Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

TDSS/virtumonde infection redirects Google


  • This topic is locked This topic is locked
44 replies to this topic

#1 frustrated77

frustrated77

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:10:19 PM

Posted 21 April 2011 - 11:24 AM

Here is my recent saga - as abbreviated as possible:
I had the Windows Recovery virus about a week ago. Using rkill, MBAM, some DOS commands, etc. I managed to eradicate it. My system was fine for about 4 days. Yesterday morning while researching some Excel formula help, my browser (IE8) started redirecting. I had seen the symptoms last year when I cleaned a similar infection using (mostly) TDSSkiller. I also got a strange error message stating something to the effect that there had been "too many hardware changes" to my system, and I needed to re-authenticate (or whatever word Microsoft uses) my O/S. Via a chat with M/S I managed to accomplish that, but it certainly is suspicious.

I ran MBAM (1.50.1.1100 with updated data file), and it found nothing. I tried to run TDSSkiller (new name and used the .COM extension). It ran in its "initializing" window until exactly 80% (reproduceable) and then Windows flagged a "major error, must exit" screen. (I didn't think of trying to kill McAfee first until now, but I'm not even sure that I CAN kill it). I'm running Win XP SP3. In desperation, I downloaded a current TDSSkiller (no idea if it's different), and it also ran to exactly 80% of initialization before catastrophic failure.

I have McAfee active on the system (although I'm really not sure what it's good for - seems to be a virus magnet!). I also have ASO, but I didn't renew it. So, I can use it to find stuff, but not clean anything. It's been ineffective so far, which is why I didn't pay for another year. It IS, however, good at finding stuff! It told me I had 8 instances of adware.virtumonde.ks before I cancelled its execution.

I've followed the posting directions as closely as I could - which means I ran Defogger, etc. as told. The only problem I had (and the only thing not done/completed) was that I started running GMER sometime around 2pm yesterday. At 1am this morning, I finally went to bed with it still running. When I came down this morning, OF COURSE the PC had restarted (for reasons unknown) and whatever was there was gone! If needed, I was planning on re-running it starting tonight - hoping it would complete and I would be around tomorrow when it finished so I could grab the output. I've decided to go ahead and post, hoping something captured here will give you a foothold. Also, I may download HJT in case you want me to run it. Just as an FYI, I'm using a laptop for my internet access that is NOT infected. My desktop is currently unplugged from the network. Since my (wireless) laptop works fine, I am assuming I don't have a problem within my home (wireless/wired)router.

Before I finish, let me forward my thanks to all of you who help people out of the kindness of your heart. Whether or not you can help me specifically, your willingness to try is laudable! BTW: Kudos also to whomever writes your directions. They are incredibly clear, even for a novice!

Here's my DDS dump:
=================================================================

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Paul at 15:11:53.65 on Wed 04/20/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.706 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Advanced System Optimizer 3\ASO3DefragSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Addis\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: AutorunsDisabled - No File
mRun: [VTPreset] VTPreset.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Advanced System Optimizer] "c:\program files\advanced system optimizer 3\ASO3.exe" /autorun
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\palm\HOTSYNC.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: intuit.com\ttlc
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2006-9-9 386840]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-7-27 84072]
R2 ASO3DiskOptimizer;ASO3DiskOptimizer;c:\program files\advanced system optimizer 3\ASO3DefragSrv.exe [2010-2-23 239928]
R2 DriverX;DriverX;c:\windows\system32\drivers\DRIVERX.SYS [2009-10-3 234140]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-27 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-27 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-7-27 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-7-27 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-7-27 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-7-27 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-7-27 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2006-9-9 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2006-9-9 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-7-27 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-7-27 88544]
S3 ADASPROT;SYSTWEAKASO;c:\program files\advanced system optimizer 3\adasprot32.sys [2010-2-23 6656]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-7-27 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-7-27 84264]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2006-9-9 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2006-9-9 40552]
.
=============== Created Last 30 ================
.
2011-04-04 20:15:22 11264 ----a-r- c:\docume~1\addis\applic~1\microsoft\installer\{98613c99-1399-416c-a07c-1ee1c585d872}\Icon98613C992.exe
2011-04-04 20:15:15 -------- d-----w- c:\program files\Seagate
2011-04-04 20:12:29 -------- d-----w- c:\program files\common files\Wise Installation Wizard
.
==================== Find3M ====================
.
2011-03-09 15:44:21 43008 ----a-w- c:\windows\system32\tabctl32.oca
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ------w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ------w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53:52 270848 ------w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ------w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_4R120L0 rev.RAMB1TU0 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86B464F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86b4c7d0]; MOV EAX, [0x86b4c84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x86BCAAB8]
3 CLASSPNP[0xF77CFFD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000060[0x86B7BF18]
5 ACPI[0xF7746620] -> nt!IofCallDriver[0x804E37D5] -> [0x86BDED98]
\Driver\atapi[0x86BAA030] -> IRP_MJ_CREATE -> 0x86B464F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { NOP ; JMP 0x181; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x86B4633B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 15:14:52.78 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:11:19 PM

Posted 29 April 2011 - 10:35 AM

Hi,

Welcome to Bleeping Computer.

My name is Shannon and I will be working with you to remove the malware that is on your machine.

I apologize for the delay in replying to your post, but this forum is extremely busy.

Please Track this topic - On the top right on this tread, click on the Option button, and, in the drop-down list, click on 'Track this topic'. Under Subscription Information, click on 'Immediate Email Notification' and then click on the Proceed button at the bottom.

Do Not make any changes on your own to the infected computer.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Now, let's look more thoroughly at the infected computer -

We need to see some information about what is happening in your machine. Please perform the following scan:
  • We need to create an OTL Report
  • Please download OTL from here:
  • Main Mirror
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList"
  • Push the Posted Image button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Once you have the above logs, click on the Add Reply button below, copy in the contents of the two OTL logs. Also include any comments that you might have concerning the infection(s) and the infected computer.
Shannon

#3 frustrated77

frustrated77
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:10:19 PM

Posted 29 April 2011 - 12:04 PM

Shannon - I'm excited to attack this issue! I am getting ready to provide what you ask for, but thought I'd first give you an update. The infected system has largely been powered down (still is right now), and removed from the network. I got the traces while disconnected and transferred them via a flash drive to my laptop - with which I'm now communicating. If I MUST use the actual machine, plaese let me know. Also, on 2 different occasions I've tried to run one of the scanners (GMER, I think it's called). It ran once for about an hour, before my mouse was deactivated. I started it again, and after about an hour the display of files being scanned disappeared. Something is consuming the memory. Also, I've had varying degrees of success powering the system up (everything freezes, even in SAFE mode). Now that you know everything I do about my infected system, I'll fire it up and provide what you're asking for.

#4 frustrated77

frustrated77
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:10:19 PM

Posted 29 April 2011 - 12:22 PM

Here we go!!!!

OTL logfile created on: 4/29/2011 12:12:48 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Addis\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00003009 | Country: Zimbabwe | Language: ENW | Date Format: M/d/yyyy

991.00 Mb Total Physical Memory | 620.00 Mb Available Physical Memory | 63.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 114.49 Gb Total Space | 98.67 Gb Free Space | 86.18% Space Free | Partition Type: NTFS

Computer Name: ADDIS-CM5TPBZ9K | User Name: Paul | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/29 12:05:44 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Addis\Desktop\OTL.exe
PRC - [2010/10/13 22:28:54 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
PRC - [2010/10/13 22:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
PRC - [2010/10/05 13:59:20 | 000,239,928 | ---- | M] (Systweak Inc., (www.systweak.com)) -- C:\Program Files\Advanced System Optimizer 3\ASO3DefragSrv.exe
PRC - [2010/09/30 13:10:36 | 001,193,848 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2010/08/24 14:57:38 | 000,171,168 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
PRC - [2010/08/23 21:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2003/04/06 01:17:18 | 000,147,456 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
PRC - [2003/04/06 00:55:04 | 000,311,296 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
PRC - [2003/04/06 00:45:10 | 000,286,720 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
PRC - [2002/12/10 20:10:29 | 000,052,736 | ---- | M] (Macrovision) -- C:\WINDOWS\system32\drivers\CDAC11BA.EXE
PRC - [2001/06/07 17:01:00 | 000,299,008 | ---- | M] (Palm, Inc.) -- C:\Palm\HOTSYNC.EXE


========== Modules (SafeList) ==========

MOD - [2011/04/29 12:05:44 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Addis\Desktop\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/10/13 22:28:54 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2010/10/13 22:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe -- (mfevtp)
SRV - [2010/10/07 21:34:28 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2010/10/05 13:59:20 | 000,239,928 | ---- | M] (Systweak Inc., (www.systweak.com)) [Auto | Running] -- C:\Program Files\Advanced System Optimizer 3\ASO3DefragSrv.exe -- (ASO3DiskOptimizer)
SRV - [2010/08/24 14:57:38 | 000,171,168 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2010/08/23 21:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2003/03/08 23:31:02 | 000,065,795 | R--- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2002/12/10 20:10:29 | 000,052,736 | ---- | M] (Macrovision) [Auto | Running] -- C:\WINDOWS\system32\drivers\CDAC11BA.EXE -- (C-DillaCdaC11BA)


========== Driver Services (SafeList) ==========

DRV - [2010/10/13 22:28:54 | 000,386,840 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2010/10/13 22:28:54 | 000,313,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2010/10/13 22:28:54 | 000,152,960 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2010/10/13 22:28:54 | 000,095,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2010/10/13 22:28:54 | 000,088,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2010/10/13 22:28:54 | 000,088,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2010/10/13 22:28:54 | 000,084,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2010/10/13 22:28:54 | 000,084,072 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2010/10/13 22:28:54 | 000,055,840 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/10/13 22:28:54 | 000,052,104 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2010/07/30 18:35:50 | 000,006,656 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\Advanced System Optimizer 3\adasprot32.sys -- (ADASPROT)
DRV - [2010/04/17 12:18:22 | 000,082,380 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2009/09/16 10:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2008/04/13 13:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2004/08/04 00:31:32 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/03/02 15:02:30 | 000,167,040 | ---- | M] (S3 Graphics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\s3gnbm.sys -- (S3Psddr)
DRV - [2003/11/16 18:08:20 | 000,234,140 | ---- | M] (Tetradyne Software, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\DRIVERX.SYS -- (DriverX)
DRV - [2003/07/02 05:42:00 | 000,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2002/12/10 20:10:28 | 000,011,376 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CdaC15BA.SYS -- (CdaC15BA)
DRV - [2002/03/25 07:13:54 | 000,303,948 | R--- | M] (Avance Logic, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Avance AC97 Audio (WDM)
DRV - [2001/08/17 09:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)
DRV - [2001/08/17 08:28:02 | 000,907,456 | ---- | M] (Conexant) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HCF_MSFT.sys -- (HCF_MSFT)
DRV - [2001/06/07 17:01:00 | 000,012,270 | ---- | M] (Palm, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1960408961-861567501-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1960408961-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1960408961-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..network.proxy.no_proxies_on: "*.local"


[2010/08/16 15:00:19 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Addis\Application Data\Mozilla\Extensions
[2010/10/06 14:03:10 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Addis\Application Data\Mozilla\Firefox\Profiles\z6utlisy.default\extensions
[2010/08/16 15:16:31 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Addis\Application Data\Mozilla\Firefox\Profiles\z6utlisy.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/01/14 17:46:07 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/08/17 08:51:27 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/08/17 08:50:44 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/08/17 08:50:43 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

Hosts file not found
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O4 - HKLM..\Run: [Advanced System Optimizer] C:\Program Files\Advanced System Optimizer 3\ASO3.exe (Systweak Inc., (www.systweak.com))
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [VTPreset] C:\WINDOWS\System32\VTPreset.exe (S3 Graphics, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1960408961-861567501-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-1960408961-861567501-725345543-1003\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab (Java Plug-in 1.5.0_02)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab (Java Plug-in 1.5.0_04)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab (Java Plug-in 1.5.0_10)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop Components:AutorunsDisabled () -
O24 - Desktop WallPaper: C:\Documents and Settings\Addis\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Addis\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/11/22 13:40:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{8d4b69fd-3fac-11dd-a327-0020ed51aa00}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (sasnative32) - C:\WINDOWS\System32\sasnative32.exe ()
O34 - HKLM BootExecute: (Execute settings...) - File not found
O34 - HKLM BootExecute: (ountPoints) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/29 12:11:35 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Addis\Desktop\OTL.exe
[2011/04/29 12:06:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
[2011/04/21 12:48:02 | 000,000,000 | ---D | C] -- C:\Program Files\HijackThis
[2011/04/20 15:29:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Addis\Desktop\gmer
[2011/04/20 11:12:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/04/20 09:59:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/04/20 09:59:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/04/18 01:52:24 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Addis\Recent
[2011/04/14 23:16:31 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/04/04 15:15:15 | 000,000,000 | ---D | C] -- C:\Program Files\Seagate
[2011/04/04 15:12:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/29 12:07:49 | 000,012,642 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/29 12:06:09 | 000,000,304 | -HS- | M] () -- C:\WINDOWS\tasks\Cjay.job
[2011/04/29 12:06:04 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/29 12:06:02 | 1039,716,352 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/29 12:05:44 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Addis\Desktop\OTL.exe
[2011/04/26 11:00:03 | 000,000,432 | ---- | M] () -- C:\WINDOWS\tasks\ASOService.job
[2011/04/22 11:33:53 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2011/04/21 12:43:40 | 000,305,771 | ---- | M] () -- C:\Documents and Settings\Addis\Desktop\HijackThis.zip
[2011/04/21 09:24:54 | 000,000,000 | ---- | M] () -- C:\WINDOWS\vpd.properties
[2011/04/21 09:18:25 | 000,000,522 | ---- | M] () -- C:\hpfr3420.xml
[2011/04/20 15:27:06 | 000,293,019 | ---- | M] () -- C:\Documents and Settings\Addis\Desktop\gmer.zip
[2011/04/20 15:07:44 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Addis\Desktop\dds.scr
[2011/04/20 15:04:50 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Addis\defogger_reenable
[2011/04/20 14:59:04 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Addis\Desktop\Defogger.exe
[2011/04/20 12:50:18 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/20 11:30:58 | 000,012,584 | ---- | M] () -- C:\WINDOWS\System32\wpa.bak
[2011/04/18 00:53:22 | 001,006,778 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\rkill.com
[2011/04/15 08:19:39 | 000,269,392 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/14 23:22:32 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/04/14 23:19:17 | 000,441,580 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/04/14 23:19:17 | 000,071,390 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/22 11:33:50 | 000,001,323 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
[2011/04/22 11:31:46 | 1039,716,352 | -HS- | C] () -- C:\hiberfil.sys
[2011/04/21 12:46:19 | 000,305,771 | ---- | C] () -- C:\Documents and Settings\Addis\Desktop\HijackThis.zip
[2011/04/20 15:29:05 | 000,293,019 | ---- | C] () -- C:\Documents and Settings\Addis\Desktop\gmer.zip
[2011/04/20 15:10:45 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Addis\Desktop\dds.scr
[2011/04/20 15:04:50 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Addis\defogger_reenable
[2011/04/20 15:04:24 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Addis\Desktop\Defogger.exe
[2011/04/18 01:16:36 | 001,006,778 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\rkill.com
[2011/03/25 18:35:23 | 001,019,136 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/10/26 10:13:27 | 000,075,776 | ---- | C] () -- C:\WINDOWS\cadkasdeinst01e.exe
[2010/05/11 11:17:27 | 000,002,572 | ---- | C] () -- C:\WINDOWS\System32\ASOROSet.bin
[2010/04/17 12:50:16 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2010/04/17 12:10:46 | 000,020,454 | ---- | C] () -- C:\WINDOWS\hpoins01.dat
[2010/04/17 12:10:46 | 000,016,618 | ---- | C] () -- C:\WINDOWS\hpomdl01.dat
[2010/02/23 09:48:24 | 000,017,136 | ---- | C] () -- C:\WINDOWS\System32\sasnative32.exe
[2009/12/20 20:44:34 | 000,000,061 | ---- | C] () -- C:\WINDOWS\TaxACT09.ini
[2009/10/18 22:59:20 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2009/10/03 12:41:14 | 000,011,157 | ---- | C] () -- C:\WINDOWS\System32\CP30LS.DLL
[2008/12/27 19:38:52 | 000,000,075 | ---- | C] () -- C:\WINDOWS\TaxACT08.ini
[2008/11/02 21:55:14 | 000,007,168 | ---- | C] () -- C:\Documents and Settings\Addis\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/12/09 14:53:36 | 000,001,499 | ---- | C] () -- C:\WINDOWS\Perwty02.ini
[2007/12/01 12:30:58 | 000,004,748 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/05/16 18:09:15 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2007/03/30 17:22:21 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2005/12/26 20:42:52 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PasswordsPlus.INI
[2005/03/23 23:35:00 | 000,000,024 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2004/10/09 22:27:33 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2003/10/22 13:40:56 | 000,000,026 | ---- | C] () -- C:\WINDOWS\UP9ASP.INI
[2003/05/26 21:27:01 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/03/08 23:31:04 | 000,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2003/01/19 17:18:48 | 000,098,364 | ---- | C] () -- C:\WINDOWS\ctpu.exe
[2002/12/13 21:46:06 | 000,000,014 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2002/12/10 20:41:30 | 000,000,715 | ---- | C] () -- C:\WINDOWS\aolback.exe.lnk
[2002/12/10 20:10:29 | 000,202,752 | ---- | C] () -- C:\WINDOWS\CDAC14BA.DLL
[2002/12/10 20:10:29 | 000,020,992 | ---- | C] () -- C:\WINDOWS\CDAC13BA.EXE
[2002/12/10 20:10:28 | 000,011,376 | ---- | C] () -- C:\WINDOWS\System32\drivers\CdaC15BA.SYS
[2002/12/06 18:13:03 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2002/12/06 15:26:51 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A5W.INI
[2002/12/02 10:24:04 | 000,000,636 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2002/12/02 08:17:32 | 000,000,605 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2002/11/22 15:35:54 | 000,000,025 | ---- | C] () -- C:\WINDOWS\SPEA.INI
[2002/11/22 13:43:37 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2002/11/22 13:37:34 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2002/11/22 05:29:05 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2002/11/22 05:28:05 | 000,269,392 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2001/08/18 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/18 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/18 07:00:00 | 000,441,580 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/18 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/18 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/18 07:00:00 | 000,071,390 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/18 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/18 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/18 07:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/18 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[1999/01/22 21:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1998/06/10 01:00:00 | 000,015,120 | ---- | C] () -- C:\WINDOWS\System32\REPUTIL.DLL
[1998/01/12 10:00:00 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL

< End of report >



OTL Extras logfile created on: 4/29/2011 12:12:48 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Addis\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00003009 | Country: Zimbabwe | Language: ENW | Date Format: M/d/yyyy

991.00 Mb Total Physical Memory | 620.00 Mb Available Physical Memory | 63.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 114.49 Gb Total Space | 98.67 Gb Free Space | 86.18% Space Free | Partition Type: NTFS

Computer Name: ADDIS-CM5TPBZ9K | User Name: Paul | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-1960408961-861567501-725345543-1003\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:TCP" = 1900:TCP:LocalSubNet:Enabled:UDP 1900

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Disabled:RealPlayer -- (RealNetworks, Inc.)
"C:\Program Files\TurboTax\Premier 2006\32bit\ttax.exe" = C:\Program Files\TurboTax\Premier 2006\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax
"C:\Program Files\TurboTax\Premier 2006\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Premier 2006\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager
"C:\Program Files\TurboTax\Premier 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Premier 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax
"C:\Program Files\TurboTax\Premier 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Premier 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager
"C:\Documents and Settings\Addis\Application Data\mjusbsp\magicJack.exe" = C:\Documents and Settings\Addis\Application Data\mjusbsp\magicJack.exe:*:Enabled:magicJack
"C:\Program Files\Texas Instruments\CC Essentials v3.1\eclipse\jre\bin\javaw.exe" = C:\Program Files\Texas Instruments\CC Essentials v3.1\eclipse\jre\bin\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent
"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" = C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe:*:Enabled:McAfee Shared Service Host -- (McAfee, Inc.)
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Disc 2
"{02E78A82-D1A6-4C1C-90C5-12473B36B1E5}" = ExpressPCB
"{05BDC796-3451-4F81-B91D-E98F7ADA76C2}" = TurboTax 2010 WinPerTaxSupport
"{0878E100-C0BB-41E8-B4C6-C486B61FDA7B}" = Canon PhotoRecord
"{0F9196C6-58B4-445B-B56E-B1200FECC151}" = Microsoft Bootvis
"{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}" = Google Earth
"{218BBBE3-FE63-4BB2-81A8-7435575A84FA}" = PhotoStitch
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java™ 6 Update 21
"{28291BD5-92D2-4685-82DC-CCA925C53CCA}" = RemoteCapture Task 1.1
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0150040}" = J2SE Runtime Environment 5.0 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3782EC09-4000-475E-8A59-9CABD6F03B4C}" = TurboTax 2010 WinPerFedFormset
"{3E373664-E7A5-465C-84CE-078C841C1885}" = DriverX for MSP-FET430IF
"{45EF4EE3-F591-4B74-A477-0CAE12934CE7}" = RAW Image Task 1.2
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4C96958A-6562-4143-B820-FF4890D3B734}" = Camera Window DVC
"{4EF69D40-4DC9-485E-95D3-B1C22F218FC8}" = upapp
"{4F2FCCCF-29F3-44B9-886F-6D16F8417522}" = TurboTax 2010 wrapper
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5B1966C2-FF80-493F-916D-5552B642EDCF}" = TI MSVC80 SP1 Runtime files
"{5BF5F9C5-E95B-4AFA-94BE-F2A9CA73B61D}" = Apple Mobile Device Support
"{5E367599-6FCC-45BB-A1D7-C15556E08D2A}" = Texas Instruments SimpliciTI-CCE-1.1.0
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6B9B0C6F-E5FA-4633-A640-AB98A272ECCA}" = Safari
"{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}" = HP Photo and Imaging 2.0 - All-in-One Drivers
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8AF1E098-1A5C-4336-BBE2-D047ABB401ED}" = MovieEdit Task
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90850409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Word Viewer 2003
"{91203BD3-6C3E-472F-ADBD-F60FDC7C4010}" = Camera Window DS
"{91F1A0D6-23AD-49FE-8D4E-379485652214}" = Camera Support Core Library
"{98613C99-1399-416C-A07C-1EE1C585D872}" = SeaTools for Windows
"{9867A917-5D17-40DE-83BA-BEA5293194B1}" = HP Photo and Imaging 2.0 - All-in-One
"{A1E21995-127E-4B7F-8C4D-CB04AA8A58EF}_is1" = Advanced System Optimizer
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A4D7B764-4140-11D4-88EB-0050DA3579C0}" = Nero
"{A525E00B-6609-442E-9DCD-64453C233E8D}" = TurboTax 2010 WinPerReleaseEngine
"{AAD47011-8518-4608-9656-951DA35B587B}" = iTunes
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.0
"{AC76BA86-7AD7-2447-0000-900000000003}" = Chinese Simplified Fonts Support For Adobe Reader 9
"{AC76BA86-7AD7-5760-0000-900000000003}" = Japanese Fonts Support For Adobe Reader 9
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B376402D-58EA-45EA-BD50-DD924EB67A70}" = ##HPMD_PRODUCT_NAME##
"{BA0F44C2-A883-11D1-AD0A-006097D15E2C}" = Palm Desktop
"{BD664B79-E4C3-48FA-B6C2-23CCC2AC19A2}" = Texas Instruments SimpliciTI-IAR-1.1.0
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}" = Canon ZoomBrowser EX
"{C7281207-4AA4-425E-B57A-0E9EF8445635}" = Camera Window MC
"{C900EF06-2E76-49C7-8DB0-41F629B21DC5}" = hp psc 1200 series
"{C9913503-1500-4454-94CD-365ADC1BB9B9}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DD9B6B21-19E1-4D7D-BEB3-166F9DE929FD}" = IAR Embedded Workbench Kickstart for MSP430 4.20.4
"{EBCBA952-DA46-4687-9784-D8B4E25A6B14}" = Passwords Plus
"{ED5F7AF9-347B-4440-A211-C6236508CC08}" = ExpressPCB
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"084C8C3BFE6C1BB28639FB23AC0D18A2470CE49C" = Windows Driver Package - Texas Instruments, Inc (umpusbvista) Ports (05/19/2008 6.5.9003.0)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Audacity_is1" = Audacity 1.2.6
"B89452C8A2A1FCF2E1BCF0ECA27FB6019CFA00CF" = Windows Driver Package - Texas Instruments (usbser) Ports (12/11/2007 1.3)
"Bitmap2LCD V1.5b_is1" = Bitmap2LCD Basic Edition V1.5b
"CCleaner" = CCleaner (remove only)
"CdaC13Ba" = SafeCast Shared Components
"eZ430-RF2500SensorMonitor" = eZ430-RF2500 Sensor Monitor
"HP PSC 1200 Series" = HP Photo and Imaging 2.0 - hp psc 1200 series
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{218BBBE3-FE63-4BB2-81A8-7435575A84FA}" = Canon Utilities PhotoStitch 3.1
"InstallShield_{28291BD5-92D2-4685-82DC-CCA925C53CCA}" = Canon RemoteCapture Task for ZoomBrowser EX
"InstallShield_{45EF4EE3-F591-4B74-A477-0CAE12934CE7}" = Canon RAW Image Task for ZoomBrowser EX
"InstallShield_{4C96958A-6562-4143-B820-FF4890D3B734}" = Canon Camera Window DVC for ZoomBrowser EX
"InstallShield_{5E367599-6FCC-45BB-A1D7-C15556E08D2A}" = Texas Instruments SimpliciTI-CCE-1.1.0
"InstallShield_{8AF1E098-1A5C-4336-BBE2-D047ABB401ED}" = Canon MovieEdit Task for ZoomBrowser EX
"InstallShield_{91203BD3-6C3E-472F-ADBD-F60FDC7C4010}" = Canon Camera Window DS for ZoomBrowser EX
"InstallShield_{91F1A0D6-23AD-49FE-8D4E-379485652214}" = Canon Camera Support Core Library
"InstallShield_{BD664B79-E4C3-48FA-B6C2-23CCC2AC19A2}" = Texas Instruments SimpliciTI-IAR-1.1.0
"InstallShield_{C7281207-4AA4-425E-B57A-0E9EF8445635}" = Canon Camera Window for ZoomBrowser EX
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Developer Network - Visual Studio 6.0a" = MSDN Library - Visual Studio 6.0a
"Mp3tag" = Mp3tag v2.43
"MSC" = McAfee AntiVirus Plus
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PhotoScape" = PhotoScape
"Pixillion" = Pixillion Image Converter
"RealPlayer 6.0" = RealPlayer
"S3Display" = S3Display
"S3Gamma2" = S3Gamma2
"S3Info2" = S3Info2
"S3Overlay" = S3Overlay
"ST6UNST #1" = HexDump32
"ST6UNST #2" = ScreenPrint32 v3.5
"TaxACT 2009" = TaxACT 2009
"TurboTax 2010" = TurboTax 2010
"Viewpoint Manager" = Viewpoint Manager (Remove Only)
"ViewpointMediaPlayer" = Viewpoint Media Player (Remove Only)
"Visual Basic 6.0 Professional Edition" = Microsoft Visual Basic 6.0 Professional Edition
"WebPost" = Microsoft Web Publishing Wizard 1.53
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

#5 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:11:19 PM

Posted 29 April 2011 - 04:17 PM

Hi-

Thanks for the logs. They do show some infections and one is a backdoor trojan. A backdoor trojan allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide to continue with the cleanup -

Before we start, since you are using USB flash drives to communicate, you need to run Flash_Disinfector against those USB drives. Flash_Disinfector is a specialized fix tool created by sUBs to remove infections that load an autorun.inf file on removable media. Flash_Disinfector will create a hidden "dummy" autorun folder/file with special permissions in each partition and every external drive that was connected when the tool was run. This folder helps to keep the malicious autorun.ini file from being installed on the root drive and running other malicious files which will infect the computer.
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Next, please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.21.0) from Kaspersky's website.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
  • If TDSSKiller does not run, try renaming it.

    To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.

  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. C:\TDSSKiller.2.4.21_23.07.2010_15.31.43_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
Then, download Combofix from either of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: how-to-use-combofix

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable your Anti-virusl


Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please copy the "C:\ComboFix.txt" into your reply.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.


In your reply, copy in the contents of the TDSSKiller report and the ComboFix report. How is your computer running now?
Shannon

#6 frustrated77

frustrated77
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:10:19 PM

Posted 29 April 2011 - 04:43 PM

Smart virus.... I downloaded TDSSkiller.exe, renamed it to psh.com, and ran it. It got to 80% initialization, then errored out with a windows error "TDSS rootkit removing tool has encountered a problem and needs to close.", followed by the option to tell Microsoft about the problem. I obviously elected to move forward with attempting to clean it up. I'm stopping (didn't do anything with ComboFix) until I hear from you. One question.... There's a warning that ComboFix MUST be downloaded directly to your desktop. Can I download it to another computer desktop and copy it to the infected machine's desktop via a flash drive? That's what I've been doing so far (keeping the infected unit off the internet)

#7 frustrated77

frustrated77
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:10:19 PM

Posted 29 April 2011 - 05:17 PM

Shannon.... A potentially silly question. I've read about ComboFix. The writeup states that if the recovery console isn't installed, ConboFix will ask to install it (and I should let it). My question is... Does ComboFix have the requisite software imbedded in its image, or will I need to connect the infected computer to the internet so ComboFix can download it? I went ahead and downloaded ComboFix and put it on my flash drive. When you tell me, I'll copy it onto the desktop of the infected unit and run it.

#8 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:11:19 PM

Posted 29 April 2011 - 08:01 PM

Hi-

Yes, ComboFix does need an internet connection to download the Recovery Console software but we can get around that. Do you have the XP system CD for your computer?
Shannon

#9 frustrated77

frustrated77
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:10:19 PM

Posted 29 April 2011 - 08:40 PM

No...Sorry. It was an OEM installation, and I didn't get any CD. The computer's almost 9 years old, so what I DO have is really sketchy. If I need to connect it, it's no biggie - just an RJ45 connector. Should I install ComboFix on it and start it up? I'll plug in the network if it tells me I need the recovery console.

#10 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:11:19 PM

Posted 29 April 2011 - 08:47 PM

It would be easier if you would connect it. Copy ComboFix to the desktop, connect the cable, and run it.
Shannon

#11 frustrated77

frustrated77
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:10:19 PM

Posted 29 April 2011 - 09:16 PM

Okay. ComboFix installed, ran, installed the Recovery Console, and is now running (it's at Stage_2). When I get the log, should it be PASTED into the message window, or ATTACHED?

#12 frustrated77

frustrated77
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:10:19 PM

Posted 29 April 2011 - 09:42 PM

COMBOFIX LOG


ComboFix 11-04-29.02 - Paul 04/29/2011 21:15:23.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.507 [GMT -5:00]
Running from: c:\documents and settings\Addis\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Addis\My Documents\DPE.DUS
c:\documents and settings\Addis\Start Menu\Programs\Windows Recovery
c:\documents and settings\Addis\Start Menu\Programs\Windows Recovery\Uninstall Windows Recovery.lnk
c:\documents and settings\Addis\Start Menu\Programs\Windows Recovery\Windows Recovery.lnk
c:\documents and settings\Addis\System
c:\documents and settings\Addis\System\win_qs8.jqx
c:\windows\system32\logs
c:\windows\system32\regobj.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-03-28 to 2011-04-30 )))))))))))))))))))))))))))))))
.
.
2011-04-20 14:59 . 2011-04-20 14:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-04-18 13:48 . 2011-04-18 13:50 -------- d-----w- c:\documents and settings\Administrator
2011-04-04 20:15 . 2011-04-04 20:15 11264 ----a-r- c:\documents and settings\Addis\Application Data\Microsoft\Installer\{98613C99-1399-416C-A07C-1EE1C585D872}\Icon98613C992.exe
2011-04-04 20:15 . 2011-04-04 20:15 -------- d-----w- c:\program files\Seagate
2011-04-04 20:12 . 2011-04-04 20:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-09 15:44 . 2003-03-10 22:39 43008 ----a-w- c:\windows\system32\tabctl32.oca
2011-03-07 05:33 . 2003-03-03 20:57 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2003-05-27 05:34 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2001-08-18 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-01-21 21:16 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2003-05-27 04:12 43520 ------w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2003-05-27 02:45 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2001-08-18 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2001-08-18 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-17 02:09 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2001-08-18 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25 . 2003-05-27 02:42 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53 . 2003-05-27 04:54 270848 ------w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2003-05-27 04:49 186880 ------w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2001-08-18 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2003-05-27 04:32 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTPreset"="VTPreset.exe" [2004-02-25 45056]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Advanced System Optimizer"="c:\program files\Advanced System Optimizer 3\ASO3.exe" [2010-10-05 3521848]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2002-12-2 299008]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sasnative32
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [7/27/2010 10:24 AM 84072]
R2 ASO3DiskOptimizer;ASO3DiskOptimizer;c:\program files\Advanced System Optimizer 3\ASO3DefragSrv.exe [2/23/2010 9:48 AM 239928]
R2 DriverX;DriverX;c:\windows\system32\drivers\DRIVERX.SYS [10/3/2009 12:41 PM 234140]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [7/27/2010 10:24 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [7/27/2010 10:24 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [7/27/2010 10:26 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [7/27/2010 10:25 AM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [7/27/2010 10:24 AM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [7/27/2010 10:24 AM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [7/27/2010 10:24 AM 88544]
S3 ADASPROT;SYSTWEAKASO;c:\program files\Advanced System Optimizer 3\adasprot32.sys [2/23/2010 9:48 AM 6656]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [7/27/2010 10:24 AM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [7/27/2010 10:24 AM 84264]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - klmd25
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-26 c:\windows\Tasks\ASOService.job
- c:\program files\Advanced System Optimizer 3\ASO3.exe [2010-02-23 18:59]
.
2010-07-19 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8271524710.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: intuit.com\ttlc
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Bitmap2LCD V1.5b_is1 - c:\wireless projects\FoNtS\Bitmap2LCD V1_5b\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-29 21:29
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_4R120L0 rev.RAMB1TU0 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x86B4633B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1960408961-861567501-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E3A52CDC-ACDF-1EA1-4033-794C6B6D210B}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oacfgddplmeahhkdicjlbaoafigahg"=hex:64,61,64,70,6a,62,6c,62,00,e0
"oagegeganejmbidbajcgocghkkfhpc"=hex:6a,61,63,70,6a,62,67,6d,66,6d,6d,6b,6a,63,
62,61,66,6e,64,66,00,fd
"naeeeocdeiccpcemcpeiapihkbjg"=hex:6b,61,63,70,6d,62,68,70,6f,6f,70,70,6d,6f,
6a,6c,6c,63,63,62,70,6f,00,00
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(860)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(920)
c:\windows\system32\WININET.dll
.
Completion time: 2011-04-29 21:37:30
ComboFix-quarantined-files.txt 2011-04-30 02:37
.
Pre-Run: 105,802,498,048 bytes free
Post-Run: 105,920,274,432 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - EB6A190B9C7EE17F95B26141B72CC578

#13 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:11:19 PM

Posted 30 April 2011 - 02:32 PM

Hi-

Sorry for the delay - its a beautiful sunny day here today - no tornadoes.

You have an infected Master Boot Record which we need to fix, but, first, we need to back it up.

You will need a USB drive.

Download both unetbootin-xpud-windows-latest.exe and xpud-0.9.2.iso to the desktop of your clean computer

  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?) - please note that if you do not see sbd1 simply remove then replace the USB while xPud is running and it will then appear!
  • Press Tool at the top
  • Choose Open Terminal
  • Type dd if=/dev/sda of=MBRbackup.zip bs=512 count=1
  • Press Enter
  • After it has finished a report will be located on your USB drive named MBRbackup.zip
  • Remove the USB drive and insert back in your working computer and navigate to MBRbackup.zip Please note - all text entries are case sensitive
Attach the MBRbackup.zip to your next reply.
Shannon

#14 frustrated77

frustrated77
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:10:19 PM

Posted 30 April 2011 - 03:54 PM

I'm sorry, but I don't see how to boot from USB! F12 doesn't appear to do anything. I went into my BIOS and my options are HDD, CD, Floppy, and Realtek Boot (which I think is a network boot option). Maybe I misunderstood the directions? If so, my apologies. I'm running XP SP3 on a Gigabyte GA-7VKMLS motherboard - although none of that probably helps. 8^(

FWIW: My "clean" machine is a laptop with Windows 7

#15 frustrated77

frustrated77
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:10:19 PM

Posted 30 April 2011 - 03:55 PM

OOPS: The Flash drive wasn't actually plugged in (to the infected unit) when I tried to get the USB option screen! Would that be why it didn't work?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users