/04/01 22:18:32.0453 3684 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/04/01 22:18:32.0593 3684 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/04/01 22:18:32.0781 3684 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/04/01 22:18:32.0921 3684 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
2011/04/01 22:18:33.0140 3684 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/04/01 22:18:33.0343 3684 winachsf (59d043485a6eda2ed2685c81489ae5bd) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/04/01 22:18:33.0609 3684 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/04/01 22:18:33.0796 3684 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/04/01 22:18:33.0859 3684 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/04/01 22:18:33.0859 3684 ================================================================================
2011/04/01 22:18:33.0859 3684 Scan finished
2011/04/01 22:18:33.0859 3684 ================================================================================
2011/04/01 22:18:33.0890 3136 Detected object count: 1
2011/04/01 22:18:39.0000 3136 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/04/01 22:18:39.0000 3136 \HardDisk0 - ok
2011/04/01 22:18:39.0000 3136 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/04/01 22:18:54.0171 2176 Deinitialize success

--- OTL

OTL logfile created on: 01/04/2011 10:48:32 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Owner.Upstairs\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

894.00 Mb Total Physical Memory | 328.00 Mb Available Physical Memory | 37.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 2560 2560 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 142.11 Gb Total Space | 42.38 Gb Free Space | 29.82% Space Free | Partition Type: NTFS
Drive D: | 6.93 Gb Total Space | 4.07 Gb Free Space | 58.78% Space Free | Partition Type: FAT32

Computer Name: UPSTAIRS | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/01 22:47:21 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner.Upstairs\Desktop\OTL.exe
PRC - [2011/03/23 19:41:31 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/11/19 14:38:08 | 000,193,880 | ---- | M] (LeapFrog Enterprises, Inc.) -- C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
PRC - [2010/11/19 14:29:00 | 004,916,568 | ---- | M] (LeapFrog Enterprises, Inc.) -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
PRC - [2010/10/01 22:06:36 | 000,348,760 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe
PRC - [2010/10/01 22:05:24 | 000,207,448 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky PURE\klwtblfs.exe
PRC - [2010/04/09 02:08:24 | 002,937,528 | ---- | M] () -- C:\Program Files\Pando Networks\Media Booster\PMB.exe
PRC - [2010/04/09 00:44:08 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
PRC - [2009/12/21 17:34:38 | 000,743,992 | ---- | M] (Infowatch) -- C:\Program Files\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe
PRC - [2008/04/13 21:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/12/09 21:44:40 | 000,139,264 | ---- | M] (Alcor Micro, Corp.) -- C:\Program Files\Digital Media Reader\readericon45G.exe
PRC - [2004/12/08 20:57:36 | 000,550,912 | ---- | M] () -- C:\WINDOWS\zHotkey.exe


========== Modules (SafeList) ==========

MOD - [2011/04/01 22:47:21 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner.Upstairs\Desktop\OTL.exe
MOD - [2010/08/23 13:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/04/13 21:12:08 | 000,266,240 | ---- | M] () -- C:\WINDOWS\epugezorijegozu.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2010/11/19 14:29:00 | 004,916,568 | ---- | M] (LeapFrog Enterprises, Inc.) [Auto | Running] -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe -- (LeapFrog Connect Device Service)
SRV - [2010/10/01 22:06:36 | 000,348,760 | ---- | M] (Kaspersky Lab) [Auto | Running] -- C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe -- (AVP)
SRV - [2010/04/09 00:44:08 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) [Auto | Running] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2009/12/21 17:34:38 | 000,743,992 | ---- | M] (Infowatch) [Auto | Running] -- C:\Program Files\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe -- (CSObjectsSrv)
SRV - [2008/08/17 05:40:50 | 000,217,088 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\PS3 Media Server\win32\service\wrapper.exe -- (PS3 Media Server)


========== Driver Services (SafeList) ==========

DRV - [2011/03/28 22:28:27 | 000,315,408 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2009/12/14 12:44:24 | 000,088,632 | ---- | M] (Infowatch) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\CSCrySec.sys -- (CSCrySec)
DRV - [2009/12/14 12:44:24 | 000,039,352 | ---- | M] (Infowatch) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\CSVirtualDiskDrv.sys -- (CSVirtualDiskDrv)
DRV - [2009/10/14 21:18:34 | 000,036,880 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\klbg.sys -- (KLBG)
DRV - [2009/10/02 19:39:44 | 000,019,472 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klmouflt.sys -- (klmouflt)
DRV - [2009/09/14 14:42:46 | 000,032,272 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klim5.sys -- (klim5)
DRV - [2009/09/01 15:29:50 | 000,128,016 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\kl1.sys -- (kl1)
DRV - [2009/02/24 19:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2008/04/01 14:33:16 | 000,018,560 | ---- | M] (LeapFrog) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\FlyUsb.sys -- (FlyUsb)
DRV - [2006/04/06 17:20:44 | 004,258,816 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/01/18 21:41:00 | 000,080,512 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2006/01/16 00:48:08 | 001,477,632 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/03/17 13:51:16 | 001,033,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/03/17 13:50:36 | 000,221,440 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2005/03/17 13:50:32 | 000,705,280 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/08/04 02:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2001/08/17 17:49:32 | 000,019,968 | ---- | M] (Macronix International Co., Ltd. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxnic.sys -- (mxnic)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_CA&Sys=DTP&M=H5048


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_CA&Sys=DTP&M=H5048
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_CA&Sys=DTP&M=H5048
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_CA&Sys=DTP&M=H5048
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_CA&Sys=DTP&M=H5048
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2134941054-3092060347-210732259-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-2134941054-3092060347-210732259-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: ""
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {2E530208-EABB-4339-974D-1D7BC76B5371}:1.9.1
FF - prefs.js..extensions.enabledItems: linkfilter@kaspersky.ru:9.1.0.124
FF - prefs.js..network.proxy.type: 4

FF - HKLM\software\mozilla\Firefox\Extensions\\{2E530208-EABB-4339-974D-1D7BC76B5371}: C:\Documents and Settings\Owner.Upstairs\Local Settings\Application Data\{2E530208-EABB-4339-974D-1D7BC76B5371} [2011/03/23 11:02:54 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/24 15:46:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/23 19:41:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\{eea12ec4-729d-4703-bc37-106ce9879ce2}: C:\Program Files\Kaspersky Lab\Kaspersky PURE\THBExt [2011/03/28 22:30:11 | 000,000,000 | ---D | M]

[2010/08/17 12:23:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner.Upstairs\Application Data\Mozilla\Extensions
[2010/08/16 13:22:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner.Upstairs\Application Data\Mozilla\Extensions\home2@tomtom.com
[2010/08/17 12:23:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner.Upstairs\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2011/04/01 16:30:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner.Upstairs\Application Data\Mozilla\Firefox\Profiles\2tq0aicp.default\extensions
[2010/09/20 07:41:53 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner.Upstairs\Application Data\Mozilla\Firefox\Profiles\2tq0aicp.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/10/30 11:09:23 | 000,002,568 | ---- | M] () -- C:\Documents and Settings\Owner.Upstairs\Application Data\Mozilla\Firefox\Profiles\2tq0aicp.default\searchplugins\askcom.xml
[2011/04/01 16:30:27 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/19 21:34:09 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/09/15 17:43:48 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/10/15 16:10:46 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/03/28 22:32:17 | 000,000,000 | ---D | M] (Kaspersky URL Advisor) -- C:\Program Files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru
[2011/03/23 11:02:54 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\OWNER.UPSTAIRS\LOCAL SETTINGS\APPLICATION DATA\{2E530208-EABB-4339-974D-1D7BC76B5371}
[2010/04/19 21:33:39 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/09/15 04:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/07/17 09:13:02 | 000,002,027 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\McSiteAdvisor.xml

O1 HOSTS File: ([2011/03/23 22:54:45 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky PURE\ievkbd.dll (Kaspersky Lab)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\WINDOWS\system32\bae.dll (Gateway Inc.)
O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll (Kaspersky Lab)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-2134941054-3092060347-210732259-1006\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-2134941054-3092060347-210732259-1006\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe (Kaspersky Lab)
O4 - HKLM..\Run: [CHotkey] C:\WINDOWS\zHotkey.exe ()
O4 - HKLM..\Run: [Glixi] C:\WINDOWS\epugezorijegozu.dll ()
O4 - HKLM..\Run: [Monitor] C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe (LeapFrog Enterprises, Inc.)
O4 - HKLM..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe (McAfee, Inc.)
O4 - HKLM..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe (Alcor Micro, Corp.)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKU\S-1-5-21-2134941054-3092060347-210732259-1006..\Run: [A9YA3MI1CF] File not found
O4 - HKU\S-1-5-21-2134941054-3092060347-210732259-1006..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe ()
O4 - HKU\S-1-5-21-2134941054-3092060347-210732259-1006..\Run: [Sloboyiviyifani] C:\WINDOWS\VSRDert.dll (Greatis Software)
O4 - HKU\S-1-5-21-2134941054-3092060347-210732259-1006..\Run: [Spyware Doctor with AntiVirus] File not found
O4 - HKU\S-1-5-21-2134941054-3092060347-210732259-1006..\Run: [TomTomHOME.exe] File not found
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: fpact = C:\DOCUME~1\OWNER~1.UPS\LOCALS~1\Temp\zitui1.exe
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2134941054-3092060347-210732259-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky PURE\ie_banner_deny.htm ()
O9 - Extra Button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll (Kaspersky Lab)
O9 - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll (Kaspersky Lab)
O16 - DPF: {1DC4A509-9C17-4538-B5AA-DB0BA27ED400} http://magnava.ezwatchip.com:8000/liveview-htmlskin/WebViewS.cab (Hybrid WebView)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {7AB229EC-3FEF-4ACE-8060-167ECD3F7A14} http://magnava.ezwatchip.com:8000/playback-htmlskin/WebRPB.cab (WebRPB Control)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.118,93.188.160.158
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll) - C:\Program Files\Kaspersky Lab\Kaspersky PURE\kloehk.dll (Kaspersky Lab)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll) - C:\Program Files\Kaspersky Lab\Kaspersky PURE\mzvkbd3.dll (Kaspersky Lab)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner.Upstairs\Application Data\Mozilla\Firefox\Desktop Background.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner.Upstairs\Application Data\Mozilla\Firefox\Desktop Background.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/17 22:40:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/09/13 12:15:24 | 000,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{3d15974d-a952-11df-86fe-001676a39e2d}\Shell\AutoRun\command - "" = K:\InstallTomTomHOME.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/01 22:47:20 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner.Upstairs\Desktop\OTL.exe
[2011/04/01 22:17:18 | 001,377,112 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Owner.Upstairs\Desktop\TDSSKiller.exe
[2011/03/28 22:31:06 | 000,039,352 | ---- | C] (Infowatch) -- C:\WINDOWS\System32\drivers\CSVirtualDiskDrv.sys
[2011/03/28 22:31:01 | 000,088,632 | ---- | C] (Infowatch) -- C:\WINDOWS\System32\drivers\CSCrySec.sys
[2011/03/28 22:29:11 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\InfoWatch
[2011/03/28 22:29:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Kaspersky PURE
[2011/03/28 22:29:02 | 000,000,000 | ---D | C] -- C:\Program Files\Kaspersky Lab
[2011/03/28 22:29:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
[2011/03/28 22:28:27 | 000,315,408 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2011/03/28 21:57:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
[2011/03/23 22:14:59 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2011/03/23 22:14:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011/03/23 21:55:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2011/03/23 21:25:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2011/03/23 20:02:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\fCdEkNfNoGp05200
[2011/03/23 17:29:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/03/23 16:42:16 | 125,669,816 | ---- | C] (Lavasoft ) -- C:\Documents and Settings\Owner.Upstairs\Desktop\Ad-Aware90Install_2011-03-22.exe
[2011/03/23 16:25:52 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/03/23 16:25:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.Upstairs\Start Menu\Programs\HiJackThis
[2011/03/23 11:33:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/03/23 11:33:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/03/23 11:02:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.Upstairs\Local Settings\Application Data\{2E530208-EABB-4339-974D-1D7BC76B5371}
[2010/07/04 14:27:23 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Owner.Upstairs\Application Data\pcouffin.sys
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/01 22:47:21 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner.Upstairs\Desktop\OTL.exe
[2011/04/01 22:32:00 | 000,000,294 | -H-- | M] () -- C:\WINDOWS\tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
[2011/04/01 22:20:56 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/01 22:20:55 | 000,000,304 | -HS- | M] () -- C:\WINDOWS\tasks\Sqqjsmlav.job
[2011/04/01 22:20:55 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2134941054-3092060347-210732259-1006.job
[2011/04/01 22:20:46 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/01 22:20:42 | 937,062,400 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/01 22:08:21 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/01 19:36:05 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Owner.Upstairs\Desktop\dds.scr
[2011/04/01 19:34:38 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner.Upstairs\defogger_reenable
[2011/04/01 19:32:22 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Klulodovu.dat
[2011/04/01 17:11:24 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Owner.Upstairs\Local Settings\Application Data\housecall.guid.cache
[2011/04/01 16:49:42 | 000,002,465 | ---- | M] () -- C:\Documents and Settings\Owner.Upstairs\Desktop\HiJackThis.lnk
[2011/04/01 16:11:26 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/04/01 16:10:12 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Uvexuworuca.bin
[2011/04/01 15:54:26 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/29 17:40:00 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/03/28 22:31:56 | 000,113,933 | ---- | M] () -- C:\WINDOWS\System32\drivers\klin.dat
[2011/03/28 22:31:56 | 000,097,549 | ---- | M] () -- C:\WINDOWS\System32\drivers\klick.dat
[2011/03/28 22:28:27 | 000,315,408 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2011/03/28 22:18:06 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/03/23 22:13:31 | 062,623,864 | ---- | M] () -- C:\Documents and Settings\Owner.Upstairs\My Documents\setup_av_free.exe
[2011/03/23 21:24:08 | 001,228,854 | ---- | M] () -- C:\fsqwr.bmp
[2011/03/23 16:42:33 | 125,669,816 | ---- | M] (Lavasoft ) -- C:\Documents and Settings\Owner.Upstairs\Desktop\Ad-Aware90Install_2011-03-22.exe
[2011/03/21 19:36:20 | 000,098,304 | ---- | M] () -- C:\Documents and Settings\Owner.Upstairs\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/03/20 17:07:56 | 000,301,568 | ---- | M] () -- C:\Documents and Settings\Owner.Upstairs\Desktop\gmer.exe
[2011/03/20 10:34:45 | 000,441,432 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/20 10:34:45 | 000,071,176 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/20 10:34:28 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/14 12:29:00 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-2134941054-3092060347-210732259-1006.job
[2011/03/10 12:27:50 | 001,377,112 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Owner.Upstairs\Desktop\TDSSKiller.exe
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/01 19:58:14 | 000,301,568 | ---- | C] () -- C:\Documents and Settings\Owner.Upstairs\Desktop\gmer.exe
[2011/04/01 19:35:58 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Owner.Upstairs\Desktop\dds.scr
[2011/04/01 19:34:38 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner.Upstairs\defogger_reenable
[2011/04/01 17:11:24 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Owner.Upstairs\Local Settings\Application Data\housecall.guid.cache
[2011/03/28 22:31:56 | 000,113,933 | ---- | C] () -- C:\WINDOWS\System32\drivers\klin.dat
[2011/03/28 22:31:56 | 000,097,549 | ---- | C] () -- C:\WINDOWS\System32\drivers\klick.dat
[2011/03/23 22:12:56 | 062,623,864 | ---- | C] () -- C:\Documents and Settings\Owner.Upstairs\My Documents\setup_av_free.exe
[2011/03/23 21:24:08 | 001,228,854 | ---- | C] () -- C:\fsqwr.bmp
[2011/03/23 20:52:26 | 937,062,400 | -HS- | C] () -- C:\hiberfil.sys
[2011/03/23 16:25:52 | 000,002,465 | ---- | C] () -- C:\Documents and Settings\Owner.Upstairs\Desktop\HiJackThis.lnk
[2011/03/23 11:03:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Uvexuworuca.bin
[2011/03/23 11:03:05 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Klulodovu.dat
[2011/03/23 11:00:48 | 000,000,304 | -HS- | C] () -- C:\WINDOWS\tasks\Sqqjsmlav.job
[2011/03/23 11:00:11 | 000,000,294 | -H-- | C] () -- C:\WINDOWS\tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
[2010/12/31 15:46:09 | 000,004,310 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
[2010/12/30 21:57:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\imblacklist.dat
[2010/12/30 13:39:16 | 000,997,057 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\bdinstall.bin
[2010/11/15 07:53:31 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/10/18 17:18:35 | 000,165,376 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2010/10/18 16:59:14 | 000,022,016 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/10/02 01:45:27 | 000,000,287 | ---- | C] () -- C:\WINDOWS\game.ini
[2010/09/11 15:51:03 | 000,038,269 | ---- | C] () -- C:\WINDOWS\DIIUnin.dat
[2010/08/18 17:43:15 | 000,139,620 | ---- | C] () -- C:\WINDOWS\hpoins15.dat
[2010/08/18 17:43:15 | 000,001,039 | ---- | C] () -- C:\WINDOWS\hpomdl15.dat
[2010/07/23 23:13:58 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/07/04 14:29:22 | 000,001,041 | ---- | C] () -- C:\Documents and Settings\Owner.Upstairs\Application Data\vso_ts_preview.xml
[2010/07/04 14:27:37 | 000,098,304 | ---- | C] () -- C:\Documents and Settings\Owner.Upstairs\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/04 14:27:23 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Owner.Upstairs\Application Data\pcouffin.cat
[2010/07/04 14:27:23 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Owner.Upstairs\Application Data\pcouffin.inf
[2010/04/23 17:15:23 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\Owner.Upstairs\Local Settings\Application Data\fusioncache.dat
[2010/04/09 02:20:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/04/09 01:00:04 | 000,550,912 | ---- | C] () -- C:\WINDOWS\zHotkey.exe
[2010/04/09 01:00:04 | 000,532,544 | ---- | C] () -- C:\WINDOWS\PIC.dll
[2010/04/09 01:00:04 | 000,042,040 | ---- | C] () -- C:\WINDOWS\PatchWnd.exe
[2010/04/09 01:00:04 | 000,036,864 | ---- | C] () -- C:\WINDOWS\ShowWnd.exe
[2010/04/09 01:00:04 | 000,024,576 | ---- | C] () -- C:\WINDOWS\HKNTDLL.dll
[2010/04/09 01:00:04 | 000,011,776 | ---- | C] () -- C:\WINDOWS\HIDMNT.dll
[2010/04/09 00:59:41 | 000,000,004 | ---- | C] () -- C:\WINDOWS\Pix11.dat
[2010/04/09 00:58:37 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2010/04/09 00:58:37 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2010/04/09 00:54:51 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2009/09/09 19:01:40 | 000,027,675 | ---- | C] () -- C:\WINDOWS\System32\drivers\klopp.dat
[2009/01/05 16:44:10 | 000,053,248 | ---- | C] () -- C:\WINDOWS\bdoscandel.exe
[2009/01/05 16:44:10 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2007/01/31 14:50:32 | 000,913,408 | ---- | C] () -- C:\WINDOWS\System32\xreglib.dll
[2006/08/09 18:16:03 | 000,112,421 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2005/08/19 16:13:08 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/08/19 15:25:24 | 000,352,256 | ---- | C] () -- C:\WINDOWS\System32\HotlineClient.exe
[2005/08/17 22:45:05 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/08/17 22:34:51 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/08/17 22:17:08 | 000,001,478 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/08/17 22:17:08 | 000,000,495 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2005/08/17 22:16:24 | 000,266,240 | ---- | C] () -- C:\WINDOWS\epugezorijegozu.dll
[2005/08/17 22:16:18 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/08/17 22:16:14 | 000,441,432 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2005/08/17 22:16:14 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2005/08/17 22:16:14 | 000,071,176 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2005/08/17 22:16:14 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2005/08/17 22:16:13 | 000,005,151 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2005/08/17 22:16:11 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/08/17 22:16:09 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2005/08/17 22:16:01 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2005/08/17 22:16:01 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2005/08/17 22:15:55 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2005/08/17 22:15:46 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2005/08/17 15:28:16 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/08/17 15:27:22 | 000,182,632 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/08/06 01:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/08/10 16:00:00 | 000,000,009 | ---- | C] () -- C:\WINDOWS\System32\comsats.sys

< End of report >

OTL Extras logfile created on: 01/04/2011 10:48:32 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Owner.Upstairs\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

894.00 Mb Total Physical Memory | 328.00 Mb Available Physical Memory | 37.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 2560 2560 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 142.11 Gb Total Space | 42.38 Gb Free Space | 29.82% Space Free | Partition Type: NTFS
Drive D: | 6.93 Gb Total Space | 4.07 Gb Free Space | 58.78% Space Free | Partition Type: FAT32

Computer Name: UPSTAIRS | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-2134941054-3092060347-210732259-1006\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"57763:TCP" = 57763:TCP:*:Enabled:Pando Media Booster
"57763:UDP" = 57763:UDP:*:Enabled:Pando Media Booster
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\LeapFrog\LeapFrog Connect\LeapFrogConnect.exe" = C:\Program Files\LeapFrog\LeapFrog Connect\LeapFrogConnect.exe:*:Enabled:LeapFrog Connect -- (LeapFrog Enterprises, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Google\Google Earth\plugin\geplugin.exe" = C:\Program Files\Google\Google Earth\plugin\geplugin.exe:*:Enabled:Google Earth -- (Google)
"C:\Program Files\TVersity\Media Server\MediaServer.exe" = C:\Program Files\TVersity\Media Server\MediaServer.exe:*:Enabled:TVersity Media Server
"C:\Program Files\FrostWire\FrostWire.exe" = C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:FrostWire -- (FrostWire Group)
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\LeapFrog\LeapFrog Connect\LeapFrogConnect.exe" = C:\Program Files\LeapFrog\LeapFrog Connect\LeapFrogConnect.exe:*:Enabled:LeapFrog Connect -- (LeapFrog Enterprises, Inc.)
"C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe" = C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe:*:Enabled:Ad-Aware
"C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe" = C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe:*:Enabled:Ad-AwareAdmin.exe


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{001E7FB6-BB6B-4ED0-BEDC-B5404ED96D4E}" = DocProc
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{10E1E87C-656C-4D08-86D6-5443D28583BE}" = TrayApp
"{13F00518-807A-4B3A-83B0-A7CD90F3A398}" = MarketResearch
"{15377C3E-9655-400F-B441-E69F0A6BEAFE}" = Recovery Software Suite eMachines
"{171E6C1E-B5FC-11DF-B115-005056C00008}" = Google Earth Plug-in
"{1753255A-0AEB-4220-8C75-607B73F0C133}" = Copy
"{1A59064A-12A9-469F-99F6-04BF118DBCFF}" = Kaspersky PURE
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{21AE04E8-EBF6-40DB-9AA9-B7A80C5D057D}" = mkv2vob
"{22466889-7642-488d-AA0E-F619704CF7AB}" = DeviceDiscovery
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 22
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{29FA38B4-0AE4-4D0D-8A51-6165BB990BB0}" = WebReg
"{2F28B3C9-2C89-4206-8B33-8ADC9577C49B}" = Scan
"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = Browser Address Error Redirector
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{487B0B9B-DCD4-440D-89A0-A6EDE1A545A3}" = HPSSupply
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4AC55A61-BA20-4DF5-ABFF-8F4819E0C875}" = Digital Media Reader
"{543E938C-BDC4-4933-A612-01293996845F}" = UnloadSupport
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6E66ECBD-FCA7-4AE1-A8C5-1CA78BEEB057}" = Multimedia Keyboard Driver
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{824D3839-DAA1-4315-A822-7AE3E620E528}" = VideoToolkit01
"{8389382B-53BA-4A87-8854-91E3D80A5AC7}" = HP Photosmart Essential2.01
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{95120000-003F-0409-0000-0000000FF1CE}" = Microsoft Office Excel Viewer
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A055FB62-CF73-4839-AD83-122ABCB92418}" = LeapFrog Tag Junior Plugin
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB40272D-92AB-4F30-B36B-22EDE16F8FE5}" = HP Update
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.2
"{ACA85783-8EEA-4f0a-B2A3-A8173F30209F}" = C4200_doccd
"{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}" = REALTEK GbE & FE Ethernet PCI NIC Driver
"{AEA07F97-9088-497c-8821-0F36BD5DC251}" = HPProductAssistant
"{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan
"{B09BCBF6-87EE-4403-A336-3A9510856535}" = HP Photosmart All-In-One Software 9.0
"{BCD6CD1A-0DBE-412E-9F25-3B500D1E6BA1}" = SolutionCenter
"{BFDE4176-5DFE-4db9-AA00-8F30CB001BDA}" = c4200_Help
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C39E671D-0528-4c5e-A034-8470C5BC393A}" = C4200
"{C6359569-E03E-4CDC-98E8-CDD080C6EEB5}" = LeapFrog Connect
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0A05794-48C2-4424-A15A-9F20FCFDD374}" = Call of Duty® 2
"{D0E39A1D-0CEE-4D85-B4A2-E3BE990D075E}" = Destination Component
"{D8B7A682-20DA-4797-8415-B1FB14D4D32B}" = PS_AIO_Software
"{DB6AB705-C9BD-40E3-8929-2EA57F36A4FF}_is1" = ConvertXtoDVD 4.0.9.322
"{E2662C24-B31E-4349-A084-32EB76E8B760}" = BufferChm
"{E28750A2-45F2-4b63-99F7-9F81A94B1E2D}" = PS_AIO_Software_min
"{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F72E2DDC-3DB8-4190-A21D-63883D955FE7}" = PSSWCORE
"{F8131A35-47FD-27AD-116D-0E79AF5DE5EE}" = Acrobat.com
"{FD7F242B-9AA0-40c3-941E-3A9821D19C09}" = PS_AIO_ProductContext
"{FD8D8B04-BEAD-4A55-AA1D-62D2373E7DEA}" = Status
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"781745E87AFF80C0C1388CFF79D19ECAB2E9BB47" = Windows Driver Package - LeapFrog (FlyUsb) USB (11/05/2008 1.1.1.0)
"8F14F2ECEDE68D26EA515B48DC25B39103C4FE8D" = Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net (09/10/2009 02.03.05.012)
"AC3File_is1" = AC3File 0.6b
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"ATI Display Driver" = ATI Display Driver
"Cheat Engine 6.0_is1" = Cheat Engine 6.0
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1" = Soft Data Fax Modem with SmartCP
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Diablo II" = Diablo II
"FrostWire" = FrostWire 4.21.1
"Gazillionaire III" = Gazillionaire III
"HaaliMkx" = Haali Media Splitter
"HP Imaging Device Functions" = HP Imaging Device Functions 9.0
"HP Photosmart Essential" = HP Photosmart Essential 2.01
"HP Solution Center & Imaging Support Tools" = HP Solution Center 9.0
"HPExtendedCapabilities" = HP Customer Participation Program 9.0
"HPOCR" = HP OCR Software 9.0
"ie8" = Windows Internet Explorer 8
"InstallShield_{4AC55A61-BA20-4DF5-ABFF-8F4819E0C875}" = Digital Media Reader
"InstallShield_{D0A05794-48C2-4424-A15A-9F20FCFDD374}" = Call of Duty® 2
"InstallWIX_{1A59064A-12A9-469F-99F6-04BF118DBCFF}" = Kaspersky PURE
"LiveUpdate" = LiveUpdate 3.2 (Symantec Corporation)
"MagicDisc 2.7.106" = MagicDisc 2.7.106
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.16)" = Mozilla Firefox (3.6.16)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"PS3 Media Server" = PS3 Media Server
"TagJuniorPlugin" = Use the entry named LeapFrog Connect to uninstall (LeapFrog Tag Junior Plugin)
"UPCShell" = LeapFrog Connect
"uTorrent" = µTorrent
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"WGA" = Windows Genuine Advantage Validation Tool
"WIC" = Windows Imaging Component
"WildTangent CDA" = WildTangent Web Driver
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xilisoft Video Converter Ultimate" = Xilisoft Video Converter Ultimate 6

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2134941054-3092060347-210732259-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"aaa" = aaa
"QUICKMEDIACONVERTER" = QMC

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 01/04/2011 7:25:33 PM | Computer Name = UPSTAIRS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 01/04/2011 7:25:33 PM | Computer Name = UPSTAIRS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 01/04/2011 7:35:35 PM | Computer Name = UPSTAIRS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 01/04/2011 7:35:35 PM | Computer Name = UPSTAIRS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 01/04/2011 9:10:15 PM | Computer Name = UPSTAIRS | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module epugezorijegozu.dll, version 0.0.0.0, fault address 0x000097fb.

Error - 01/04/2011 9:17:30 PM | Computer Name = UPSTAIRS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 01/04/2011 9:17:30 PM | Computer Name = UPSTAIRS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 01/04/2011 9:35:19 PM | Computer Name = UPSTAIRS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 01/04/2011 9:35:19 PM | Computer Name = UPSTAIRS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 01/04/2011 9:50:56 PM | Computer Name = UPSTAIRS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

[ System Events ]
Error - 17/02/2011 7:17:45 AM | Computer Name = UPSTAIRS | Source = BROWSER | ID = 8032
Description = The browser service has failed to retrieve the backup list too many
times on transport \Device\NetBT_Tcpip_{A655E497-0379-48EC-8275-B095C2E271E9}. The
backup browser is stopping.

Error - 20/02/2011 12:07:18 PM | Computer Name = UPSTAIRS | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd

Error - 21/02/2011 8:31:15 AM | Computer Name = UPSTAIRS | Source = BROWSER | ID = 8032
Description = The browser service has failed to retrieve the backup list too many
times on transport \Device\NetBT_Tcpip_{A655E497-0379-48EC-8275-B095C2E271E9}. The
backup browser is stopping.

Error - 22/02/2011 7:40:38 PM | Computer Name = UPSTAIRS | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd

Error - 22/02/2011 7:43:00 PM | Computer Name = UPSTAIRS | Source = NetDDE | ID = 206
Description = Listen failed: 23: The ncb_lana_num member did not specify a valid
network number.

Error - 22/02/2011 7:43:05 PM | Computer Name = UPSTAIRS | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.2.11 for the Network Card with network
address 001676A39E2D has been denied by the DHCP server 192.168.2.1 (The DHCP Server
sent a DHCPNACK message).

Error - 22/02/2011 7:43:10 PM | Computer Name = UPSTAIRS | Source = NetDDE | ID = 206
Description = Listen failed: 15:


< End of report >

#4 SweetTech

Posted 02 April 2011 - 07:44 AM

Hi!

The main infection that you were infected with is called TDL4.

See the snippet of text below:

2011/04/01 22:18:33.0890 3136 Detected object count: 1
2011/04/01 22:18:39.0000 3136 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/04/01 22:18:39.0000 3136 \HardDisk0 - ok
2011/04/01 22:18:39.0000 3136 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/04/01 22:18:54.0171 2176 Deinitialize success


You can read more about this infection here:

Special thanks to quietman7 for providing the above links.



NEXT:



OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the [image] textbox.

    :Services
    :OTL
    MOD - [2008/04/13 21:12:08 | 000,266,240 | ---- | M] () -- C:\WINDOWS\epugezorijegozu.dll
    SRV - File not found [Disabled | Stopped] -- -- (HidServ)
    FF - prefs.js..network.proxy.type: 4
    [2011/03/23 11:02:54 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\OWNER.UPSTAIRS\LOCAL SETTINGS\APPLICATION DATA\{2E530208-EABB-4339-974D-1D7BC76B5371}
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-2134941054-3092060347-210732259-1006\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-2134941054-3092060347-210732259-1006\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O4 - HKLM..\Run: [Glixi] C:\WINDOWS\epugezorijegozu.dll ()
    O4 - HKU\S-1-5-21-2134941054-3092060347-210732259-1006..\Run: [A9YA3MI1CF] File not found
    O4 - HKU\S-1-5-21-2134941054-3092060347-210732259-1006..\Run: [Spyware Doctor with AntiVirus] File not found
    O4 - HKU\S-1-5-21-2134941054-3092060347-210732259-1006..\Run: [TomTomHOME.exe] File not found
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: fpact = C:\DOCUME~1\OWNER~1.UPS\LOCALS~1\Temp\zitui1.exe
    O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.118,93.188.160.158
    O33 - MountPoints2\{3d15974d-a952-11df-86fe-001676a39e2d}\Shell\AutoRun\command - "" = K:\InstallTomTomHOME.exe
    [2011/03/23 20:02:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\fCdEkNfNoGp05200
    [2011/03/23 11:02:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.Upstairs\Local Settings\Application Data\{2E530208-EABB-4339-974D-1D7BC76B5371}
    [6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [2011/04/01 22:32:00 | 000,000,294 | -H-- | M] () -- C:\WINDOWS\tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
    [2011/04/01 22:20:55 | 000,000,304 | -HS- | M] () -- C:\WINDOWS\tasks\Sqqjsmlav.job
    [2011/04/01 19:32:22 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Klulodovu.dat
    [2011/04/01 16:10:12 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Uvexuworuca.bin
    [2011/03/23 21:24:08 | 001,228,854 | ---- | M] () -- C:\fsqwr.bmp
    [6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [2011/03/23 21:24:08 | 001,228,854 | ---- | C] () -- C:\fsqwr.bmp
    [2011/03/23 11:03:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Uvexuworuca.bin
    [2011/03/23 11:03:05 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Klulodovu.dat
    [2011/03/23 11:00:48 | 000,000,304 | -HS- | C] () -- C:\WINDOWS\tasks\Sqqjsmlav.job
    [2011/03/23 11:00:11 | 000,000,294 | -H-- | C] () -- C:\WINDOWS\tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    :Commands
    [purity]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    
  • Push [image]
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click [image].
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



Scanning with MalwareBytes' Anti-Malware

Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.
Download Link 1
Download Link 2

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

Edited by SweetTech, 02 April 2011 - 08:53 AM.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#5 dreamtwister302


Posted 02 April 2011 - 08:33 AM

Just ran the OTL custom fix, and an error came up saying something like "could not create hosts files", and now it is stuck at "Resetting hosts files. DO NOT INTERRUPT ...".

I will keep it running until I see a reply, but if it does not fix itself, is it okay to restart the machine? Or is this something that just takes a long time to do?

Thanks

#6 dreamtwister302


Posted 02 April 2011 - 08:40 AM

I believe the error message was "Cannot create file C:\Windows\System32\drivers\etc\Hosts"

#7 SweetTech


Posted 02 April 2011 - 08:54 AM

If it is still stuck then please exit out of the OTL fix.

I've edited my previous fix to remove the instructions for resetting the hosts file, so you should be able to re-run the fix with no issues.



#8 dreamtwister302


Posted 02 April 2011 - 10:46 AM

So far the machine is working much better! After running the OTL fix and Malwarebytes, I could no longer connect to the internet. After changing to a static IP address it is working, and then I went back to automatically detect IP address, and it is still working. Weird how that happened, but now I have no pop-ups and no redirecting issues. Malwarebytes had to have its definitions updated through the mbam-rules.exe file. My Kaspersky can finally download its virus definitions, and everything seems normal. Here are the logs. Thank you for the help!! Anything else that you recommend?




All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
Error: No service named HidServ was found to stop!
Service\Driver key HidServ not found.
Prefs.js: 4 removed from network.proxy.type
Folder C:\DOCUMENTS AND SETTINGS\OWNER.UPSTAIRS\LOCAL SETTINGS\APPLICATION DATA\{2E530208-EABB-4339-974D-1D7BC76B5371}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-21-2134941054-3092060347-210732259-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-21-2134941054-3092060347-210732259-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Glixi not found.
File C:\WINDOWS\epugezorijegozu.dll not found.
Registry value HKEY_USERS\S-1-5-21-2134941054-3092060347-210732259-1006\Software\Microsoft\Windows\CurrentVersion\Run\\A9YA3MI1CF not found.
Registry value HKEY_USERS\S-1-5-21-2134941054-3092060347-210732259-1006\Software\Microsoft\Windows\CurrentVersion\Run\\Spyware Doctor with AntiVirus not found.
Registry value HKEY_USERS\S-1-5-21-2134941054-3092060347-210732259-1006\Software\Microsoft\Windows\CurrentVersion\Run\\TomTomHOME.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\fpact not found.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\\NameServer| /E : value set successfully!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3d15974d-a952-11df-86fe-001676a39e2d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3d15974d-a952-11df-86fe-001676a39e2d}\ not found.
File K:\InstallTomTomHOME.exe not found.
Folder C:\Documents and Settings\All Users\Application Data\fCdEkNfNoGp05200\ not found.
Folder C:\Documents and Settings\Owner.Upstairs\Local Settings\Application Data\{2E530208-EABB-4339-974D-1D7BC76B5371}\ not found.
File/Folder C:\WINDOWS\System32\*.tmp not found.
File/Folder C:\WINDOWS\*.tmp not found.
File C:\WINDOWS\tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job not found.
File C:\WINDOWS\tasks\Sqqjsmlav.job not found.
File C:\WINDOWS\Klulodovu.dat not found.
File C:\WINDOWS\Uvexuworuca.bin not found.
File C:\fsqwr.bmp not found.
File/Folder C:\WINDOWS\System32\*.tmp not found.
File/Folder C:\WINDOWS\*.tmp not found.
File C:\fsqwr.bmp not found.
File C:\WINDOWS\Uvexuworuca.bin not found.
File C:\WINDOWS\Klulodovu.dat not found.
File C:\WINDOWS\tasks\Sqqjsmlav.job not found.
File C:\WINDOWS\tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job not found.
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Owner.Upstairs\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Owner.Upstairs\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
Restore point Set: OTL Restore Point (0)

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 314 bytes
->Temporary Internet Files folder emptied: 38632 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 41620 bytes

User: LocalService
->Temp folder emptied: 65716 bytes
->Temporary Internet Files folder emptied: 33632 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 61633433 bytes
->Java cache emptied: 25469 bytes
->Flash cache emptied: 32838 bytes

User: Owner

User: Owner.Upstairs
->Temp folder emptied: 2118953212 bytes
->Temporary Internet Files folder emptied: 86848729 bytes
->Java cache emptied: 18111 bytes
->FireFox cache emptied: 57066301 bytes
->Flash cache emptied: 135223 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 801227601 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 15299588 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 3067963580 bytes

Total Files Cleaned = 5,922.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

User: Owner

User: Owner.Upstairs
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 04022011_105810

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6092

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

02/04/2011 11:32:04 AM
mbam-log-2011-04-02 (11-32-04).txt

Scan type: Quick scan
Objects scanned: 159173
Time elapsed: 5 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\VSRDert.dll (Trojan.Hiloti.Gen) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\A9YA3MI1CF (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sloboyiviyifani (Trojan.Hiloti.Gen) -> Value: Sloboyiviyifani -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A655E497-0379-48EC-8275-B095C2E271E9}\NameServer (Trojan.DNSChanger) -> Bad: (93.188.165.118,93.188.160.158) Good: () -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\VSRDert.dll (Trojan.Hiloti.Gen) -> Delete on reboot.
c:\WINDOWS\system32\spool\prtprocs\w32x86\x17wSK7.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\owner.upstairs\start menu\antimalware doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\comsats.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Edited by dreamtwister302, 02 April 2011 - 10:48 AM.
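A triage parser for the Malwarebytes' log layout posted above, as an added example that is not part of this thread or of Malwarebytes itself; the sample log is constructed in the same layout (a trimmed subset), and the 192.168.2.0/24 local network is an assumption taken from the DHCP events earlier in the logs.

```python
"""Triage helper for the Malwarebytes' Anti-Malware 1.50 log layout posted above.
Added example, not part of the thread or of Malwarebytes; the local network
(192.168.2.0/24) is assumed from the DHCP events earlier in the logs."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the same layout as the thread's log (a trimmed subset).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.50.1.1100
Memory Modules Infected: 1
Registry Data Items Infected: 2

Memory Modules Infected:
c:\WINDOWS\VSRDert.dll (Trojan.Hiloti.Gen) -> Delete on reboot.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sloboyiviyifani (Trojan.Hiloti.Gen) -> Value: Sloboyiviyifani -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A655E497-0379-48EC-8275-B095C2E271E9}\NameServer (Trojan.DNSChanger) -> Bad: (93.188.165.118,93.188.160.158) Good: () -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\VSRDert.dll (Trojan.Hiloti.Gen) -> Delete on reboot.
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")      # header line, no count after it
HEAD_RE = re.compile(r"^(?P<target>.+) \((?P<detection>[^()]+)\)$")  # "<target> (<detection>)"
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)$")


@dataclass
class Finding:
    section: str
    target: str
    detection: str
    action: str
    bad: Optional[str] = None   # value MBAM found (registry data items only)
    good: Optional[str] = None  # value MBAM restored

def parse_item(section: str, line: str) -> Optional[Finding]:
    """One item line: '<target> (<detection>) [-> Bad: (..) Good: (..)] -> <action>.'"""
    head, *tail = line.split(" -> ")
    m = HEAD_RE.match(head)
    if not m or not tail:
        return None
    bad = good = None
    for seg in tail[:-1]:            # middle segments carry Bad/Good or 'Value: x'
        bg = BAD_GOOD_RE.match(seg)
        if bg:
            bad, good = bg.group("bad"), bg.group("good")
    return Finding(section, m.group("target"), m.group("detection"),
                   tail[-1].rstrip("."), bad, good)

def parse_mbam_log(text: str) -> List[Finding]:
    """Walk the '<section> Infected:' blocks; summary lines and empty blocks are skipped."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("section")
        elif section and not line.startswith("(No malicious items"):
            item = parse_item(section, line)
            if item:
                findings.append(item)
    return findings

def rogue_dns_servers(findings: List[Finding], local_net: str) -> List[str]:
    """DNS servers a DNSChanger entry pointed the host at, minus anything on the LAN."""
    net = ipaddress.ip_network(local_net)
    rogue = []
    for f in findings:
        if f.target.upper().endswith("\\NAMESERVER") and f.bad:
            for server in f.bad.split(","):
                ip = ipaddress.ip_address(server.strip())
                if ip not in net and not ip.is_private:
                    rogue.append(str(ip))
    return rogue

def pending_reboot(findings: List[Finding]) -> List[Finding]:
    """Items MBAM could only schedule for removal; they survive until the restart."""
    return [f for f in findings if f.action.lower() == "delete on reboot"]

def suppressed_notifications(findings: List[Finding]) -> List[str]:
    """Security Center alerts the malware switched off (Bad: (1) means disabled)."""
    return [f.target.rsplit("\\", 1)[-1] for f in findings
            if f.detection == "PUM.Disabled.SecurityCenter" and f.bad == "1"]

if __name__ == "__main__":
    for f in parse_mbam_log(SAMPLE_LOG):
        print(f"{f.section}: {f.detection} -> {f.action}")
```

Run against the full log from the post, the three checks give the responder the rogue resolvers to block at the gateway, the entries that only disappear after the reboot the instructions insist on, and the Security Center alerts that were silenced.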


#9 SweetTech


Posted 02 April 2011 - 10:50 AM

Can you please see if you're able to update MBAM to the latest version now (without downloading the mbam rules file)?



#10 dreamtwister302


Posted 02 April 2011 - 03:54 PM

MBAM updated successfully. Ran a scan; here is the log.


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6247

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

02/04/2011 5:35:58 PM
mbam-log-2011-04-02 (17-35-58).txt

Scan type: Quick scan
Objects scanned: 161489
Time elapsed: 25 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Z7HRPUZG3M (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#11 SweetTech


Posted 02 April 2011 - 06:42 PM

You're doing great!

Let's see if these scans find anything:


ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]


NEXT:


Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



#12 dreamtwister302


Posted 03 April 2011 - 06:12 AM

ESET Online scanner:

C:\_OTL\MovedFiles\04022011_100844\C_WINDOWS\epugezorijegozu.dll a variant of Win32/Cimag.GK trojan

Results of screen317's Security Check version 0.99.10
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
ESET Online Scanner v3
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 22
Out of date Java installed!
Adobe Flash Player 10.2.152.26
Adobe Reader 9.4.3
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.16) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Kaspersky Lab Kaspersky PURE avp.exe
Kaspersky Lab Kaspersky PURE klwtblfs.exe
``````````End of Log````````````

#13 SweetTech


Posted 03 April 2011 - 07:43 AM

Hi!

The file found by ESET is in quarantine and will be dealt with when we clean-up our tools later.

Java Outdated
Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Microsoft: ‘Unprecedented Wave of Java Exploitation’
Drive-by Trojan preying on out-of-date Java installations
Ghosts of Java Haunt Users
Please follow these steps to remove older-version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows" (32-bit) or "Windows x64" (64-bit).
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "I agree to the Java SE...License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u24-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.


NEXT



Update Adobe Reader
Earlier versions of Adobe Reader have known security flaws, so it is recommended that you update your copy.
  • Go to Start > Control Panel > Add/Remove Programs
  • Remove ALL instances of Adobe Reader
  • Re-boot your computer as required.
  • Once ALL versions of Adobe Reader have been uninstalled, visit: <<here>> and download the latest version of Adobe Reader
Alternative Option: after uninstalling Adobe Reader, you could try installing Foxit Reader from >here<. Foxit Reader has fewer add-ons and therefore loads more quickly.



NEXT:



OTL Custom Scan

We need to run an OTL Custom Scan
  • Please reopen OTL on your desktop.
  • Copy and Paste the following bolded text into the [image] textbox.


    netsvcs
    drivers32
    %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Push the [image] button.
  • A report will open. Copy and Paste that report in your next reply.


NEXT:



What outstanding issues (if any) are you still experiencing with your computer?



#14 dreamtwister302


Posted 03 April 2011 - 10:06 AM

So far the computer's been running pretty smoothly. The only issue I see is I keep getting a Windows Security Alerts icon in my notifications, saying automatic updates is off. If I hit the turn on button it asks me to change it manually. If I go in there manually it says it is on, but the notification doesn't leave.


OTL logfile created on: 03/04/2011 11:57:39 AM - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Owner.Upstairs\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

894.00 Mb Total Physical Memory | 358.00 Mb Available Physical Memory | 40.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 2560 2560 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 142.11 Gb Total Space | 46.80 Gb Free Space | 32.93% Space Free | Partition Type: NTFS
Drive D: | 6.93 Gb Total Space | 4.07 Gb Free Space | 58.78% Space Free | Partition Type: FAT32

Computer Name: UPSTAIRS | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/03 09:20:16 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/04/01 22:47:21 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner.Upstairs\Desktop\OTL.exe
PRC - [2010/11/19 14:38:08 | 000,193,880 | ---- | M] (LeapFrog Enterprises, Inc.) -- C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
PRC - [2010/11/19 14:29:00 | 004,916,568 | ---- | M] (LeapFrog Enterprises, Inc.) -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
PRC - [2010/10/01 22:06:36 | 000,348,760 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe
PRC - [2010/04/09 00:44:08 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
PRC - [2009/12/21 17:34:38 | 000,743,992 | ---- | M] (Infowatch) -- C:\Program Files\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe
PRC - [2008/04/13 21:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/12/09 21:44:40 | 000,139,264 | ---- | M] (Alcor Micro, Corp.) -- C:\Program Files\Digital Media Reader\readericon45G.exe
PRC - [2004/12/08 20:57:36 | 000,550,912 | ---- | M] () -- C:\WINDOWS\zHotkey.exe
PRC - [2004/08/10 16:00:00 | 000,008,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\control.exe


========== Modules (SafeList) ==========

MOD - [2011/04/01 22:47:21 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner.Upstairs\Desktop\OTL.exe
MOD - [2010/10/01 22:05:40 | 000,109,144 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky PURE\mzvkbd3.dll
MOD - [2010/10/01 22:05:34 | 000,018,008 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky PURE\kloehk.dll
MOD - [2010/08/23 13:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2001/07/02 23:36:30 | 000,024,576 | ---- | M] () -- C:\WINDOWS\HKNTDLL.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/03/01 09:59:14 | 000,052,288 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus®
SRV - [2010/11/19 14:29:00 | 004,916,568 | ---- | M] (LeapFrog Enterprises, Inc.) [Auto | Running] -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe -- (LeapFrog Connect Device Service)
SRV - [2010/10/01 22:06:36 | 000,348,760 | ---- | M] (Kaspersky Lab) [Auto | Running] -- C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe -- (AVP)
SRV - [2010/04/09 00:44:08 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) [Auto | Running] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2009/12/21 17:34:38 | 000,743,992 | ---- | M] (Infowatch) [Auto | Running] -- C:\Program Files\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe -- (CSObjectsSrv)
SRV - [2008/08/17 05:40:50 | 000,217,088 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\PS3 Media Server\win32\service\wrapper.exe -- (PS3 Media Server)


========== Driver Services (SafeList) ==========

DRV - [2011/03/28 22:28:27 | 000,315,408 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2009/12/14 12:44:24 | 000,088,632 | ---- | M] (Infowatch) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\CSCrySec.sys -- (CSCrySec)
DRV - [2009/12/14 12:44:24 | 000,039,352 | ---- | M] (Infowatch) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\CSVirtualDiskDrv.sys -- (CSVirtualDiskDrv)
DRV - [2009/10/14 21:18:34 | 000,036,880 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\klbg.sys -- (KLBG)
DRV - [2009/10/02 19:39:44 | 000,019,472 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klmouflt.sys -- (klmouflt)
DRV - [2009/09/14 14:42:46 | 000,032,272 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klim5.sys -- (klim5)
DRV - [2009/09/01 15:29:50 | 000,128,016 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\kl1.sys -- (kl1)
DRV - [2009/02/24 19:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2008/04/01 14:33:16 | 000,018,560 | ---- | M] (LeapFrog) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\FlyUsb.sys -- (FlyUsb)
DRV - [2006/04/06 17:20:44 | 004,258,816 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/01/18 21:41:00 | 000,080,512 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2006/01/16 00:48:08 | 001,477,632 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/03/17 13:51:16 | 001,033,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/03/17 13:50:36 | 000,221,440 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2005/03/17 13:50:32 | 000,705,280 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/08/04 02:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2001/08/17 17:49:32 | 000,019,968 | ---- | M] (Macronix International Co., Ltd. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxnic.sys -- (mxnic)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_CA&Sys=DTP&M=H5048

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: ""
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: linkfilter@kaspersky.ru:9.1.0.124
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.100
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{2E530208-EABB-4339-974D-1D7BC76B5371}: C:\Documents and Settings\Owner.Upstairs\Local Settings\Application Data\{2E530208-EABB-4339-974D-1D7BC76B5371}
FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/03 09:20:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/03 09:20:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\{eea12ec4-729d-4703-bc37-106ce9879ce2}: C:\Program Files\Kaspersky Lab\Kaspersky PURE\THBExt [2011/03/28 22:30:11 | 000,000,000 | ---D | M]

[2010/08/17 12:23:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner.Upstairs\Application Data\Mozilla\Extensions
[2010/08/16 13:22:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner.Upstairs\Application Data\Mozilla\Extensions\home2@tomtom.com
[2010/08/17 12:23:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner.Upstairs\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2011/04/03 09:20:44 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner.Upstairs\Application Data\Mozilla\Firefox\Profiles\2tq0aicp.default\extensions
[2010/09/20 07:41:53 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner.Upstairs\Application Data\Mozilla\Firefox\Profiles\2tq0aicp.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/04/03 08:52:25 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\Owner.Upstairs\Application Data\Mozilla\Firefox\Profiles\2tq0aicp.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2011/04/03 09:20:45 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner.Upstairs\Application Data\Mozilla\Firefox\Profiles\2tq0aicp.default\extensions\nostmp
[2010/10/30 11:09:23 | 000,002,568 | ---- | M] () -- C:\Documents and Settings\Owner.Upstairs\Application Data\Mozilla\Firefox\Profiles\2tq0aicp.default\searchplugins\askcom.xml
[2011/04/03 08:52:31 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/19 21:34:09 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/09/15 17:43:48 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/10/15 16:10:46 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/04/03 08:49:47 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/03/28 22:32:17 | 000,000,000 | ---D | M] (Kaspersky URL Advisor) -- C:\Program Files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru
File not found (No name found) --
[2010/04/19 21:33:39 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/04/03 09:20:15 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2011/02/02 21:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2011/04/03 09:20:21 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml
[2010/07/17 09:13:02 | 000,002,027 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\McSiteAdvisor.xml

Hosts file not found
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky PURE\ievkbd.dll (Kaspersky Lab)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\WINDOWS\system32\bae.dll (Gateway Inc.)
O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll (Kaspersky Lab)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe (Kaspersky Lab)
O4 - HKLM..\Run: [CHotkey] C:\WINDOWS\zHotkey.exe ()
O4 - HKLM..\Run: [Monitor] C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe (LeapFrog Enterprises, Inc.)
O4 - HKLM..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe (McAfee, Inc.)
O4 - HKLM..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe (Alcor Micro, Corp.)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKCU..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe ()
O4 - HKLM..\RunOnce: [Uninstall Adobe Download Manager] C:\Program Files\NOS\bin\getPlusUninst_Adobe.exe (NOS Microsystems Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky PURE\ie_banner_deny.htm ()
O9 - Extra Button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll (Kaspersky Lab)
O9 - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll (Kaspersky Lab)
O16 - DPF: {1DC4A509-9C17-4538-B5AA-DB0BA27ED400} http://magnava.ezwatchip.com:8000/liveview-htmlskin/WebViewS.cab (Hybrid WebView)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {7AB229EC-3FEF-4ACE-8060-167ECD3F7A14} http://magnava.ezwatchip.com:8000/playback-htmlskin/WebRPB.cab (WebRPB Control)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 192.168.2.1
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll) - C:\Program Files\Kaspersky Lab\Kaspersky PURE\mzvkbd3.dll (Kaspersky Lab)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll) - C:\Program Files\Kaspersky Lab\Kaspersky PURE\kloehk.dll (Kaspersky Lab)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner.Upstairs\Application Data\Mozilla\Firefox\Desktop Background.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner.Upstairs\Application Data\Mozilla\Firefox\Desktop Background.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/17 22:40:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/09/13 12:15:24 | 000,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2011/04/03 09:06:20 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2011/04/03 08:52:28 | 000,000,000 | ---D | C] -- C:\Program Files\NOS
[2011/04/02 21:17:06 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/04/02 11:10:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.Upstairs\Application Data\Malwarebytes
[2011/04/02 11:10:00 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/04/02 11:10:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/02 11:09:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/04/02 11:09:51 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/04/02 11:09:51 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/02 10:08:44 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/04/01 22:47:20 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner.Upstairs\Desktop\OTL.exe
[2011/04/01 22:17:18 | 001,377,112 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Owner.Upstairs\Desktop\TDSSKiller.exe
[2011/03/28 22:31:06 | 000,039,352 | ---- | C] (Infowatch) -- C:\WINDOWS\System32\drivers\CSVirtualDiskDrv.sys
[2011/03/28 22:31:01 | 000,088,632 | ---- | C] (Infowatch) -- C:\WINDOWS\System32\drivers\CSCrySec.sys
[2011/03/28 22:29:11 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\InfoWatch
[2011/03/28 22:29:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Kaspersky PURE
[2011/03/28 22:29:02 | 000,000,000 | ---D | C] -- C:\Program Files\Kaspersky Lab
[2011/03/28 22:29:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
[2011/03/28 22:28:27 | 000,315,408 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2011/03/28 21:57:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
[2011/03/23 22:14:59 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2011/03/23 22:14:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011/03/23 21:55:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2011/03/23 21:25:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2011/03/23 20:02:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\fCdEkNfNoGp05200
[2011/03/23 17:29:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/03/23 16:42:16 | 125,669,816 | ---- | C] (Lavasoft ) -- C:\Documents and Settings\Owner.Upstairs\Desktop\Ad-Aware90Install_2011-03-22.exe
[2011/03/23 16:25:52 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/03/23 16:25:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.Upstairs\Start Menu\Programs\HiJackThis
[2011/03/23 11:33:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/03/23 11:33:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/07/04 14:27:23 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Owner.Upstairs\Application Data\pcouffin.sys

========== Files - Modified Within 30 Days ==========

[2011/04/03 11:08:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/03 09:07:20 | 000,001,770 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2011/04/03 08:08:02 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/02 17:47:29 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2134941054-3092060347-210732259-1006.job
[2011/04/02 17:47:25 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/02 17:47:24 | 937,062,400 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/02 16:48:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/04/02 13:25:46 | 000,114,243 | ---- | M] () -- C:\WINDOWS\System32\drivers\klin.dat
[2011/04/02 13:25:45 | 000,097,859 | ---- | M] () -- C:\WINDOWS\System32\drivers\klick.dat
[2011/04/02 11:10:00 | 000,000,820 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/01 22:47:21 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner.Upstairs\Desktop\OTL.exe
[2011/04/01 19:36:05 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Owner.Upstairs\Desktop\dds.scr
[2011/04/01 19:34:38 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner.Upstairs\defogger_reenable
[2011/04/01 17:11:24 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Owner.Upstairs\Local Settings\Application Data\housecall.guid.cache
[2011/04/01 16:49:42 | 000,002,465 | ---- | M] () -- C:\Documents and Settings\Owner.Upstairs\Desktop\HiJackThis.lnk
[2011/04/01 16:11:26 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/04/01 15:54:26 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/29 17:40:00 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/03/28 22:28:27 | 000,315,408 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2011/03/23 22:13:31 | 062,623,864 | ---- | M] () -- C:\Documents and Settings\Owner.Upstairs\My Documents\setup_av_free.exe
[2011/03/23 16:42:33 | 125,669,816 | ---- | M] (Lavasoft ) -- C:\Documents and Settings\Owner.Upstairs\Desktop\Ad-Aware90Install_2011-03-22.exe
[2011/03/21 19:36:20 | 000,098,304 | ---- | M] () -- C:\Documents and Settings\Owner.Upstairs\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/03/20 17:07:56 | 000,301,568 | ---- | M] () -- C:\Documents and Settings\Owner.Upstairs\Desktop\gmer.exe
[2011/03/20 10:34:45 | 000,441,432 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/20 10:34:45 | 000,071,176 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/20 10:34:28 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/14 12:29:00 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-2134941054-3092060347-210732259-1006.job
[2011/03/10 12:27:50 | 001,377,112 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Owner.Upstairs\Desktop\TDSSKiller.exe

========== Files Created - No Company Name ==========

[2011/04/03 09:20:38 | 000,000,766 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2011/04/03 09:07:20 | 000,001,770 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2011/04/03 09:07:19 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2011/04/02 11:10:00 | 000,000,820 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/01 19:58:14 | 000,301,568 | ---- | C] () -- C:\Documents and Settings\Owner.Upstairs\Desktop\gmer.exe
[2011/04/01 19:35:58 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Owner.Upstairs\Desktop\dds.scr
[2011/04/01 19:34:38 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner.Upstairs\defogger_reenable
[2011/04/01 17:11:24 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Owner.Upstairs\Local Settings\Application Data\housecall.guid.cache
[2011/03/28 22:31:56 | 000,114,243 | ---- | C] () -- C:\WINDOWS\System32\drivers\klin.dat
[2011/03/28 22:31:56 | 000,097,859 | ---- | C] () -- C:\WINDOWS\System32\drivers\klick.dat
[2011/03/23 22:12:56 | 062,623,864 | ---- | C] () -- C:\Documents and Settings\Owner.Upstairs\My Documents\setup_av_free.exe
[2011/03/23 20:52:26 | 937,062,400 | -HS- | C] () -- C:\hiberfil.sys
[2011/03/23 16:25:52 | 000,002,465 | ---- | C] () -- C:\Documents and Settings\Owner.Upstairs\Desktop\HiJackThis.lnk
[2010/12/31 15:46:09 | 000,004,310 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
[2010/12/30 21:57:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\imblacklist.dat
[2010/12/30 13:39:16 | 000,997,057 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\bdinstall.bin
[2010/11/15 07:53:31 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/10/18 17:18:35 | 000,165,376 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2010/10/18 16:59:14 | 000,022,016 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/10/02 01:45:27 | 000,000,287 | ---- | C] () -- C:\WINDOWS\game.ini
[2010/09/11 15:51:03 | 000,038,269 | ---- | C] () -- C:\WINDOWS\DIIUnin.dat
[2010/08/18 17:43:15 | 000,139,620 | ---- | C] () -- C:\WINDOWS\hpoins15.dat
[2010/08/18 17:43:15 | 000,001,039 | ---- | C] () -- C:\WINDOWS\hpomdl15.dat
[2010/07/23 23:13:58 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/07/04 14:29:22 | 000,001,041 | ---- | C] () -- C:\Documents and Settings\Owner.Upstairs\Application Data\vso_ts_preview.xml
[2010/07/04 14:27:37 | 000,098,304 | ---- | C] () -- C:\Documents and Settings\Owner.Upstairs\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/04 14:27:23 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Owner.Upstairs\Application Data\pcouffin.cat
[2010/07/04 14:27:23 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Owner.Upstairs\Application Data\pcouffin.inf
[2010/04/23 17:15:23 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\Owner.Upstairs\Local Settings\Application Data\fusioncache.dat
[2010/04/09 02:20:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/04/09 01:00:04 | 000,550,912 | ---- | C] () -- C:\WINDOWS\zHotkey.exe
[2010/04/09 01:00:04 | 000,532,544 | ---- | C] () -- C:\WINDOWS\PIC.dll
[2010/04/09 01:00:04 | 000,042,040 | ---- | C] () -- C:\WINDOWS\PatchWnd.exe
[2010/04/09 01:00:04 | 000,036,864 | ---- | C] () -- C:\WINDOWS\ShowWnd.exe
[2010/04/09 01:00:04 | 000,024,576 | ---- | C] () -- C:\WINDOWS\HKNTDLL.dll
[2010/04/09 01:00:04 | 000,011,776 | ---- | C] () -- C:\WINDOWS\HIDMNT.dll
[2010/04/09 00:59:41 | 000,000,004 | ---- | C] () -- C:\WINDOWS\Pix11.dat
[2010/04/09 00:58:37 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2010/04/09 00:58:37 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2010/04/09 00:54:51 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2009/09/09 19:01:40 | 000,027,675 | ---- | C] () -- C:\WINDOWS\System32\drivers\klopp.dat
[2009/01/05 16:44:10 | 000,053,248 | ---- | C] () -- C:\WINDOWS\bdoscandel.exe
[2009/01/05 16:44:10 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2007/01/31 14:50:32 | 000,913,408 | ---- | C] () -- C:\WINDOWS\System32\xreglib.dll
[2006/08/09 18:16:03 | 000,112,421 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2005/08/19 16:13:08 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/08/19 15:25:24 | 000,352,256 | ---- | C] () -- C:\WINDOWS\System32\HotlineClient.exe
[2005/08/17 22:45:05 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/08/17 22:34:51 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/08/17 22:17:08 | 000,001,478 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/08/17 22:17:08 | 000,000,495 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2005/08/17 22:16:18 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/08/17 22:16:14 | 000,441,432 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2005/08/17 22:16:14 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2005/08/17 22:16:14 | 000,071,176 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2005/08/17 22:16:14 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2005/08/17 22:16:13 | 000,005,151 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2005/08/17 22:16:11 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/08/17 22:16:09 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2005/08/17 22:16:01 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2005/08/17 22:16:01 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2005/08/17 22:15:55 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2005/08/17 22:15:46 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2005/08/17 15:28:16 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/08/17 15:27:22 | 000,182,632 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/08/06 01:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll

========== LOP Check ==========

[2011/04/01 16:11:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2010/04/09 07:32:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2011/03/28 21:16:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\fCdEkNfNoGp05200
[2011/01/01 16:44:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Leapfrog
[2010/04/09 14:20:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2010/10/22 19:32:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\QuickMediaConverter
[2010/08/16 13:23:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TomTom
[2010/04/09 01:51:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2010/12/31 15:44:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{1C6FDDD8-FC9E-4C12-9FA5-1AAD377097B3}
[2010/10/22 19:31:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.Upstairs\Application Data\CocoonSoftware
[2010/04/09 07:39:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.Upstairs\Application Data\ESET
[2011/02/19 10:29:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.Upstairs\Application Data\FrostWire
[2011/01/01 12:13:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.Upstairs\Application Data\NUUO
[2010/12/30 13:43:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.Upstairs\Application Data\QuickScan
[2010/04/09 01:31:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.Upstairs\Application Data\SampleView
[2010/08/16 13:22:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.Upstairs\Application Data\TomTom
[2011/03/20 08:24:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.Upstairs\Application Data\uTorrent
[2010/11/17 18:14:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.Upstairs\Application Data\Vso
[2010/11/14 21:04:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.Upstairs\Application Data\Xilisoft
[2011/04/02 16:48:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========



========== Custom Scans ==========


< %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >

< End of report >
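Added example (not part of the thread, and not OldTimer's own code): a small Python triage script that reads an OTL log like the one above and pulls out the lines a helper reads first. The OTL line formats are taken from the log itself; the heuristics (empty company name, binary in a user-writable path, case-flipping folder name under Application Data, custom scan that returned nothing) and their thresholds are the editor's assumptions, and the sample input is a handful of lines excerpted from this log. A hit means "look at this", not "this is malware": OTL.exe sitting on the Desktop trips the user-writable check, and legitimate software sometimes ships without version information.

```python
"""Triage helper for an OTL log such as the one posted above.

Added example; not part of the thread and not part of OldTimer's OTL.
Parses the line formats OTL prints (PRC/SRV/DRV/MOD entries, O4 autorun
entries, folder entries, and the '< query >' blocks of the Custom Scans
section) and flags binaries with an empty company name, binaries loaded
from user-writable locations, randomly named folders under Application
Data, and custom scans that came back empty. The heuristics and their
thresholds are the editor's assumptions, not OTL's.
"""
import re
from dataclasses import dataclass

# KIND - [date | size | attrs | M] (Company) [state] -- path -- (service) ...
ENTRY_RE = re.compile(
    r'^(?P<kind>PRC|SRV|DRV|MOD) - \[[^\]]*\] \((?P<company>[^)]*)\)'
    r'(?: \[[^\]]*\])? -- (?P<path>.+?)(?: -- \(.*)?$'
)
# O4 - HKLM..\Run: [Name] C:\path\file.exe (Company)
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] '
    r'(?P<path>.+?) \((?P<company>[^)]*)\)$'
)
# [date | size | ---D | C] (optional name) -- C:\path
DIR_RE = re.compile(r'^\[[^\]]*\| ---D \| [CM]\] (?:\([^)]*\) )?-- (?P<path>.+)$')
# < query >   (Custom Scans section header)
CUSTOM_RE = re.compile(r'^< (?P<query>.+) >$')

# Paths an ordinary user account (and so user-level malware) can write to.
USER_WRITABLE = ('\\documents and settings\\', '\\application data\\',
                 '\\local settings\\', '\\temp\\', '\\users\\', '\\appdata\\')


@dataclass
class Finding:
    reason: str
    path: str
    line: str


def looks_random(name: str) -> bool:
    """Assumed heuristic: alphanumeric, 8+ chars, and the case flips on at
    least half of the adjacent letter pairs ('fCdEkNfNoGp05200' flips on all
    of them; a product name like 'QuickMediaConverter' flips on few)."""
    if not re.fullmatch(r'[A-Za-z0-9]{8,}', name):
        return False
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 6:
        return False
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return flips / (len(letters) - 1) >= 0.5


def parse_custom_scans(text: str) -> dict:
    """Map each '< query >' header to the result lines printed under it; an
    empty list means OTL found nothing for that file mask or registry key."""
    scans, current = {}, None
    for line in text.splitlines():
        m = CUSTOM_RE.match(line)
        if m:
            current = None if m.group('query') == 'End of report' else m.group('query')
            if current is not None:
                scans[current] = []
        elif current is not None and line.strip():
            scans[current].append(line.strip())
    return scans


def triage(text: str) -> list:
    """Return a Finding for every line that deserves a second look."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line) or O4_RE.match(line)
        if m:
            path, company = m.group('path'), m.group('company').strip()
            if not company:
                findings.append(Finding('no company name', path, line))
            if any(loc in path.lower() for loc in USER_WRITABLE):
                findings.append(Finding('runs from user-writable location', path, line))
            continue
        d = DIR_RE.match(line)
        if d:
            path = d.group('path')
            low = path.lower()
            if ('application data' in low or '\\appdata\\' in low) \
                    and looks_random(path.rsplit('\\', 1)[-1]):
                findings.append(Finding('randomly named folder', path, line))
    for query, results in parse_custom_scans(text).items():
        if not results:
            findings.append(Finding('custom scan returned nothing', query, f'< {query} >'))
    return findings


# Constructed sample: a handful of lines excerpted from the OTL log above.
SAMPLE_LOG = r"""
========== Processes (SafeList) ==========
PRC - [2010/10/01 22:06:36 | 000,348,760 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe
PRC - [2004/12/08 20:57:36 | 000,550,912 | ---- | M] () -- C:\WINDOWS\zHotkey.exe
SRV - [2008/08/17 05:40:50 | 000,217,088 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\PS3 Media Server\win32\service\wrapper.exe -- (PS3 Media Server)
DRV - [2006/04/06 17:20:44 | 004,258,816 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky PURE\avp.exe (Kaspersky Lab)
O4 - HKCU..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe ()
[2011/03/23 20:02:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\fCdEkNfNoGp05200
[2010/10/22 19:32:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\QuickMediaConverter
========== Custom Scans ==========

< %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< End of report >
"""
```

Run `triage(SAMPLE_LOG)` and print `f.reason` and `f.path` for each result: on the excerpt it reports the three unsigned binaries, the case-flipping folder under All Users\Application Data, and the two custom scans that returned nothing (which is exactly what the helper reacts to in the next post). Feed it the full log and expect more hits, including the tool's own OTL.exe on the Desktop.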

#15 SweetTech (Agent ST, Members, 13,421 posts, Location: Antarctica)

Posted 03 April 2011 - 10:19 AM

That's weird.

Open up OTL and click on None.

Go to Extra Registry and select All.

Click on Run Scan.

Post the log it produces back (Extras.txt)





