
rootkit TDLR@MBR


  • This topic is locked
24 replies to this topic

#1 EAB

  • Members
  • 23 posts
  • OFFLINE
  • Local time:07:05 PM

Posted 10 April 2011 - 02:12 PM

Thank you for providing this invaluable service! If donations help maintain your servers I will happily contribute. I am running XP 32-bit Home Edition 2002, Service Pack 3, Pentium 4 CPU 2.60 GHz, 2.5 GB RAM.

About a week ago the XP Security Centre virus appeared and completely hijacked Explorer. Using a separate clean laptop we followed a post on BleepingComputer and downloaded/ran rkill, then AVG Anti-Virus 2011. This seemed to finally get rid of XP Security Centre after a few rounds of rkill/AVG, but there is still a Google redirect thing going on from Explorer or Firefox (Firefox was downloaded and installed from the clean computer after the problem started), and Windows Update can't run from either browser or the Start menu. The error code 0x80072EFF comes up. The last Windows update installed was 12/17/2010. I used the free AVG PC TuneUp which found and removed >9500 old files. I also installed and ran MalwareBytes which found and removed 51 problems that AVG had not found or which were new since the AVG scan. The Google redirect and failure to update Windows still exist.

I followed your instructions to post a malware removal topic:

1. When I tried to check the Windows Firewall setting, the message "Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service?" appeared. I said no since I wasn't sure what it meant.

2. I downloaded and ran DDS and GMER; below are the logs, and I've attached the DDS file asked for:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Heather at 13:35:55.34 on Sun 04/10/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2010 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG10\avgam.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Documents and Settings\Heather\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/



GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-10 14:38:21
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 Maxtor_6Y080L0 rev.YAR41BW0
Running: gmer.exe; Driver: C:\DOCUME~1\Heather\LOCALS~1\Temp\pxtdypow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xAD4E46C0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xAD4E4770]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xAD4E4810]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xAD4E48B0]

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\Heather\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1244] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0094000A
.text C:\WINDOWS\System32\svchost.exe[1244] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0095000A
.text C:\WINDOWS\System32\svchost.exe[1244] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0093000C
.text C:\WINDOWS\System32\svchost.exe[1244] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01B1000A
.text C:\WINDOWS\System32\svchost.exe[1244] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 01B2000A
.text C:\WINDOWS\System32\svchost.exe[1244] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 01B3000A
.text C:\WINDOWS\System32\svchost.exe[1244] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00B3000A
.text C:\WINDOWS\Explorer.EXE[1472] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C6000A
.text C:\WINDOWS\Explorer.EXE[1472] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C7000A
.text C:\WINDOWS\Explorer.EXE[1472] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C2000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A63027F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A63027F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8A63027F

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMaxtor_6Y080L0__________________________YAR41BW0#32593435465a4536202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

Attached Files
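A small triage script for GMER logs laid out like the one above. This is an added example, not code from GMER or from this thread; the regexes, the benign-vendor allow-list and the sample lines are my own assumptions modelled on the log format quoted in the post, and the `example.sys` entry is a constructed stand-in for a driver whose publisher is not on the allow-list.

```python
"""Triage parser for GMER rootkit-scan logs (added example, not GMER's own code).

Assumed layout, modelled on the log quoted in the thread: "---- <Section> - GMER x.y ----"
headers, "SSDT <driver> (<description>/<vendor>) <ZwFunc> [0x<addr>]", ".text <process>[<pid>]
<module>!<export> <addr> <n> Bytes JMP <target>" and "Disk <device> <detail>" lines.
"""
import re
from collections import defaultdict

# Constructed sample in the thread's GMER format (trimmed; example.sys is a made-up entry)
SAMPLE_LOG = r"""GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-10 14:38:21

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xAD4E46C0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xAD4E4770]
SSDT \??\C:\WINDOWS\system32\drivers\example.sys (Example Driver/Unknown Publisher) ZwCreateFile [0xAD4F0000]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1244] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0094000A
.text C:\WINDOWS\System32\svchost.exe[1244] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0095000A
.text C:\WINDOWS\Explorer.EXE[1472] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C6000A

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT (\S+) \((.+?)\) (Zw\w+) \[0x([0-9A-Fa-f]+)\]$")
USER_HOOK_RE = re.compile(
    r"^\.text (.+?)\[(\d+)\] (\S+?)!(\S+) ([0-9A-Fa-f]+) (\d+) Bytes JMP ([0-9A-Fa-f]+)$")
DISK_RE = re.compile(r"^Disk (\S+) (.+)$")

# Publishers whose kernel hooks are expected on this box (security software and the OS vendor);
# a real allow-list comes from the machine's known software inventory (constructed here)
KNOWN_HOOK_VENDORS = ("AVG Technologies", "Microsoft Corporation")
# Phrases GMER uses to flag sector-level findings
ROOTKIT_MARKERS = ("ROOTKIT", "rootkit-like", "@MBR")


def vendor_of(description):
    """GMER prints '<description>/<vendor>'; the vendor is the part after the last '/'."""
    return description.rsplit("/", 1)[-1].strip()


def parse_gmer(text):
    """Single pass over the log, using the current section header as context for each line."""
    section = None
    ssdt, user_hooks, disk = [], defaultdict(list), []
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section == "System" and (m := SSDT_RE.match(line)):
            path, desc, func, addr = m.groups()
            ssdt.append({"driver": path, "vendor": vendor_of(desc),
                         "function": func, "address": int(addr, 16)})
        elif section == "User code sections" and (m := USER_HOOK_RE.match(line)):
            proc, pid, module, export, _addr, nbytes, target = m.groups()
            user_hooks[f"{proc}[{pid}]"].append(
                {"export": f"{module}!{export}", "patched_bytes": int(nbytes),
                 "target": int(target, 16)})
        elif section == "Disk sectors" and (m := DISK_RE.match(line)):
            disk.append({"device": m.group(1), "detail": m.group(2)})
    return {"ssdt": ssdt, "user_hooks": dict(user_hooks), "disk": disk}


def triage(text):
    """Reduce a parsed log to the findings a responder acts on, most severe first."""
    parsed = parse_gmer(text)
    # Sector-level findings outrank everything else: an MBR bootkit loads before the OS and
    # before file-level AV scans, so it survives cleaning that only touches files and registry
    disk_alerts = [d for d in parsed["disk"] if any(k in d["detail"] for k in ROOTKIT_MARKERS)]
    # SSDT hooks are normal for AV/HIPS drivers (ZwOpenProcess/ZwTerminateProcess hooks protect
    # the product itself); hooks from a publisher not on the allow-list need a closer look
    unknown_ssdt = [h for h in parsed["ssdt"]
                    if not any(v in h["vendor"] for v in KNOWN_HOOK_VENDORS)]
    # GMER cannot attribute user-mode inline hooks to a module; report per-process counts so
    # the responder can compare them with what the installed security software is known to do
    hooked = {proc: len(hooks) for proc, hooks in parsed["user_hooks"].items()}
    return {"mbr_rootkit": any("@MBR" in d["detail"] for d in disk_alerts),
            "disk_alerts": disk_alerts,
            "unknown_ssdt_hooks": unknown_ssdt,
            "inline_hooked_processes": hooked}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print("MBR rootkit:", summary["mbr_rootkit"])
    for d in summary["disk_alerts"]:
        print("  disk:", d["device"], d["detail"])
    for h in summary["unknown_ssdt_hooks"]:
        print("  unknown SSDT hook:", h["function"], "by", h["driver"], f"({h['vendor']})")
    for proc, n in summary["inline_hooked_processes"].items():
        print(f"  {n} inline hook(s) in {proc}")
```

On the log above the disk-sector lines are the finding that matters: an MBR rootkit is not removed by file-level cleaning with rkill, AVG or MalwareBytes, which is why the helper's first step targets the MBR.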




#2 heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:05 AM

Posted 10 April 2011 - 02:24 PM

Welcome to BC!

Let's get rid of the MBR Rootkit first.


Step 1.
TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 2.
DDS:

Please rerun DDS and post the content of DDS.txt. (Please post the complete log this time as the last one was cut off.)


Step 3.
Things I would like to see in your reply:

  • The content of the log from TDSSKiller in step 1.
  • The content of DDS.txt from step 2.
  • Information on how your computer is running after those steps.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!


#3 EAB

  • Topic Starter
  • Members
  • 23 posts
  • OFFLINE
  • Local time:07:05 PM

Posted 10 April 2011 - 02:53 PM

Hi heir, thanks for your very fast reply.
TDSSKiller did find something and required a reboot (on reboot the Windows Update symbol appeared in the tray!). I did not click on it yet.

Here is the log from TDSSKiller; sorry I cut off the DDS log, I will rerun it now and post the log next...

2011/04/10 15:28:21.0953 0688 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/10 15:28:22.0265 0688 ================================================================================
2011/04/10 15:28:22.0265 0688 SystemInfo:
2011/04/10 15:28:22.0265 0688
2011/04/10 15:28:22.0265 0688 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/10 15:28:22.0265 0688 Product type: Workstation
2011/04/10 15:28:22.0265 0688 ComputerName: SAM
2011/04/10 15:28:22.0265 0688 UserName: Heather
2011/04/10 15:28:22.0265 0688 Windows directory: C:\WINDOWS
2011/04/10 15:28:22.0265 0688 System windows directory: C:\WINDOWS
2011/04/10 15:28:22.0265 0688 Processor architecture: Intel x86
2011/04/10 15:28:22.0265 0688 Number of processors: 1
2011/04/10 15:28:22.0265 0688 Page size: 0x1000
2011/04/10 15:28:22.0265 0688 Boot type: Normal boot
2011/04/10 15:28:22.0265 0688 ================================================================================
2011/04/10 15:28:22.0468 0688 Initialize success
2011/04/10 15:28:35.0671 2860 ================================================================================
2011/04/10 15:28:35.0671 2860 Scan started
2011/04/10 15:28:35.0671 2860 Mode: Manual;
2011/04/10 15:28:35.0671 2860 ================================================================================
2011/04/10 15:28:36.0843 2860 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS
2011/04/10 15:28:36.0984 2860 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/10 15:28:37.0140 2860 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/04/10 15:28:37.0296 2860 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\System32\DRIVERS\adpu160m.sys
2011/04/10 15:28:37.0421 2860 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
2011/04/10 15:28:37.0578 2860 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/04/10 15:28:37.0718 2860 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/04/10 15:28:37.0843 2860 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\System32\DRIVERS\agp440.sys
2011/04/10 15:28:38.0000 2860 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\System32\DRIVERS\agpCPQ.sys
2011/04/10 15:28:38.0125 2860 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\System32\DRIVERS\aha154x.sys
2011/04/10 15:28:38.0250 2860 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\System32\DRIVERS\aic78u2.sys
2011/04/10 15:28:38.0390 2860 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\System32\DRIVERS\aic78xx.sys
2011/04/10 15:28:38.0500 2860 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\System32\DRIVERS\aliide.sys
2011/04/10 15:28:38.0625 2860 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\System32\DRIVERS\alim1541.sys
2011/04/10 15:28:38.0781 2860 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\System32\DRIVERS\amdagp.sys
2011/04/10 15:28:38.0921 2860 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\System32\DRIVERS\amsint.sys
2011/04/10 15:28:39.0078 2860 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\System32\DRIVERS\asc.sys
2011/04/10 15:28:39.0187 2860 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\System32\DRIVERS\asc3350p.sys
2011/04/10 15:28:39.0312 2860 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\System32\DRIVERS\asc3550.sys
2011/04/10 15:28:39.0437 2860 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
2011/04/10 15:28:39.0593 2860 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/04/10 15:28:39.0750 2860 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/10 15:28:40.0000 2860 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/04/10 15:28:40.0140 2860 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/04/10 15:28:40.0281 2860 AVGIDSDriver (0c61f066f4d94bd67063dc6691935143) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
2011/04/10 15:28:40.0453 2860 AVGIDSEH (84853f800cd69252c3c764fe50d0346f) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
2011/04/10 15:28:40.0593 2860 AVGIDSFilter (28d6adcd03e10f3838488b9b5d407dd4) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
2011/04/10 15:28:40.0750 2860 AVGIDSShim (0eb16f4dbbb946360af30d2b13a52d1d) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
2011/04/10 15:28:40.0859 2860 Avgldx86 (5fe5a2c2330c376a1d8dcff8d2680a2d) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
2011/04/10 15:28:41.0000 2860 Avgmfx86 (54f1a9b4c9b540c2d8ac4baa171696b1) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
2011/04/10 15:28:41.0078 2860 Avgrkx86 (8da3b77993c5f354cc2977b7ea06d03a) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
2011/04/10 15:28:41.0203 2860 Avgtdix (660788ec46f10ece80274d564fa8b4aa) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
2011/04/10 15:28:41.0343 2860 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/04/10 15:28:41.0484 2860 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\System32\DRIVERS\cbidf2k.sys
2011/04/10 15:28:41.0609 2860 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/04/10 15:28:41.0750 2860 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/04/10 15:28:41.0828 2860 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\System32\DRIVERS\cd20xrnt.sys
2011/04/10 15:28:41.0937 2860 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/04/10 15:28:42.0078 2860 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/04/10 15:28:42.0218 2860 Cdr4_xp (bf79e659c506674c0497cc9c61f1a165) C:\WINDOWS\system32\drivers\Cdr4_xp.sys
2011/04/10 15:28:42.0312 2860 Cdralw2k (2c41cd49d82d5fd85c72d57b6ca25471) C:\WINDOWS\system32\drivers\Cdralw2k.sys
2011/04/10 15:28:42.0437 2860 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/04/10 15:28:42.0578 2860 cdudf_XP (ea7f68e26578e775fd5c1ad435a1655a) C:\WINDOWS\system32\drivers\cdudf_XP.sys
2011/04/10 15:28:42.0796 2860 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\System32\DRIVERS\cmdide.sys
2011/04/10 15:28:42.0921 2860 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\System32\DRIVERS\cpqarray.sys
2011/04/10 15:28:43.0031 2860 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\System32\DRIVERS\dac2w2k.sys
2011/04/10 15:28:43.0140 2860 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\System32\DRIVERS\dac960nt.sys
2011/04/10 15:28:43.0296 2860 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/04/10 15:28:43.0453 2860 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/04/10 15:28:43.0625 2860 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/04/10 15:28:43.0718 2860 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/04/10 15:28:43.0828 2860 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/04/10 15:28:43.0921 2860 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\System32\DRIVERS\dpti2o.sys
2011/04/10 15:28:44.0031 2860 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/04/10 15:28:44.0125 2860 drvmcdb (7f056a52bcba3102d2d37a4a2646c807) C:\WINDOWS\system32\drivers\drvmcdb.sys
2011/04/10 15:28:44.0265 2860 drvnddm (d3c1e501ed42e77574b3095309dd4075) C:\WINDOWS\system32\drivers\drvnddm.sys
2011/04/10 15:28:44.0453 2860 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
2011/04/10 15:28:44.0593 2860 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
2011/04/10 15:28:44.0750 2860 dvd_2K (4bbe1395eb7dddbc637ce1c2e4df073a) C:\WINDOWS\system32\drivers\dvd_2K.sys
2011/04/10 15:28:44.0843 2860 E100B (98b46b331404a951cabad8b4877e1276) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/04/10 15:28:45.0062 2860 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
2011/04/10 15:28:45.0218 2860 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/10 15:28:45.0359 2860 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/04/10 15:28:45.0515 2860 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/04/10 15:28:45.0640 2860 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/04/10 15:28:45.0796 2860 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/04/10 15:28:45.0906 2860 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
2011/04/10 15:28:45.0984 2860 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/04/10 15:28:46.0078 2860 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/04/10 15:28:46.0187 2860 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/04/10 15:28:46.0328 2860 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/04/10 15:28:46.0468 2860 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/04/10 15:28:46.0562 2860 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\System32\DRIVERS\hpn.sys
2011/04/10 15:28:46.0656 2860 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/04/10 15:28:46.0812 2860 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/04/10 15:28:46.0968 2860 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\System32\DRIVERS\i2omp.sys
2011/04/10 15:28:47.0093 2860 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/04/10 15:28:47.0234 2860 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
2011/04/10 15:28:47.0375 2860 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
2011/04/10 15:28:47.0484 2860 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
2011/04/10 15:28:47.0609 2860 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
2011/04/10 15:28:47.0750 2860 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
2011/04/10 15:28:47.0875 2860 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
2011/04/10 15:28:47.0984 2860 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
2011/04/10 15:28:48.0125 2860 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
2011/04/10 15:28:48.0375 2860 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
2011/04/10 15:28:48.0515 2860 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
2011/04/10 15:28:48.0671 2860 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\drivers\Imapi.sys
2011/04/10 15:28:48.0843 2860 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\System32\DRIVERS\ini910u.sys
2011/04/10 15:28:48.0984 2860 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\System32\DRIVERS\intelide.sys
2011/04/10 15:28:49.0125 2860 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/04/10 15:28:49.0265 2860 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/04/10 15:28:49.0359 2860 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/04/10 15:28:49.0515 2860 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/04/10 15:28:49.0640 2860 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/04/10 15:28:49.0812 2860 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/04/10 15:28:49.0937 2860 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/04/10 15:28:50.0078 2860 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/10 15:28:50.0218 2860 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/04/10 15:28:50.0312 2860 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/04/10 15:28:50.0437 2860 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/04/10 15:28:50.0671 2860 mmc_2K (3e9f80e333ffe5b6aade9fdec623f1fe) C:\WINDOWS\system32\drivers\mmc_2K.sys
2011/04/10 15:28:50.0812 2860 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/04/10 15:28:50.0937 2860 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/04/10 15:28:51.0078 2860 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/04/10 15:28:51.0218 2860 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/04/10 15:28:51.0328 2860 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/04/10 15:28:51.0421 2860 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\System32\DRIVERS\mraid35x.sys
2011/04/10 15:28:51.0546 2860 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/04/10 15:28:51.0687 2860 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/04/10 15:28:51.0875 2860 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/04/10 15:28:51.0984 2860 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/04/10 15:28:52.0078 2860 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/04/10 15:28:52.0171 2860 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/04/10 15:28:52.0265 2860 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/04/10 15:28:52.0359 2860 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/04/10 15:28:52.0468 2860 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/04/10 15:28:52.0578 2860 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/04/10 15:28:52.0687 2860 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/04/10 15:28:52.0796 2860 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/04/10 15:28:52.0921 2860 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/04/10 15:28:53.0015 2860 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/04/10 15:28:53.0109 2860 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/04/10 15:28:53.0203 2860 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/04/10 15:28:53.0296 2860 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/04/10 15:28:53.0421 2860 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/04/10 15:28:53.0562 2860 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/04/10 15:28:53.0671 2860 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/04/10 15:28:53.0812 2860 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/04/10 15:28:53.0953 2860 nv (5d701fca6f7db7a8a7d21f80a84d291a) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/04/10 15:28:54.0125 2860 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/04/10 15:28:54.0265 2860 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/04/10 15:28:54.0375 2860 omci (53d5f1278d9edb21689bbbcecc09108d) C:\WINDOWS\system32\DRIVERS\omci.sys
2011/04/10 15:28:54.0500 2860 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
2011/04/10 15:28:54.0718 2860 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/04/10 15:28:55.0062 2860 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/04/10 15:28:55.0609 2860 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/04/10 15:28:56.0312 2860 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/04/10 15:28:57.0640 2860 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/04/10 15:28:58.0312 2860 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/04/10 15:29:01.0062 2860 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\System32\DRIVERS\perc2.sys
2011/04/10 15:29:01.0703 2860 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\System32\DRIVERS\perc2hib.sys
2011/04/10 15:29:02.0171 2860 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/04/10 15:29:02.0781 2860 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/04/10 15:29:03.0312 2860 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/04/10 15:29:04.0265 2860 PSI (d24dfd16a1e2a76034df5aa18125c35d) C:\WINDOWS\system32\DRIVERS\psi_mf.sys
2011/04/10 15:29:05.0375 2860 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/04/10 15:29:06.0125 2860 Pwd_2k (1c1ebef8af3a98de2749ebea323ac45f) C:\WINDOWS\system32\drivers\Pwd_2k.sys
2011/04/10 15:29:06.0890 2860 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/04/10 15:29:07.0562 2860 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\System32\DRIVERS\ql1080.sys
2011/04/10 15:29:08.0218 2860 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\System32\DRIVERS\ql10wnt.sys
2011/04/10 15:29:08.0953 2860 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\System32\DRIVERS\ql12160.sys
2011/04/10 15:29:09.0625 2860 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\System32\DRIVERS\ql1240.sys
2011/04/10 15:29:10.0375 2860 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\System32\DRIVERS\ql1280.sys
2011/04/10 15:29:11.0140 2860 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/04/10 15:29:11.0828 2860 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/04/10 15:29:12.0640 2860 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/04/10 15:29:14.0234 2860 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/04/10 15:29:14.0875 2860 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/04/10 15:29:15.0531 2860 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/04/10 15:29:16.0125 2860 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/04/10 15:29:16.0859 2860 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/04/10 15:29:17.0593 2860 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/04/10 15:29:18.0296 2860 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/04/10 15:29:19.0031 2860 Ser2pl (6ce397c482bede91a38e56a8c4a0dc6d) C:\WINDOWS\system32\DRIVERS\ser2pl.sys
2011/04/10 15:29:19.0671 2860 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/04/10 15:29:20.0328 2860 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/04/10 15:29:20.0984 2860 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/04/10 15:29:22.0078 2860 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\System32\DRIVERS\sisagp.sys
2011/04/10 15:29:22.0750 2860 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/04/10 15:29:23.0453 2860 smwdm (31fd0707c7dbe715234f2823b27214fe) C:\WINDOWS\system32\drivers\smwdm.sys
2011/04/10 15:29:24.0343 2860 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\System32\DRIVERS\sparrow.sys
2011/04/10 15:29:25.0109 2860 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/04/10 15:29:26.0015 2860 SQTECH905C (80bba4f191ad76ef2d31dab9162d3fae) C:\WINDOWS\system32\Drivers\Capt905c.sys
2011/04/10 15:29:26.0859 2860 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\System32\DRIVERS\sr.sys
2011/04/10 15:29:27.0906 2860 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/04/10 15:29:29.0281 2860 sscdbhk5 (328e8bb94ec58480f60458fb4b8437a7) C:\WINDOWS\system32\drivers\sscdbhk5.sys
2011/04/10 15:29:30.0218 2860 ssrtln (7ec8b427cee5c0cdac066320b93f1355) C:\WINDOWS\system32\drivers\ssrtln.sys
2011/04/10 15:29:31.0046 2860 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/04/10 15:29:31.0906 2860 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/04/10 15:29:32.0781 2860 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/04/10 15:29:33.0812 2860 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\System32\DRIVERS\symc810.sys
2011/04/10 15:29:34.0781 2860 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\System32\DRIVERS\symc8xx.sys
2011/04/10 15:29:35.0765 2860 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\System32\DRIVERS\sym_hi.sys
2011/04/10 15:29:36.0671 2860 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\System32\DRIVERS\sym_u3.sys
2011/04/10 15:29:37.0468 2860 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/04/10 15:29:38.0437 2860 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/10 15:29:39.0609 2860 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/04/10 15:29:40.0500 2860 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/04/10 15:29:41.0468 2860 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/04/10 15:29:42.0375 2860 tfsnboio (c229bf90443be8d3bd2b65d7f3ac0f35) C:\WINDOWS\system32\dla\tfsnboio.sys
2011/04/10 15:29:43.0265 2860 tfsncofs (79ee9fcd7728e54ab8fbc30962f0416f) C:\WINDOWS\system32\dla\tfsncofs.sys
2011/04/10 15:29:44.0234 2860 tfsndrct (9efb37e7de17d783a059b653f7e8afad) C:\WINDOWS\system32\dla\tfsndrct.sys
2011/04/10 15:29:45.0062 2860 tfsndres (130254995ebedcb34d62e8d78ec9dbd0) C:\WINDOWS\system32\dla\tfsndres.sys
2011/04/10 15:29:45.0953 2860 tfsnifs (9b40e1e4aeed849812a2e43a388a7e77) C:\WINDOWS\system32\dla\tfsnifs.sys
2011/04/10 15:29:46.0859 2860 tfsnopio (818047ad850b312705aa17ca96b9427d) C:\WINDOWS\system32\dla\tfsnopio.sys
2011/04/10 15:29:47.0796 2860 tfsnpool (4603e813bcc6dd465cd8d2afd37fa90d) C:\WINDOWS\system32\dla\tfsnpool.sys
2011/04/10 15:29:48.0828 2860 tfsnudf (6fc2cd904a9a55acfdfc780a611a75ed) C:\WINDOWS\system32\dla\tfsnudf.sys
2011/04/10 15:29:49.0796 2860 tfsnudfa (d4afa4d00f8db3fd1c15b3fe49c3a96c) C:\WINDOWS\system32\dla\tfsnudfa.sys
2011/04/10 15:29:50.0734 2860 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\System32\DRIVERS\toside.sys
2011/04/10 15:29:51.0609 2860 UdfReadr_xp (5f42cfd09030af449ab7306bae429fb7) C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
2011/04/10 15:29:52.0640 2860 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/04/10 15:29:53.0656 2860 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\System32\DRIVERS\ultra.sys
2011/04/10 15:29:54.0640 2860 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/04/10 15:29:55.0843 2860 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/04/10 15:29:56.0765 2860 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/04/10 15:29:57.0609 2860 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/04/10 15:29:58.0437 2860 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/04/10 15:29:59.0281 2860 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/04/10 15:30:00.0218 2860 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/04/10 15:30:01.0078 2860 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/04/10 15:30:01.0953 2860 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/04/10 15:30:02.0796 2860 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/04/10 15:30:03.0656 2860 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\System32\DRIVERS\viaagp.sys
2011/04/10 15:30:05.0125 2860 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\System32\DRIVERS\viaide.sys
2011/04/10 15:30:05.0984 2860 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/04/10 15:30:06.0578 2860 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/04/10 15:30:07.0796 2860 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/04/10 15:30:08.0578 2860 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/04/10 15:30:09.0031 2860 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/04/10 15:30:09.0656 2860 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/04/10 15:30:09.0750 2860 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/04/10 15:30:09.0765 2860 ================================================================================
2011/04/10 15:30:09.0765 2860 Scan finished
2011/04/10 15:30:09.0765 2860 ================================================================================
2011/04/10 15:30:09.0796 3276 Detected object count: 1
2011/04/10 15:30:24.0500 3276 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/04/10 15:30:24.0500 3276 \HardDisk0 - ok
2011/04/10 15:30:24.0500 3276 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/04/10 15:30:31.0343 0492 Deinitialize success
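
The TDSSKiller line above reports the TDL4 bootkit on \HardDisk0 rather than in any file: TDL4 overwrites the master boot record (sector 0) so its loader runs before Windows does, and it keeps the original MBR and its own components in unpartitioned space at the end of the disk, which is why file-based scanners can miss it. TDSSKiller's "Cure" restores a clean MBR on reboot. As an added example (not code from the thread or from TDSSKiller), the Python below parses a 512-byte MBR, hashes the boot-code region, reads the partition table and measures the unallocated tail, then reports what differs from a known-good copy. The sample MBR, the disk size, the tail threshold and the known-good hash are all constructed for the example; in practice the hash would come from a trusted image of the same disk.

```python
# Added example (not from the thread or from TDSSKiller): parse and sanity-check
# a 512-byte MBR after a "\HardDisk0 - Rootkit.Win32.TDSS.tdl4" detection.
# The sample MBR, disk size and threshold below are constructed for this
# example; the known-good hash is derived from the sample, where in practice
# it would come from a trusted image of the same disk.
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFF = 446          # boot code occupies bytes 0..445
ENTRY_SIZE = 16               # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
# XP aligns partitions to CHS cylinders (255*63 = 16065 sectors), so a tail
# shorter than one cylinder is normal; anything larger deserves a look.
MAX_NORMAL_TAIL = 16065


def read_mbr(path):
    r"""Read sector 0 from a raw device or an image file.

    Windows: r"\\.\PhysicalDrive0" (needs admin); Linux: "/dev/sda".
    Read it from a clean boot medium: an active TDL4 hooks the disk
    miniport and hands readers on the infected system a clean-looking MBR.
    """
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def parse_mbr(mbr):
    """Return boot-code hash, partition entries and signature state."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly %d bytes, got %d" % (MBR_SIZE, len(mbr)))
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFF + slot * ENTRY_SIZE
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(mbr[:PART_TABLE_OFF]).hexdigest(),
        "partitions": partitions,
    }


def unallocated_tail(parsed, disk_sectors):
    """Sectors after the last partition: where TDL4 keeps its hidden file system."""
    end = max((p["lba_start"] + p["sectors"] for p in parsed["partitions"]), default=0)
    return max(disk_sectors - end, 0)


def check_mbr(mbr, known_good_boot_sha256, disk_sectors, max_tail=MAX_NORMAL_TAIL):
    """Return a list of findings; an empty list means nothing stood out."""
    parsed = parse_mbr(mbr)
    findings = []
    if not parsed["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if parsed["boot_code_sha256"] != known_good_boot_sha256:
        findings.append("boot code differs from known-good image")
    if not any(p["bootable"] for p in parsed["partitions"]):
        findings.append("no partition flagged active")
    tail = unallocated_tail(parsed, disk_sectors)
    if tail > max_tail:
        findings.append("%d unallocated sectors after last partition" % tail)
    return findings


def build_sample_mbr(boot_code):
    """Constructed MBR: the given boot code plus one active NTFS partition."""
    code = boot_code.ljust(PART_TABLE_OFF, b"\x00")[:PART_TABLE_OFF]
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, PART_SECTORS)
    return code + entry + b"\x00" * (3 * ENTRY_SIZE) + BOOT_SIGNATURE


DISK_SECTORS = 156_301_488   # constructed: an 80 GB disk
PART_SECTORS = 156_296_832   # constructed: leaves 4593 sectors unallocated
# Stand-in for the stock loader's first bytes (xor ax,ax; mov ss,ax; mov sp,7C00h).
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
KNOWN_GOOD = hashlib.sha256(CLEAN_MBR[:PART_TABLE_OFF]).hexdigest()
# A bootkit keeps the partition table intact and replaces only the loader bytes.
TAMPERED_MBR = build_sample_mbr(b"\xeb\x1e\x90" + b"stand-in for a bootkit loader")

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(mbr, KNOWN_GOOD, DISK_SECTORS) or "ok")
```

The boot-code hash is the check that matters: a bootkit leaves the partition table and the 0x55AA signature intact and replaces only the first 446 bytes, so a parser that merely confirms the MBR "looks valid" learns nothing. Compare against an MBR captured from the same machine before the incident or from the OEM recovery media, and take the sector from a boot CD or a second machine, not from the running system.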

#4 heir
  • Malware Response Team
  • 763 posts
  • Gender:Male
  • Local time:03:05 AM

Posted 10 April 2011 - 02:54 PM

(on reboot the Windows update symbol appear in the tray!) I did not click on it yet..

And don't yet until we've removed the malware.


And the DDS.txt ?

Edited by heir, 10 April 2011 - 02:55 PM.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#5 EAB
  • Topic Starter
  • Members
  • 23 posts
  • Local time:07:05 PM

Posted 10 April 2011 - 02:58 PM

Here is the second DDS run results:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Heather at 15:52:26.40 on Sun 04/10/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.1921 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
svchost.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\AVG\AVG10\avgam.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Heather\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dellnet.com
uWindow Title = Microsoft Internet Explorer provided by Sympatico
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sonicc~1.lnk - c:\program files\common files\sonic shared\CineTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: microsoft.com\.update
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
Trusted Zone: windowsupdate.com\download
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {11111111-1111-1111-1111-114551263637} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f22776.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} - hxxps://iportal.sickkids.ca/InternalSite/WhlCompMgr.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37915.6379976852
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://blacks.pnimedia.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/plugins/activex/YoYo.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
TCP: {B5A80762-009E-43A6-97C6-E6DFA084D4F6} = 207.164.234.193 207.164.234.129
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll schannel.dll digest.dll msnsspc.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\heather\applic~1\mozilla\firefox\profiles\default.4hy\
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-1-29 54752]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-1-10 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-1-10 399416]
R2 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;c:\program files\microsoft forefront uag\endpoint components\3.1.0\uagqecsvc.exe [2010-12-26 149904]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 26192]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S3 DMService;Whale Component Manager;c:\windows\downloaded program files\dm.0\dmservice.exe --> c:\windows\downloaded program files\dm.0\DMService.exe [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2002-8-29 14336]
.
=============== File Associations ===============
.
regfile=regedit.exe "%1" %*
scrfile="%1" %*
.
=============== Created Last 30 ================
.
2011-04-09 11:34:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-09 11:34:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-07 14:54:56 -------- d-----w- c:\docume~1\heather\applic~1\AVG
2011-04-05 23:41:21 -------- d-sh--w- C:\found.000
2011-04-05 01:31:50 -------- d-----w- c:\docume~1\heather\locals~1\applic~1\Secunia PSI
2011-04-05 01:31:18 -------- d-----w- c:\program files\Secunia
2011-04-05 00:41:00 -------- d-----w- c:\documents and settings\heather\Forefront UAG Remote Access Agent
2011-04-04 21:44:19 -------- d--h--w- C:\$AVG
2011-04-04 21:29:34 -------- d-----w- c:\docume~1\heather\applic~1\AVG10
2011-04-04 21:10:59 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-04-04 20:50:52 -------- d-----w- c:\windows\system32\drivers\AVG
2011-04-04 20:50:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-04-04 20:49:33 -------- d-----w- c:\program files\AVG
2011-04-04 20:43:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-04-04 20:35:53 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-04 20:35:51 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-04-04 20:35:51 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-04-04 20:35:51 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-04-04 20:35:51 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-04-04 20:35:51 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-04-04 20:35:51 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-04-04 20:35:51 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-04-03 21:13:38 0 ----a-w- c:\windows\Ucifu.bin
2011-04-03 21:13:35 -------- d-----w- c:\docume~1\heather\locals~1\applic~1\{E03760F7-937E-4127-BF9D-45E3B9DBA4D3}
2011-04-03 21:12:11 91136 --sha-r- c:\windows\system32\WOWFAXUIJ.dll
2011-03-28 00:35:53 -------- d-----w- c:\docume~1\heather\applic~1\.minecraft
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ------w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ------w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ------w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ------w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2005-09-05 05:12:54 369896 ----a-w- c:\program files\WindowsXP-KB888240-x86-ENU.exe
2005-09-05 05:08:02 491768 ----a-w- c:\program files\ie6setup.exe
2005-09-05 04:24:50 7936144 ----a-w- c:\program files\DX81NTeng.exe
2005-09-05 03:51:56 214235269 ----a-w- c:\program files\MSSetup.exe
.
============= FINISH: 15:54:09.31 ===============

Attached Files
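
The DDS log is the part of this exchange that actually carries indicators, and a helper reads it by eye for a few patterns: Downloaded Program Files (DPF) entries whose source is not an http(s) .cab, files created in c:\windows or system32 with the system and hidden attributes set around the date the trouble started, zero-byte files dropped in the Windows root, IE menu entries pointing at third-party search sites, and the resolvers in the TCP line, which should be the ISP's. As an added example (not the thread's or DDS's own code), the Python below applies those rules to lines copied from the log above and returns what to review. It flags, it does not convict; the rule names and heuristics are assumptions made for the example.

```python
# Added example (not from the thread or from DDS): heuristic triage of DDS
# "Pseudo HJT Report" and "Created Last 30" lines. The rule names and
# heuristics are assumptions for this example; the sample lines are copied
# from the DDS log posted above.
import re

DDS_SAMPLE = r"""
IE: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
DPF: {11111111-1111-1111-1111-114551263637} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f22776.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: {B5A80762-009E-43A6-97C6-E6DFA084D4F6} = 207.164.234.193 207.164.234.129
2011-04-09 11:34:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-05 23:41:21 -------- d-sh--w- C:\found.000
2011-04-03 21:13:38 0 ----a-w- c:\windows\Ucifu.bin
2011-04-03 21:12:11 91136 --sha-r- c:\windows\system32\WOWFAXUIJ.dll
2011-02-09 13:53:52 270848 ------w- c:\windows\system32\sbe.dll
"""

# DDS writes hxxp for live URLs; file:// is how local .cab sources appear.
OK_SCHEMES = ("hxxp://", "hxxps://", "http://", "https://", "file://")
REMOTE_SCHEMES = OK_SCHEMES[:4]

DPF_RE = re.compile(r"^DPF:\s+(\{[0-9A-Fa-f-]+\})\s+-\s+(\S+)")
IE_RE = re.compile(r"^IE:\s+(.+?)\s+-\s+(\S+)")
TCP_RE = re.compile(r"^TCP:\s+\{[^}]+\}\s+=\s+(.+)$")
# date time size attrs path; directories show "--------" for size and are skipped
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+([d-][\w-]{7})\s+(.+)$")


def triage(text):
    """Return a list of (rule, detail, item) tuples for lines worth a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = DPF_RE.match(line)
        if m:
            clsid, src = m.groups()
            low = src.lower()
            # ActiveX controls are delivered as a .cab over http(s) or from a local
            # file; an mhtml:file:// source chaining to a remote .exe is not that.
            if not low.startswith(OK_SCHEMES) or not low.endswith(".cab"):
                findings.append(("dpf-suspicious-source", clsid, src))
            continue
        m = IE_RE.match(line)
        if m:
            label, target = m.groups()
            if target.lower().startswith(REMOTE_SCHEMES):
                findings.append(("ie-menu-remote-url", label, target))
            continue
        m = TCP_RE.match(line)
        if m:
            # Not a verdict: the resolvers should be the ISP's. Anything else is
            # how DNS-changing malware keeps redirects alive after a clean-up.
            findings.append(("dns-servers-verify", "compare with ISP", m.group(1)))
            continue
        m = FILE_RE.match(line)
        if m:
            when, size, attrs, path = m.groups()
            low = path.lower()
            if not low.startswith("c:\\windows\\"):
                continue
            # attribute flags: d=dir, s=system, h=hidden, a=archive, r/w=access
            if "s" in attrs[:4] and "h" in attrs[:4]:
                findings.append(("hidden-system-file", when, path))
            elif size == "0" and low.count("\\") == 2:
                findings.append(("empty-file-in-windows-root", when, path))
    return findings


if __name__ == "__main__":
    for rule, detail, item in triage(DDS_SAMPLE):
        print("%-28s %-22s %s" % (rule, detail, item))
```

On the sample, the rules pick out the same lines a helper would circle: the DPF entry with a CLSID of repeated 1s and an mhtml:file:// source that ends in a remote .exe, the system+hidden DLL in system32 and the zero-byte .bin in the Windows root, both created on 2011-04-03, the need2find search entry, and the two resolvers to confirm against the ISP. Each is a lead to check (hash, signer, creation date) rather than a verdict.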



#6 EAB
  • Topic Starter
  • Members
  • 23 posts
  • Local time:07:05 PM

Posted 10 April 2011 - 03:16 PM

Aside from the Windows Update icon in the tray, the other change is that the redirect seems to be gone. I can go to Microsoft Update from a Google search and not be redirected like before. Still have not clicked on the update icon, as you suggested.
EAB

#7 heir
  • Malware Response Team
  • 763 posts
  • Gender:Male
  • Local time:03:05 AM

Posted 10 April 2011 - 03:17 PM

Looking better.

Step 1.
Clean temp locations:

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

Step 2.
Scan with MBAM:

  • Launch Malwarebytes' Anti-Malware
  • Update Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Step 3.
Scan with Kaspersky Online Scanner:

Please do an online scan with Kaspersky Online Scanner

Kaspersky Online Scanner uses Java technology to perform the scan. If you do not have the latest Java version, follow the instructions below under Upgrading Java to download and install the latest version.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following are checked:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Upgrading Java:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. NOT supported for use in 9x or ME.

Upgrading Java :
  • Download the latest version of Java SE Runtime Environment (JRE), JRE 6 Update 24.
  • Click the JDK 6 Update 24 (JDK or JRE) "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement."
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u24-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u24-windows-i586.exe and select "Run as an Administrator.")

Step 4.
Things I would like to see in your reply:

  • The content of the report from MBAM from Step 2.
  • The content of the report from Kaspersky Online Scanner from Step 3.
  • Information on how your computer is running after those steps.



#8 EAB
  • Topic Starter
  • Members
  • 23 posts
  • Local time:07:05 PM

Posted 10 April 2011 - 05:55 PM

Hi heir, sorry for the delay. The Malwarebytes scan looked good and is below. Updated Java as advised and ran Kaspersky; the first time it updated databases for 15-20 minutes but then stopped with an error message of an internet interruption and to restart it from the website. Every time I run it from the website now an error comes up nearly right away: 'Update has failed. The program could not be started. Please close the window of Kaspersky Online Scanner 7.0 and start the program again from the web site of Kaspersky Lab. Successful updating of Kaspersky Online Scanner 7.0 and scanning of your computer requires uninterrupted Internet connection. Please make sure that the Internet connection is established. [ERROR: License has expired].'

I disabled AVG antivirus after this problem started and it made no difference. Should I uninstall it?
Thanks for help so far,
EAB

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6327

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/10/2011 4:35:45 PM
mbam-log-2011-04-10 (16-35-45).txt

Scan type: Quick scan
Objects scanned: 147778
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 heir
  • Malware Response Team
  • 763 posts
  • Gender:Male
  • Local time:03:05 AM

Posted 10 April 2011 - 06:08 PM

Let's use another Online Scanner

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic



#10 EAB
  • Topic Starter
  • Members
  • 23 posts
  • Local time:07:05 PM

Posted 10 April 2011 - 07:47 PM

Eset ran with no problem and found no issues (log below)! I have not browsed much but so far have had no redirects when I try to access any Microsoft or anti-malware/virus sites like before. Do you think everything is fine now-can I update Windows?

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=61c6f5269fded6438f9bddd92a431784
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-04-11 12:43:08
# local_time=2011-04-10 08:43:08 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1032 16777213 100 97 0 45539122 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=76922
# found=0
# cleaned=0
# scan_time=3212

#11 heir
  • Malware Response Team
  • 763 posts
  • Gender:Male
  • Local time:03:05 AM

Posted 11 April 2011 - 01:28 AM

We are almost there. There are some lines missing in some logs.

Please do this.

Step 1.
Securitycheck:

Download Security Check from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Step 2.
OTL:

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, tick the box beside Scan All Users at the top.
  • Underneath Output at the top set it to Standard Output.
  • Underneath the option Extra Registry set it to Use SafeList.
  • Underneath the option File Scans tick the boxes beside Use Company Name WhiteList, Skip Microsoft Files, LOP Check, Purity Check.
  • Click the Run Scan button. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.

Step 3.
Things I would like to see in your reply:

  • The content of checkup.txt from step 1.
  • The content of OTL.txt and Extras.txt from step 2.



#12 EAB
  • Topic Starter
  • Members
  • 23 posts
  • Local time:07:05 PM

Posted 11 April 2011 - 09:39 AM

Thanks very much, I'm still with you but can't do the next steps until later today; will post results then. Meanwhile, could you please comment on my Windows Firewall issue? When I try to check that it's on I get this message: "Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) Service?" Is this a cause for concern, or should I just start the ICS Service (or wait until we have finished the clean-up)?
Thanks again- EAB

#13 heir
  • Malware Response Team
  • 763 posts
  • Gender:Male
  • Local time:03:05 AM

Posted 11 April 2011 - 03:21 PM

It should be safe to start the service now.



#14 EAB

  • Topic Starter
  • Members
  • 23 posts

Posted 11 April 2011 - 06:32 PM

Here are the results of Security Check and OTL:

Results of screen317's Security Check version 0.99.10
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
AVG 2011
AVG PC Tuneup 2011
AVG 2011
ESET Online Scanner v3
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
AVG PC Tuneup 2011
Java™ 6 Update 24
Adobe Flash Player 9.0.289.0
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Reader 9
Out of date Adobe Reader installed!
Mozilla Firefox (x86 en-GB..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````


OTL logfile created on: 4/11/2011 7:19:36 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Heather\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 79.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.47 Gb Total Space | 33.80 Gb Free Space | 45.38% Space Free | Partition Type: NTFS

Computer Name: SAM | User Name: Heather | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: Off | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/11 18:59:07 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Heather\Desktop\OTL.exe
PRC - [2011/01/10 10:24:20 | 000,993,848 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psia.exe
PRC - [2011/01/10 10:24:20 | 000,399,416 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\sua.exe
PRC - [2011/01/10 10:24:20 | 000,291,896 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psi_tray.exe
PRC - [2011/01/07 01:22:54 | 002,747,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgtray.exe
PRC - [2011/01/07 01:22:44 | 001,084,256 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgnsx.exe
PRC - [2011/01/07 01:22:12 | 001,052,512 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgemcx.exe
PRC - [2011/01/06 15:23:20 | 000,737,872 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
PRC - [2011/01/06 15:23:18 | 006,128,720 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
PRC - [2010/12/05 16:26:40 | 000,654,176 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgrsx.exe
PRC - [2010/12/05 16:26:12 | 000,650,592 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgchsvx.exe
PRC - [2010/10/22 04:58:18 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgwdsvc.exe
PRC - [2010/10/22 04:56:58 | 000,845,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgcsrvx.exe
PRC - [2010/10/22 04:56:48 | 000,745,824 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgam.exe
PRC - [2010/04/09 00:53:33 | 000,149,904 | ---- | M] (Microsoft ® Corporation) -- C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/10 15:12:44 | 000,069,632 | ---- | M] (Software 2000 Limited) -- C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HP1006MC.EXE
PRC - [2006/07/25 02:01:00 | 000,114,688 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Sonic Shared\CineTray.exe
PRC - [2003/10/14 23:55:48 | 000,026,112 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\realplay.exe
PRC - [2001/11/27 09:10:00 | 000,106,560 | ---- | M] (WinZip Computing, Inc.) -- C:\Program Files\WinZip\WZQKPICK.EXE


========== Modules (SafeList) ==========

MOD - [2011/04/11 18:59:07 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Heather\Desktop\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (DMService)
SRV - File not found [Disabled | Stopped] -- -- (AppMgmt)
SRV - [2011/01/10 10:24:20 | 000,993,848 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\PSIA.exe -- (Secunia PSI Agent)
SRV - [2011/01/10 10:24:20 | 000,399,416 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\sua.exe -- (Secunia Update Agent)
SRV - [2011/01/06 15:23:18 | 006,128,720 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2010/10/22 04:58:18 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\avgwdsvc.exe -- (avgwd)
SRV - [2010/09/01 15:52:56 | 000,066,112 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus®
SRV - [2010/04/09 00:53:33 | 000,149,904 | ---- | M] (Microsoft ® Corporation) [Auto | Running] -- C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe -- (uagqecsvc)
SRV - [2008/12/01 11:59:52 | 000,033,752 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper) getPlus®
SRV - [2007/03/07 15:47:46 | 000,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2003/03/03 14:33:40 | 000,143,360 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)


========== Driver Services (SafeList) ==========

DRV - [2010/12/08 04:12:38 | 000,251,728 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\avgldx86.sys -- (Avgldx86)
DRV - [2010/11/12 13:19:38 | 000,299,984 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\avgtdix.sys -- (Avgtdix)
DRV - [2010/09/13 15:27:24 | 000,025,680 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
DRV - [2010/09/07 03:48:56 | 000,034,384 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\avgmfx86.sys -- (Avgmfx86)
DRV - [2010/09/07 03:48:50 | 000,026,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - [2010/09/01 04:30:58 | 000,015,544 | ---- | M] (Secunia) [File_System | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\psi_mf.sys -- (PSI)
DRV - [2010/08/03 15:23:36 | 000,026,192 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2010/08/03 15:23:34 | 000,123,472 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2010/08/03 15:23:32 | 000,030,288 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2009/08/05 23:48:42 | 000,054,752 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\fssfltr_tdi.sys -- (fssfltr)
DRV - [2007/02/25 12:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\dsunidrv.sys -- (dsunidrv)
DRV - [2006/10/05 16:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/10/04 22:42:42 | 000,002,560 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2006/10/04 22:42:42 | 000,002,432 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2005/07/13 12:08:20 | 000,033,890 | ---- | M] (Service & Quality Technology.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\Capt905c.sys -- (SQTECH905C)
DRV - [2004/08/04 01:29:49 | 000,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys -- (iAimFP4)
DRV - [2004/08/04 01:29:47 | 000,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys -- (iAimFP3)
DRV - [2004/08/04 01:29:45 | 000,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys -- (iAimTV4)
DRV - [2004/08/04 01:29:43 | 000,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys -- (iAimTV3)
DRV - [2004/08/04 01:29:42 | 000,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys -- (iAimTV1)
DRV - [2004/08/04 01:29:41 | 000,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys -- (iAimTV0)
DRV - [2004/08/04 01:29:37 | 000,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys -- (iAimFP0)
DRV - [2004/08/04 01:29:37 | 000,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys -- (iAimFP1)
DRV - [2004/08/04 01:29:37 | 000,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys -- (iAimFP2)
DRV - [2004/08/04 01:29:36 | 000,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys -- (i81x)
DRV - [2004/06/28 11:08:56 | 000,042,752 | ---- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ser2pl.sys -- (Ser2pl)
DRV - [2003/10/26 22:49:15 | 000,233,856 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\cdudf_xp.sys -- (cdudf_XP)
DRV - [2003/10/26 22:49:15 | 000,206,080 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\udfreadr_xp.sys -- (UdfReadr_xp)
DRV - [2003/10/26 22:49:15 | 000,103,206 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\Pwd_2k.sys -- (Pwd_2k)
DRV - [2003/10/26 22:49:15 | 000,024,918 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\mmc_2k.sys -- (mmc_2K)
DRV - [2003/10/26 22:49:15 | 000,024,118 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\dvd_2k.sys -- (dvd_2K)
DRV - [2003/10/14 23:55:51 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2002/11/08 14:45:06 | 000,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)
DRV - [2001/08/17 13:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2964962961-2529405911-1854799536-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
IE - HKU\S-1-5-21-2964962961-2529405911-1854799536-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-2964962961-2529405911-1854799536-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
IE - HKU\S-1-5-21-2964962961-2529405911-1854799536-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\{E03760F7-937E-4127-BF9D-45E3B9DBA4D3}: C:\Documents and Settings\Heather\Local Settings\Application Data\{E03760F7-937E-4127-BF9D-45E3B9DBA4D3}\ [2011/04/03 17:13:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG10\Firefox4\ [2011/04/04 17:04:53 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/04 21:51:43 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/04 21:51:43 | 000,000,000 | ---D | M]

[2010/09/11 08:42:39 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Heather\Application Data\Mozilla\Extensions
[2011/04/05 20:51:20 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\default.4hy\extensions
[2010/09/12 15:25:01 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\default.4hy\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2004/09/08 20:44:15 | 000,000,000 | ---D | M] (DOM Inspector) -- C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\default.4hy\extensions\{641d8d09-7dda-4850-8228-ac0ab65e2ac9}
[2004/09/08 20:44:15 | 000,000,000 | ---D | M] (Firefox (default)) -- C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\default.4hy\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2011/04/05 20:51:20 | 000,000,000 | ---D | M] (Canadian English Dictionary) -- C:\Documents and Settings\Heather\Application Data\Mozilla\Firefox\Profiles\default.4hy\extensions\en-CA@dictionaries.addons.mozilla.org
[2011/04/10 18:02:45 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2004/09/08 21:10:28 | 000,000,000 | ---D | M] (DOM Inspector) -- C:\Program Files\Mozilla Firefox\extensions\{641d8d09-7dda-4850-8228-ac0ab65e2ac9}
[2010/05/21 20:34:19 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/08/14 10:34:07 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/11/14 13:54:34 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/04/10 18:02:45 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2004/09/08 20:43:57 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\defaults\profile\extensions
[2004/09/08 20:43:57 | 000,000,000 | ---D | M] (DOM Inspector) -- C:\Program Files\Mozilla Firefox\defaults\profile\extensions\{641d8d09-7dda-4850-8228-ac0ab65e2ac9}
[2004/09/08 20:43:57 | 000,000,000 | ---D | M] (Firefox (default)) -- C:\Program Files\Mozilla Firefox\defaults\profile\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2011/03/18 13:57:02 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2004/08/04 14:28:00 | 000,053,349 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jar50.dll
[2004/08/04 14:29:00 | 000,061,535 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jsd3250.dll
[2004/08/04 14:28:00 | 000,168,039 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\xpinstal.dll
[2011/04/10 18:02:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2003/11/18 13:37:32 | 000,241,664 | ---- | M] (Musicnotes, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npmusicn.dll
[2004/01/13 22:09:25 | 000,176,176 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
[2010/01/01 04:00:00 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml
[2010/01/01 04:00:00 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/01/01 04:00:00 | 000,001,180 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2004/08/04 14:28:00 | 000,001,076 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.gif
[2004/08/04 14:28:00 | 000,000,728 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.src
[2010/01/01 04:00:00 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

Hosts file not found
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe (RealNetworks, Inc.)
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe (Sonic Solutions)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2964962961-2529405911-1854799536-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-2964962961-2529405911-1854799536-1007\..Trusted Domains: ([]msn in My Computer)
O15 - HKU\S-1-5-21-2964962961-2529405911-1854799536-1007\..Trusted Domains: microsoft.com ([.update] http in Trusted sites)
O15 - HKU\S-1-5-21-2964962961-2529405911-1854799536-1007\..Trusted Domains: microsoft.com ([.update] https in Trusted sites)
O15 - HKU\S-1-5-21-2964962961-2529405911-1854799536-1007\..Trusted Domains: microsoft.com ([update] http in Trusted sites)
O15 - HKU\S-1-5-21-2964962961-2529405911-1854799536-1007\..Trusted Domains: microsoft.com ([update] https in Trusted sites)
O15 - HKU\S-1-5-21-2964962961-2529405911-1854799536-1007\..Trusted Domains: microsoft.com ([windowsupdate] http in Trusted sites)
O15 - HKU\S-1-5-21-2964962961-2529405911-1854799536-1007\..Trusted Domains: microsoft.com ([www.update] http in Trusted sites)
O15 - HKU\S-1-5-21-2964962961-2529405911-1854799536-1007\..Trusted Domains: windowsupdate.com ([download] http in Trusted sites)
O16 - DPF: {11111111-1111-1111-1111-114551263637} mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f22776.exe (Reg Error: Key error.)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} https://iportal.sickkids.ca/InternalSite/WhlCompMgr.cab (Forefront UAG endpoint components)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37915.6379976852 (Reg Error: Key error.)
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} http://www.sibelius.com/download/software/win/ActiveXPlugin.cab (ScorchPlugin Class)
O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} http://blacks.pnimedia.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab (Photo Upload Plugin Class)
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} http://www.yoyogames.com/plugins/activex/YoYo.cab (YYGInstantPlay Control)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Filter\text/html {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - Reg Error: Key error. File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\System32\NavLogon.dll - C:\WINDOWS\SYSTEM32\NavLogon.dll ()
O20 - Winlogon\Notify\WgaLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop Components:0 () - file:///C:/DOCUME~1/Heather/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
O24 - Desktop Components:1 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Heather\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Heather\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/03 09:59:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{5d5fb156-3604-11dc-9a85-0007e9498087}\Shell - "" = AutoRun
O33 - MountPoints2\{5d5fb156-3604-11dc-9a85-0007e9498087}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{5d5fb156-3604-11dc-9a85-0007e9498087}\Shell\AutoRun\command - "" = E:\LaunchU3.exe
O33 - MountPoints2\{8d9d632a-2d21-11de-9d8c-0007e9498087}\Shell\AutoRun\command - "" = E:\9nwep.bat
O33 - MountPoints2\{8d9d632a-2d21-11de-9d8c-0007e9498087}\Shell\open\Command - "" = E:\9nwep.bat
O33 - MountPoints2\{a14040f2-ee1c-11de-9eec-0007e9498087}\Shell\AutoRun\command - "" = E:\sdvnon.com
O33 - MountPoints2\{a14040f2-ee1c-11de-9eec-0007e9498087}\Shell\open\Command - "" = E:\sdvnon.com
O33 - MountPoints2\{a63ab12d-0780-11e0-9d15-0007e9498087}\Shell - "" = AutoRun
O33 - MountPoints2\{a63ab12d-0780-11e0-9d15-0007e9498087}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a63ab12d-0780-11e0-9d15-0007e9498087}\Shell\AutoRun\command - "" = E:\interface.exe
O33 - MountPoints2\{bbee548c-3e6e-11df-9faa-0007e9498087}\Shell\AutoRun\command - "" = E:\Autorun.exe /run
O33 - MountPoints2\{bbee548c-3e6e-11df-9faa-0007e9498087}\Shell\Shell00\Command - "" = E:\Autorun.exe /run
O33 - MountPoints2\{bbee548c-3e6e-11df-9faa-0007e9498087}\Shell\Shell01\Command - "" = E:\Autorun.exe /action
O33 - MountPoints2\{bbee548c-3e6e-11df-9faa-0007e9498087}\Shell\Shell02\Command - "" = E:\Autorun.exe /uninstall
O33 - MountPoints2\{c6016604-ec11-11dd-9d0c-0007e9498087}\Shell\AutoRun\command - "" = E:\sdvnon.com
O33 - MountPoints2\{c6016604-ec11-11dd-9d0c-0007e9498087}\Shell\open\Command - "" = E:\sdvnon.com
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - C:\Program Files\AVG\AVG10\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart) - C:\Program Files\AVG\AVG10\avgrsx.exe (AVG Technologies CZ, s.r.o.)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/11 18:59:07 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Heather\Desktop\OTL.exe
[2011/04/10 19:46:43 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/04/10 18:02:57 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/04/10 16:19:18 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Heather\Desktop\TFC.exe
[2011/04/10 15:27:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Heather\Desktop\TDSS
[2011/04/09 07:34:18 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/04/09 07:34:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/09 07:34:14 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/04/09 07:30:51 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Heather\Desktop\mbam-setup-1.50.1.1100.exe
[2011/04/07 13:02:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer
[2011/04/07 10:54:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Heather\Application Data\AVG
[2011/04/07 10:52:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/04/07 10:51:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG PC Tuneup 2011
[2011/04/07 10:42:10 | 007,592,248 | ---- | C] (AVG ) -- C:\Documents and Settings\Heather\Desktop\avg_pct_stf_all_2011_24_c4.exe
[2011/04/05 22:36:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities
[2011/04/05 19:41:21 | 000,000,000 | -HSD | C] -- C:\found.000
[2011/04/05 09:59:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Heather\Desktop\explorer
[2011/04/04 21:56:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2011/04/04 21:31:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Heather\Local Settings\Application Data\Secunia PSI
[2011/04/04 21:31:18 | 000,000,000 | ---D | C] -- C:\Program Files\Secunia
[2011/04/04 20:41:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Heather\Forefront UAG Remote Access Agent
[2011/04/04 17:44:19 | 000,000,000 | -H-D | C] -- C:\$AVG
[2011/04/04 17:38:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/04/04 17:38:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/04/04 17:29:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Heather\Application Data\AVG10
[2011/04/04 17:10:59 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/04/04 17:04:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG 2011
[2011/04/04 16:50:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2011/04/04 16:50:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\AVG
[2011/04/04 16:49:33 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2011/04/04 16:43:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/04/03 17:38:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/04/03 17:22:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/04/03 17:22:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/04/03 17:13:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Heather\Local Settings\Application Data\{E03760F7-937E-4127-BF9D-45E3B9DBA4D3}
[2011/03/27 20:35:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Heather\Application Data\.minecraft
[2005/09/05 01:12:42 | 000,369,896 | ---- | C] (Microsoft Corporation) -- C:\Program Files\WindowsXP-KB888240-x86-ENU.exe
[2005/09/05 01:07:44 | 000,491,768 | ---- | C] (Microsoft Corporation) -- C:\Program Files\ie6setup.exe
[2005/09/05 00:20:15 | 007,936,144 | ---- | C] (Microsoft Corporation) -- C:\Program Files\DX81NTeng.exe
[2005/09/04 21:54:37 | 214,235,269 | ---- | C] (Wizet) -- C:\Program Files\MSSetup.exe
[2 C:\Documents and Settings\Heather\My Documents\*.tmp files -> C:\Documents and Settings\Heather\My Documents\*.tmp -> ]
[1 C:\Documents and Settings\Heather\Desktop\*.tmp files -> C:\Documents and Settings\Heather\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/11 18:59:07 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Heather\Desktop\OTL.exe
[2011/04/11 18:58:49 | 000,879,081 | ---- | M] () -- C:\Documents and Settings\Heather\Desktop\SecurityCheck.exe
[2011/04/11 18:06:25 | 112,156,645 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2011/04/11 18:02:22 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2011/04/11 18:02:21 | 000,000,318 | -HS- | M] () -- C:\WINDOWS\tasks\coitmfmbq.job
[2011/04/11 18:02:21 | 000,000,312 | -HS- | M] () -- C:\WINDOWS\tasks\fkuuwczd.job
[2011/04/11 18:02:21 | 000,000,308 | -HS- | M] () -- C:\WINDOWS\tasks\JVHWPM.job
[2011/04/11 18:02:17 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2011/04/11 18:02:16 | 2683,375,616 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/10 22:16:42 | 008,388,608 | -H-- | M] () -- C:\Documents and Settings\Heather\NTUSER.DAT
[2011/04/10 22:16:42 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Heather\NTUSER.INI
[2011/04/10 17:07:51 | 000,194,366 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
[2011/04/10 16:19:18 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Heather\Desktop\TFC.exe
[2011/04/10 15:57:42 | 000,003,165 | ---- | M] () -- C:\Documents and Settings\Heather\Desktop\Attach_2.zip
[2011/04/10 15:27:43 | 001,377,112 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Heather\Desktop\TDSSKiller.exe
[2011/04/10 15:26:32 | 001,263,721 | ---- | M] () -- C:\Documents and Settings\Heather\Desktop\tdsskiller.zip
[2011/04/10 14:56:49 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/10 13:47:46 | 000,003,112 | ---- | M] () -- C:\Documents and Settings\Heather\Desktop\Attach.zip
[2011/04/10 13:22:25 | 000,293,019 | ---- | M] () -- C:\Documents and Settings\Heather\Desktop\gmer.zip
[2011/04/10 13:21:53 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Heather\Desktop\Defogger.exe
[2011/04/10 13:21:30 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Heather\Desktop\dds.scr
[2011/04/10 11:28:18 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2011/04/09 07:34:18 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/09 07:30:52 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Heather\Desktop\mbam-setup-1.50.1.1100.exe
[2011/04/07 10:51:57 | 000,000,830 | ---- | M] () -- C:\Documents and Settings\Heather\Desktop\AVG PC Tuneup 2011.lnk
[2011/04/07 10:42:15 | 007,592,248 | ---- | M] (AVG ) -- C:\Documents and Settings\Heather\Desktop\avg_pct_stf_all_2011_24_c4.exe
[2011/04/05 22:18:11 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Heather\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/04/04 21:45:33 | 000,000,753 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
[2011/04/04 16:36:05 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\Heather\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/04/04 16:34:21 | 000,011,696 | -HS- | M] () -- C:\Documents and Settings\Heather\Local Settings\Application Data\08a4u2o670p0ms3ur18g20l873t74n
[2011/04/04 16:34:21 | 000,011,696 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\08a4u2o670p0ms3ur18g20l873t74n
[2011/04/03 17:13:38 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Okabuyiwogilime.dat
[2011/04/03 17:13:38 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Ucifu.bin
[2011/04/03 17:12:11 | 000,091,136 | RHS- | M] () -- C:\WINDOWS\System32\WOWFAXUIJ.dll
[2011/03/23 22:50:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/03/19 21:08:22 | 000,441,456 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2011/03/19 21:08:22 | 000,071,408 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2011/03/19 21:08:21 | 000,521,766 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2011/03/19 20:56:06 | 000,000,780 | ---- | M] () -- C:\WINDOWS\orun32.ini
[2011/03/13 23:42:28 | 000,002,048 | ---- | M] () -- C:\WINDOWS\System32\win32xm1.TXI
[2011/03/13 21:10:32 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/13 21:10:19 | 000,000,206 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2 C:\Documents and Settings\Heather\My Documents\*.tmp files -> C:\Documents and Settings\Heather\My Documents\*.tmp -> ]
[1 C:\Documents and Settings\Heather\Desktop\*.tmp files -> C:\Documents and Settings\Heather\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/11 18:58:48 | 000,879,081 | ---- | C] () -- C:\Documents and Settings\Heather\Desktop\SecurityCheck.exe
[2011/04/11 18:06:25 | 112,156,645 | ---- | C] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2011/04/10 17:07:51 | 000,194,366 | ---- | C] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
[2011/04/10 15:57:42 | 000,003,165 | ---- | C] () -- C:\Documents and Settings\Heather\Desktop\Attach_2.zip
[2011/04/10 15:26:31 | 001,263,721 | ---- | C] () -- C:\Documents and Settings\Heather\Desktop\tdsskiller.zip
[2011/04/10 13:47:46 | 000,003,112 | ---- | C] () -- C:\Documents and Settings\Heather\Desktop\Attach.zip
[2011/04/10 13:22:24 | 000,293,019 | ---- | C] () -- C:\Documents and Settings\Heather\Desktop\gmer.zip
[2011/04/10 13:21:53 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Heather\Desktop\Defogger.exe
[2011/04/10 13:21:30 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Heather\Desktop\dds.scr
[2011/04/09 07:34:18 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/07 10:51:57 | 000,000,830 | ---- | C] () -- C:\Documents and Settings\Heather\Desktop\AVG PC Tuneup 2011.lnk
[2011/04/04 21:45:33 | 000,000,753 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
[2011/04/04 21:45:32 | 000,000,716 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Secunia PSI.lnk
[2011/04/04 16:36:04 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox
[2011/04/03 17:24:10 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/03 17:14:55 | 000,011,696 | -HS- | C] () -- C:\Documents and Settings\Heather\Local Settings\Application Data\08a4u2o670p0ms3ur18g20l873t74n
[2011/04/03 17:14:55 | 000,011,696 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\08a4u2o670p0ms3ur18g20l873t74n
[2011/04/03 17:13:38 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Okabuyiwogilime.dat
[2011/04/03 17:13:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Ucifu.bin
[2011/04/03 17:12:11 | 000,091,136 | RHS- | C] () -- C:\WINDOWS\System32\WOWFAXUIJ.dll
[2011/04/03 17:12:11 | 000,000,318 | -HS- | C] () -- C:\WINDOWS\tasks\coitmfmbq.job
[2011/04/03 17:12:11 | 000,000,312 | -HS- | C] () -- C:\WINDOWS\tasks\fkuuwczd.job
[2011/04/03 17:12:11 | 000,000,308 | -HS- | C] () -- C:\WINDOWS\tasks\JVHWPM.job
[2011/03/13 22:16:28 | 000,002,048 | ---- | C] () -- C:\WINDOWS\System32\win32xm1.TXI
[2011/03/13 21:10:19 | 000,000,206 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2011/01/24 09:26:39 | 000,000,427 | ---- | C] () -- C:\Documents and Settings\Heather\Application Data\com.inm.fusion.PixtorioViewer_state.xml
[2009/12/21 07:38:40 | 000,029,756 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/03/08 22:32:21 | 000,000,022 | ---- | C] () -- C:\WINDOWS\iexplore.ini
[2009/01/02 20:57:39 | 000,000,059 | ---- | C] () -- C:\WINDOWS\dcmvwr.INI
[2008/11/18 21:18:07 | 000,000,134 | -H-- | C] () -- C:\Documents and Settings\Heather\Application Data\lakerda1967.sys
[2008/11/18 21:17:31 | 000,010,584 | ---- | C] () -- C:\Documents and Settings\Heather\Application Data\docXConverter (3).ini
[2008/09/07 15:16:50 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\HPPLVS.dll
[2008/02/23 22:08:15 | 000,000,335 | ---- | C] () -- C:\WINDOWS\mozregistry.dat
[2007/11/14 22:22:43 | 000,001,761 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/09/23 19:07:21 | 000,000,441 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2007/07/26 12:01:50 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\hppatusg01.dll
[2007/04/06 08:13:31 | 000,001,571 | ---- | C] () -- C:\WINDOWS\Faxcpp1.ini
[2007/04/06 08:13:31 | 000,000,422 | ---- | C] () -- C:\WINDOWS\Faxcpp.ini
[2007/04/06 08:13:19 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\Twscan32.dll
[2007/04/06 08:13:18 | 000,241,664 | ---- | C] () -- C:\WINDOWS\System32\Image32.dll
[2007/04/06 08:13:18 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\Png32.dll
[2007/04/06 08:13:18 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\Jpeg32.dll
[2007/04/06 08:13:18 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\Tga32.dll
[2007/04/06 08:13:18 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\Pcx32.dll
[2007/02/25 17:05:48 | 000,037,027 | ---- | C] () -- C:\WINDOWS\atmoUn.exe
[2006/01/27 15:52:41 | 000,046,345 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.EXE
[2006/01/01 11:51:20 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ka.ini
[2005/09/05 16:12:38 | 000,000,271 | ---- | C] () -- C:\WINDOWS\ePrint@JapanCamera.INI
[2005/08/31 11:43:32 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\resourceGeneric.dll
[2005/08/30 15:43:32 | 000,000,098 | ---- | C] () -- C:\WINDOWS\7thlevel.ini
[2005/07/10 08:25:03 | 000,000,019 | ---- | C] () -- C:\WINDOWS\popcinfo.dat
[2005/01/02 22:54:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2005/01/02 22:42:35 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2005/01/02 22:41:27 | 000,000,021 | ---- | C] () -- C:\WINDOWS\CS_setup.ini
[2004/11/20 09:34:01 | 000,000,796 | ---- | C] () -- C:\WINDOWS\disney.ini
[2004/10/13 02:05:27 | 000,036,488 | ---- | C] () -- C:\Documents and Settings\Heather\Application Data\GDIPFONTCACHEV1.DAT
[2004/10/09 08:56:25 | 000,000,198 | ---- | C] () -- C:\WINDOWS\ACTIVITY.INI
[2004/09/24 20:46:36 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/09/08 20:44:09 | 000,110,717 | ---- | C] () -- C:\WINDOWS\UninstallFirefox.exe
[2004/04/15 19:55:21 | 000,000,494 | ---- | C] () -- C:\WINDOWS\EReg077.dat
[2004/04/15 19:54:52 | 000,000,084 | ---- | C] () -- C:\WINDOWS\TLCAPPS.INI
[2004/04/14 00:19:30 | 000,355,112 | ---- | C] () -- C:\WINDOWS\System32\msjetoledb40.dll
[2004/04/13 14:43:17 | 000,001,228 | ---- | C] () -- C:\WINDOWS\hegames.ini
[2004/04/01 20:06:45 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2004/03/28 11:53:35 | 000,000,013 | ---- | C] () -- C:\WINDOWS\isncfg.dat
[2004/02/23 09:51:43 | 000,000,061 | ---- | C] () -- C:\WINDOWS\Prism3.INI
[2004/02/06 18:54:48 | 000,095,440 | ---- | C] () -- C:\WINDOWS\NSUninst.exe
[2004/02/06 18:54:16 | 000,014,045 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2004/02/04 09:06:05 | 000,000,130 | ---- | C] () -- C:\Documents and Settings\Heather\Local Settings\Application Data\fusioncache.dat
[2003/11/22 22:23:07 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2003/11/22 22:15:56 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2003/11/06 06:54:39 | 000,008,996 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2003/11/02 09:45:38 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2003/10/26 22:48:37 | 000,000,422 | ---- | C] () -- C:\WINDOWS\videoimp.ini
[2003/10/23 00:14:03 | 000,000,193 | ---- | C] () -- C:\WINDOWS\brqikmon.ini
[2003/10/21 21:42:58 | 000,386,048 | ---- | C] () -- C:\WINDOWS\System32\qdvd.dll
[2003/10/21 21:42:58 | 000,059,904 | ---- | C] () -- C:\WINDOWS\System32\devenum.dll
[2003/10/21 20:21:22 | 000,278,528 | ---- | C] () -- C:\WINDOWS\System32\dfxg13.dll
[2003/10/21 18:35:26 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/10/21 18:25:37 | 000,148,992 | ---- | C] () -- C:\Documents and Settings\Heather\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2003/10/21 18:21:08 | 000,000,410 | ---- | C] () -- C:\WINDOWS\brwmark.ini
[2003/10/21 18:11:43 | 006,393,542 | -H-- | C] () -- C:\Documents and Settings\Heather\Local Settings\Application Data\IconCache.db
[2003/10/21 18:11:43 | 000,036,488 | ---- | C] () -- C:\Documents and Settings\Heather\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2003/10/15 00:00:48 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/10/14 23:55:29 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2003/10/14 23:53:07 | 000,000,324 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2003/10/14 23:49:38 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/10/14 23:37:36 | 000,002,048 | --S- | C] () -- C:\WINDOWS\BOOTSTAT.DAT
[2003/10/14 23:35:56 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/10/14 23:35:34 | 000,521,766 | ---- | C] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2003/10/14 23:35:34 | 000,441,456 | ---- | C] () -- C:\WINDOWS\System32\PERFH009.DAT
[2003/10/14 23:35:34 | 000,071,408 | ---- | C] () -- C:\WINDOWS\System32\PERFC009.DAT
[2003/10/14 23:24:14 | 000,000,550 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2003/05/30 09:00:02 | 001,291,776 | ---- | C] () -- C:\WINDOWS\System32\quartz.dll
[2002/12/12 01:14:32 | 000,733,696 | ---- | C] () -- C:\WINDOWS\System32\qedwipes.dll
[2002/12/12 01:14:32 | 000,562,176 | ---- | C] () -- C:\WINDOWS\System32\qedit.dll
[2002/12/12 01:14:32 | 000,279,040 | ---- | C] () -- C:\WINDOWS\System32\qdv.dll
[2002/12/12 01:14:32 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\qcap.dll
[2002/12/12 01:14:32 | 000,070,656 | ---- | C] () -- C:\WINDOWS\System32\amstream.dll
[2002/12/12 01:14:32 | 000,035,328 | ---- | C] () -- C:\WINDOWS\System32\mciqtz32.dll
[2002/12/12 01:14:32 | 000,014,336 | ---- | C] () -- C:\WINDOWS\System32\msdmo.dll
[2002/11/26 14:15:52 | 000,186,880 | ---- | C] () -- C:\WINDOWS\System32\encdec.dll
[2002/11/26 14:15:50 | 000,270,848 | ---- | C] () -- C:\WINDOWS\System32\sbe.dll
[2002/09/03 10:05:08 | 000,161,136 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2002/09/03 09:59:58 | 000,000,661 | ---- | C] () -- C:\WINDOWS\WIN.INI
[2002/09/03 09:59:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\CONTROL.INI
[2002/09/03 09:59:14 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2002/09/03 09:57:54 | 000,000,488 | ---- | C] () -- C:\WINDOWS\System32\logonui.exe.manifest
[2002/09/03 09:57:44 | 000,000,749 | ---- | C] () -- C:\WINDOWS\System32\cdplayer.exe.manifest
[2002/09/03 09:56:30 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2002/09/03 09:56:20 | 000,000,037 | ---- | C] () -- C:\WINDOWS\VBADDIN.INI
[2002/09/03 09:56:20 | 000,000,036 | ---- | C] () -- C:\WINDOWS\VB.INI
[2002/09/03 09:50:58 | 000,000,231 | ---- | C] () -- C:\WINDOWS\SYSTEM.INI
[2002/09/03 09:31:46 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/09/03 09:31:44 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2002/08/29 08:14:40 | 000,095,744 | ---- | C] () -- C:\WINDOWS\System32\msencode.dll
[2002/08/29 06:00:00 | 001,015,477 | ---- | C] () -- C:\WINDOWS\System32\ESENTPRF.INI
[2002/08/29 06:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\MLANG.DAT
[2002/08/29 06:00:00 | 000,498,742 | ---- | C] () -- C:\WINDOWS\System32\dxmasf.dll
[2002/08/29 06:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\PERFI009.DAT
[2002/08/29 06:00:00 | 000,252,928 | ---- | C] () -- C:\WINDOWS\System32\compatui.dll
[2002/08/29 06:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\DSSEC.DAT
[2002/08/29 06:00:00 | 000,199,168 | ---- | C] () -- C:\WINDOWS\System32\IR32_32.DLL
[2002/08/29 06:00:00 | 000,157,696 | ---- | C] () -- C:\WINDOWS\System32\PAQSP.DLL
[2002/08/29 06:00:00 | 000,069,886 | ---- | C] () -- C:\WINDOWS\System32\EDIT.COM
[2002/08/29 06:00:00 | 000,055,296 | ---- | C] () -- C:\WINDOWS\System32\DVDPLAY.EXE
[2002/08/29 06:00:00 | 000,053,840 | ---- | C] () -- C:\WINDOWS\System32\dosx.exe
[2002/08/29 06:00:00 | 000,053,478 | ---- | C] () -- C:\WINDOWS\System32\tcpmon.ini
[2002/08/29 06:00:00 | 000,050,620 | ---- | C] () -- C:\WINDOWS\System32\COMMAND.COM
[2002/08/29 06:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\MIB.BIN
[2002/08/29 06:00:00 | 000,042,809 | ---- | C] () -- C:\WINDOWS\System32\KEY01.SYS
[2002/08/29 06:00:00 | 000,042,537 | ---- | C] () -- C:\WINDOWS\System32\KEYBOARD.SYS
[2002/08/29 06:00:00 | 000,039,274 | ---- | C] () -- C:\WINDOWS\System32\MEM.EXE
[2002/08/29 06:00:00 | 000,035,648 | ---- | C] () -- C:\WINDOWS\System32\ntio411.sys
[2002/08/29 06:00:00 | 000,035,424 | ---- | C] () -- C:\WINDOWS\System32\ntio412.sys
[2002/08/29 06:00:00 | 000,034,560 | ---- | C] () -- C:\WINDOWS\System32\ntio804.sys
[2002/08/29 06:00:00 | 000,034,560 | ---- | C] () -- C:\WINDOWS\System32\ntio404.sys
[2002/08/29 06:00:00 | 000,033,840 | ---- | C] () -- C:\WINDOWS\System32\ntio.sys
[2002/08/29 06:00:00 | 000,029,370 | ---- | C] () -- C:\WINDOWS\System32\NTDOS411.SYS
[2002/08/29 06:00:00 | 000,029,274 | ---- | C] () -- C:\WINDOWS\System32\NTDOS412.SYS
[2002/08/29 06:00:00 | 000,029,146 | ---- | C] () -- C:\WINDOWS\System32\NTDOS804.SYS
[2002/08/29 06:00:00 | 000,029,146 | ---- | C] () -- C:\WINDOWS\System32\NTDOS404.SYS
[2002/08/29 06:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\PERFD009.DAT
[2002/08/29 06:00:00 | 000,027,866 | ---- | C] () -- C:\WINDOWS\System32\NTDOS.SYS
[2002/08/29 06:00:00 | 000,027,097 | ---- | C] () -- C:\WINDOWS\System32\COUNTRY.SYS
[2002/08/29 06:00:00 | 000,020,634 | ---- | C] () -- C:\WINDOWS\System32\DEBUG.EXE
[2002/08/29 06:00:00 | 000,019,694 | ---- | C] () -- C:\WINDOWS\System32\GRAPHICS.COM
[2002/08/29 06:00:00 | 000,015,360 | ---- | C] () -- C:\WINDOWS\System32\TSD32.DLL
[2002/08/29 06:00:00 | 000,014,710 | ---- | C] () -- C:\WINDOWS\System32\KB16.COM
[2002/08/29 06:00:00 | 000,013,312 | ---- | C] () -- C:\WINDOWS\System32\WIN87EM.DLL
[2002/08/29 06:00:00 | 000,013,223 | ---- | C] () -- C:\WINDOWS\System32\TSLABELS.INI
[2002/08/29 06:00:00 | 000,012,642 | ---- | C] () -- C:\WINDOWS\System32\EDLIN.EXE
[2002/08/29 06:00:00 | 000,012,498 | ---- | C] () -- C:\WINDOWS\System32\APPEND.EXE
[2002/08/29 06:00:00 | 000,012,082 | ---- | C] () -- C:\WINDOWS\System32\RSVP.INI
[2002/08/29 06:00:00 | 000,011,753 | ---- | C] () -- C:\WINDOWS\System32\SETVER.EXE
[2002/08/29 06:00:00 | 000,009,029 | ---- | C] () -- C:\WINDOWS\System32\ANSI.SYS
[2002/08/29 06:00:00 | 000,008,424 | ---- | C] () -- C:\WINDOWS\System32\EXE2BIN.EXE
[2002/08/29 06:00:00 | 000,007,052 | ---- | C] () -- C:\WINDOWS\System32\NLSFUNC.EXE
[2002/08/29 06:00:00 | 000,006,877 | ---- | C] () -- C:\WINDOWS\System32\PSCHDPRF.INI
[2002/08/29 06:00:00 | 000,004,768 | ---- | C] () -- C:\WINDOWS\System32\HIMEM.SYS
[2002/08/29 06:00:00 | 000,004,126 | ---- | C] () -- C:\WINDOWS\System32\msdxmlc.dll
[2002/08/29 06:00:00 | 000,003,458 | ---- | C] () -- C:\WINDOWS\System32\RASCTRS.INI
[2002/08/29 06:00:00 | 000,003,338 | ---- | C] () -- C:\WINDOWS\System32\redir.exe
[2002/08/29 06:00:00 | 000,002,891 | ---- | C] () -- C:\WINDOWS\System32\PERFCI.INI
[2002/08/29 06:00:00 | 000,002,732 | ---- | C] () -- C:\WINDOWS\System32\PERFWCI.INI
[2002/08/29 06:00:00 | 000,001,931 | ---- | C] () -- C:\WINDOWS\System32\MSDTCPRF.INI
[2002/08/29 06:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2002/08/29 06:00:00 | 000,001,405 | ---- | C] () -- C:\WINDOWS\MSDFMAP.INI
[2002/08/29 06:00:00 | 000,001,152 | ---- | C] () -- C:\WINDOWS\System32\PERFFILT.INI
[2002/08/29 06:00:00 | 000,001,131 | ---- | C] () -- C:\WINDOWS\System32\LOADFIX.COM
[2002/08/29 06:00:00 | 000,000,882 | ---- | C] () -- C:\WINDOWS\System32\SHARE.EXE
[2002/08/29 06:00:00 | 000,000,882 | ---- | C] () -- C:\WINDOWS\System32\FASTOPEN.EXE
[2002/08/29 06:00:00 | 000,000,817 | ---- | C] () -- C:\WINDOWS\System32\MSCDEXNT.EXE
[2002/08/29 06:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\NOISE.DAT
[2002/08/29 06:00:00 | 000,000,343 | ---- | C] () -- C:\WINDOWS\System32\PRODSPEC.INI
[2002/03/19 18:30:00 | 000,216,576 | ---- | C] () -- C:\WINDOWS\System32\PowerCalc.exe
[2001/09/24 07:59:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\NavLogon.dll
[1980/01/01 01:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

========== LOP Check ==========

[2009/01/07 19:04:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\2DBoy
[2011/04/07 11:34:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2011/04/04 17:10:59 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/04/04 16:50:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2009/03/08 22:32:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MumboJumbo
[2010/03/31 18:53:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NexonUS
[2011/04/07 11:31:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/02/25 17:05:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/10/11 20:48:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YoYoGames
[2010/10/05 18:06:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/12/21 06:50:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/06/21 22:19:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2011/03/27 20:36:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Heather\Application Data\.minecraft
[2011/04/07 11:19:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Heather\Application Data\AVG
[2011/04/04 17:29:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Heather\Application Data\AVG10
[2010/01/28 01:21:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Heather\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2011/01/11 21:16:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Heather\Application Data\com.inm.fusion.PixtorioViewer.744790F1545733D757EA034B675902690507C2E8.1
[2010/08/22 21:22:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Heather\Application Data\ElevatedDiagnostics
[2005/03/27 18:03:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Heather\Application Data\FotoWire
[2009/02/28 18:51:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Heather\Application Data\GetRightToGo
[2006/11/15 21:42:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Heather\Application Data\ievd
[2003/11/22 22:03:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Heather\Application Data\InterTrust
[2003/10/26 09:10:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Heather\Application Data\Leadertech
[2008/12/06 15:04:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Heather\Application Data\LEGO Company
[2010/09/11 08:38:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Heather\Application Data\Netscape
[2007/08/01 18:48:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Heather\Application Data\Nexon
[2009/10/19 23:23:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Heather\Application Data\Prism
[2011/04/11 18:02:21 | 000,000,318 | -HS- | M] () -- C:\WINDOWS\Tasks\coitmfmbq.job
[2011/04/11 18:02:21 | 000,000,312 | -HS- | M] () -- C:\WINDOWS\Tasks\fkuuwczd.job
[2011/04/11 18:02:21 | 000,000,308 | -HS- | M] () -- C:\WINDOWS\Tasks\JVHWPM.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Heather\My Documents\Image_ja.nrg:SummaryInformation
@Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4

< End of report >


OTL Extras logfile created on: 4/11/2011 7:19:36 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Heather\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 79.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.47 Gb Total Space | 33.80 Gb Free Space | 45.38% Space Free | Partition Type: NTFS

Computer Name: SAM | User Name: Heather | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: Off | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = NetscapeHTML] -- Reg Error: Key error. File not found

[HKEY_USERS\S-1-5-21-2964962961-2529405911-1854799536-1007\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
http [open] -- Reg Error: Key error.
https [open] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" %*
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Wizet\MapleStory\Patcher.exe" = C:\Program Files\Wizet\MapleStory\Patcher.exe:*:Disabled:Patcher MFC ?? ???? -- ()
"C:\Program Files\Microsoft Games\Age of Mythology\aomx.exe" = C:\Program Files\Microsoft Games\Age of Mythology\aomx.exe:*:Enabled:Age of Mythology - The Titans Expansion -- (Ensemble Studios)
"C:\Program Files\Wizet\MapleStory\MapleStory.exe" = C:\Program Files\Wizet\MapleStory\MapleStory.exe:*:Disabled:MapleStory -- (Wizet)
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.)
"C:\Program Files\Java\jre1.6.0_05\bin\javaw.exe" = C:\Program Files\Java\jre1.6.0_05\bin\javaw.exe:*:Enabled:Java™ Platform SE binary
"C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HP1006MC.EXE" = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HP1006MC.EXE:*:Enabled:SMLMProxy Module - HP1006MC.EXE -- (Software 2000 Limited)
"C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe" = C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe:*:Enabled:Nexon Game Manager -- (Nexon)
"C:\Documents and Settings\All Users\Application Data\YoYoGames\yoyo61.exe" = C:\Documents and Settings\All Users\Application Data\YoYoGames\yoyo61.exe:*:Enabled:YoYo Games Player -- (YoYo Games Ltd)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{02C85EC5-E864-4847-AF55-42730861004C}" = MrvlUsgTracking
"{04410044-9149-45C6-A806-F2BF9CFCE762}" = Microsoft Encarta Encyclopedia Standard 2004
"{11F1920A-56A2-4642-B6E0-3B31A12C9288}" = Dell Solution Center
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{139E303E-1050-497F-98B1-9AE87B15C463}" = Windows Live Family Safety
"{151C555A-A9E7-4A2E-B6D7-165D04A3C956}" = Dell Picture Studio - Dell Image Expert
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{1C1084FD-1A1B-4C54-B88A-B1D79AEF99F2}" = Black's Photo Centre - Windows XP Online Order Wizard
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216024FF}" = Java™ 6 Update 24
"{2A5C6AD0-F7B3-40A1-B140-23B085B1B8CE}" = UFile 2008
"{2C464EC1-2B0C-4490-9CAC-D4562DD8377A}" = Soap 3.0 Toolkit
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{43DCF766-6838-4F9A-8C91-D92DA586DFA7}" = Microsoft Windows Journal Viewer
"{451BB54C-8B23-4455-8BDC-14FC7D43E056}" = MSXML4SP2
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50316C0A-CC2A-460A-9EA5-F486E54AC17D}_is1" = AVG PC Tuneup 2011
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{585D96E5-1A6A-410C-8F5F-F606CA1CCE1C}" = UFile 2010
"{5BF5F9C5-E95B-4AFA-94BE-F2A9CA73B61D}" = Apple Mobile Device Support
"{64116298-93C5-401D-B06C-39D8E3338508}" = DAO
"{68D60342-7686-45C9-B8EB-40EF843D0460}" = Dell Networking Guide
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7297B0DF-8B81-41A1-B7B9-4C423609EEDE}" = WBC Digital Player
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7902E313-FF0F-4493-ACB1-A8147B78DCD0}" = HPSSupply
"{7C5B4583-7CBF-4289-B195-03B553959DEA}" = VoiceOver Kit
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{83d96ed0-98aa-4515-8ddc-816f3efdd104}" = MyDSC2
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{868291A4-229E-4795-B0B0-E60E87AF53CD}" = Sibelius Scorch (ActiveX Only)
"{8851E12C-0EF9-11D4-A788-009027ABA5D0}" = Easy CD Creator 5 Platinum
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8EA79DBF-D637-448A-89D6-410A087A4493}" = Samsung_MonSetup
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{90D55A3F-1D99-4C94-A77E-46DC14F0BF08}" = Help and Support Customization
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9B79DCB0-AAD7-456B-8D07-433C936FA24B}" = DS21Patch
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A29EA741-24F7-4C07-9B2C-06CB6491BE4A}" = Camera Window
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A71D5E81-B967-43DB-93D7-FD31BFB95748}" = MobileMe Control Panel
"{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}" = Intel® PROSet
"{A859FA27-05AF-4295-BF2C-A9D3A5A707EE}" = UFile Updater 2010
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AAD47011-8518-4608-9656-951DA35B587B}" = iTunes
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{AD708DF0-9F04-4CB3-821A-85804A833B4D}" = ArcSoft Camera Suite
"{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR
"{B37C842A-B624-46B8-A727-654E72F1C91A}" = Calculator Powertoy for Windows XP
"{B3AEF776-7FFF-4C50-A402-9119E3849EE0}" = AVG 2011
"{B6797F11-4A7D-45F5-8A20-72E9CCD83538}" = UFile Updater 2009
"{BEAD39CD-901D-4267-8B8B-EAA83CB4B70D}" = Pivot Stickfigure Animator
"{BEF56F2D-56ED-4176-BF72-7B68D4A3B98D}" = Canon PhotoRecord
"{C05E2D43-A05F-4835-A15C-CD0AD1576506}" = PhotoStitch
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}" = Canon Utilities ZoomBrowser EX
"{C9967B5A-6E08-4E79-BFBD-BBB07DB0CA04}" = UFile Updater 2008
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{cce405d3-1e1e-4902-a3e2-1ddc405d3b1d}" = NetLibrary Download Manager
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}" = getPlus® for Adobe
"{D36F4DCA-B6D5-403A-B69D-2439D59FC9A7}" = UFile 2009
"{D4576E0D-2295-4B8E-B663-B68086B00EE5}" = Sonic CinePlayer DVD Pack
"{D4936AAF-FFD0-44A1-A7EA-A2DB41CEB5BC}" = iPod for Windows 2005-09-23
"{D4E53304-1F6C-4111-9872-1BCD2CF5B642}" = AVG 2011
"{D521C206-C457-4AE3-A0E0-072D37E2A580}" = OneTouch Software
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{DEC511B1-59CB-4F15-AD75-0543034572A5}" = MapleStory
"{E08EC542-BC5F-4F26-BBB9-E426BA007A31}" = OneTouch USB Driver
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F0FC315A-7D1D-444F-BB96-A59B28179626}" = RemoteCapture Task 1.0.1
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FAF0DAD8-1EA7-4FEF-80E5-8D8D6EBD5A23}" = RAW Image Task
"{FC4ED75D-916C-4A8C-BB67-3C6F6E06D62B}" = Banctec Service Agreement
"{FE736CA3-5100-7CB2-2FB3-399865F522AC}" = Pixtorio Viewer
"{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}" = Bonjour
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe AIR" = Adobe AIR
"Adobe Atmosphere Player" = Adobe Atmosphere Player for Acrobat and Adobe Reader
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"Age of Mythology Expansion Pack 1.0" = Age of Mythology Gold
"AVG" = AVG 2011
"BellCanada.MCCInstall" = Sympatico NetAssistant
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"com.inm.fusion.PixtorioViewer.744790F1545733D757EA034B675902690507C2E8.1" = Pixtorio Viewer
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"DFX for MUSICMATCH" = DFX for MUSICMATCH
"docXConverter3_is1" = docXConverter 3.1.2
"ESET Online Scanner" = ESET Online Scanner v3
"GraphPad Prism 3" = GraphPad Prism 3
"HP LaserJet P1500 series" = HP LaserJet P1500 series
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"iefeatsl" = iefeatsl
"InstallShield_{A29EA741-24F7-4C07-9B2C-06CB6491BE4A}" = Canon Camera Window for ZoomBrowser EX
"InstallShield_{C05E2D43-A05F-4835-A15C-CD0AD1576506}" = Canon Utilities PhotoStitch 3.1
"InstallShield_{D4936AAF-FFD0-44A1-A7EA-A2DB41CEB5BC}" = iPod for Windows 2005-09-23
"InstallShield_{F0FC315A-7D1D-444F-BB96-A59B28179626}" = Canon RemoteCapture Task for ZoomBrowser EX
"InstallShield_{FAF0DAD8-1EA7-4FEF-80E5-8D8D6EBD5A23}" = Canon RAW Image Task for ZoomBrowser EX
"J-Prints Japan Camera Online Photos" = J-Prints Japan Camera Online Photos
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Forefront UAG endpoint components 3.1.0" = Microsoft Forefront UAG endpoint components v4.0.0
"Mozilla Firefox 4.0 (x86 en-GB)" = Mozilla Firefox 4.0 (x86 en-GB)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"Picasa 3" = Picasa 3
"PROSet" = Intel® PRO Network Adapters and Drivers
"RealPlayer 6.0" = RealPlayer Basic
"Secunia PSI" = Secunia PSI (2.0.0.3001)
"Shockwave" = Shockwave
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/5/2011 10:28:32 PM | Computer Name = SAM | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 2.0.0.4094, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 4/5/2011 10:35:45 PM | Computer Name = SAM | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module icucnv36.dll, version 3.6.0.0, fault address 0x000013df.

Error - 4/6/2011 8:33:57 PM | Computer Name = SAM | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module icucnv36.dll, version 3.6.0.0, fault address 0x000013df.

Error - 4/6/2011 8:39:01 PM | Computer Name = SAM | Source = uagqecsvc | ID = 62
Description = The Microsoft Forefront UAG Quarantine Enforcement Client component
cannot retrieve a list of registered clients from the Network Access Protection
(NAP) Agent. HRESULT value: 0x80070005.

Error - 4/6/2011 8:39:01 PM | Computer Name = SAM | Source = uagqecsvc | ID = 40
Description = The Microsoft Forefront UAG Quarantine Enforcement Client component
cannot detect registration. HRESULT value: 0x80070005.

Error - 4/7/2011 1:05:00 PM | Computer Name = SAM | Source = Bonjour Service | ID = 100
Description = 448: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 4/7/2011 9:06:46 PM | Computer Name = SAM | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module shlwapi.dll, version 6.0.2900.5912, fault address 0x0002c4d1.

Error - 4/7/2011 10:04:57 PM | Computer Name = SAM | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module shlwapi.dll, version 6.0.2900.5912, fault address 0x0002c4d1.

Error - 4/7/2011 10:05:15 PM | Computer Name = SAM | Source = uagqecsvc | ID = 62
Description = The Microsoft Forefront UAG Quarantine Enforcement Client component
cannot retrieve a list of registered clients from the Network Access Protection
(NAP) Agent. HRESULT value: 0x80070005.

Error - 4/7/2011 10:05:15 PM | Computer Name = SAM | Source = uagqecsvc | ID = 40
Description = The Microsoft Forefront UAG Quarantine Enforcement Client component
cannot detect registration. HRESULT value: 0x80070005.

[ System Events ]
Error - 4/10/2011 11:32:56 AM | Computer Name = SAM | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 4/10/2011 2:08:58 PM | Computer Name = SAM | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 4/10/2011 4:19:50 PM | Computer Name = SAM | Source = Service Control Manager | ID = 7031
Description = The Apple Mobile Device service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 4/10/2011 4:19:50 PM | Computer Name = SAM | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Driver Helper Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 4/10/2011 4:19:50 PM | Computer Name = SAM | Source = Service Control Manager | ID = 7034
Description = The Bonjour Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 4/10/2011 4:19:51 PM | Computer Name = SAM | Source = Service Control Manager | ID = 7034
Description = The Microsoft Forefront UAG Quarantine Enforcement Client service
terminated unexpectedly. It has done this 1 time(s).

Error - 4/10/2011 4:19:51 PM | Computer Name = SAM | Source = Service Control Manager | ID = 7034
Description = The Secunia PSI Agent service terminated unexpectedly. It has done
this 1 time(s).

Error - 4/10/2011 4:19:51 PM | Computer Name = SAM | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 4/10/2011 4:19:51 PM | Computer Name = SAM | Source = Service Control Manager | ID = 7034
Description = The iPod Service service terminated unexpectedly. It has done this
1 time(s).

Error - 4/10/2011 4:19:51 PM | Computer Name = SAM | Source = Service Control Manager | ID = 7034
Description = The Secunia Update Agent service terminated unexpectedly. It has
done this 1 time(s).


< End of report >

#15 heir
  • Malware Response Team
  • 763 posts
  • Gender:Male
  • Local time:03:05 AM

Posted 12 April 2011 - 03:21 AM

Something I should point out, regarding AVG PC Tuneup 2011, CCleaner, Glary Utilities, TuneUp Utilities and similar products:

It's not recommended to use registry cleaners. These often cause more problems than they fix. One of the experts at Geekstogo, miekiemoes, has an excellent writeup here.
Another excellent article by Bill Castner is located here.

-------------

Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack.

Please go to the link below to download an update.

http://www.adobe.com/products/acrobat/readstep2.html

Remove the older versions and install the latest.


--------------

Your Security Center is disabled (doesn't check FW and AV)
Your firewall is disabled
Your System Restore is disabled

Have you manually set those?

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image
