
infected with Trojan.Dropper/SVCHost-Fake and Firefox keeps redirector


  • This topic is locked
39 replies to this topic

#1 Ballerina

Posted 31 July 2011 - 10:07 PM

Hello,

I am unable to remove some very stubborn malware. Please help me, I am at my wit's end! I greatly appreciate the kind volunteers who help with this sort of problem. It's a noble thing to do! :)

The attack began on Wednesday July 27, 2011. I was reading an article on a major news website, and all manner of stuff (ads, fake anti-virus programs) began to pop up on my screen. Unfortunately, I wasn't able to stop it soon enough, even though I killed the power strip immediately. I turned the modem off, rebooted, and ran consecutive scans using the following anti-virus software: Malwarebytes, Spybot, SuperAntiSpyware, and a version of Kaspersky that I have through Earthlink called Earthlink Protection Control Center. I performed complete scans with all 4 programs on all drives. All 4 programs found malware. Each found different malware, but they all seemed to successfully remove it. By Thursday morning, I thought the computer was clean, so I rebooted it in order to complete the malware removal process.

When the computer rebooted, everything seemed to work okay at first, except that none of the anti-malware programs were accessible anymore. When I tried to open any of them I got a pop-up window that said "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." The computer also runs more slowly now.

I performed searches for my anti-malware programs, and was able to open SuperAntiSpyware from the search results. I ran a scan, and it found "Trojan.Dropper/SVCHost-Fake" in 2 places, one in Memory and one in files. However, the malware shut SuperAntiSpyware down before it could finish the scan. I re-opened it through Search and stopped the second scan as soon as it found "Trojan.Dropper/SVCHost-Fake" again. I had it quarantined, and supposedly removed. I rebooted the computer, but it was still there, and still terminates all anti-malware programs. I did this several times, but the Trojan is always still there. I tried running HijackThis, but it ran briefly, then terminated without finishing, and without generating a log. I cannot open it now either. I tried uninstalling Spybot, and downloading a fresh copy, but it would not run either. I ran rkill, which I had on my desktop from removing a TDSSKiller infection in May 2011 (I followed the Bleeping Computer tutorial page for that one; thank you, Grinler!). rkill terminated a process called \\.\globalroot\Device\svchost.exe\svchost.exe. I immediately ran SuperAntiSpyware again (accessed through Search) and it found "Trojan.Dropper/SVCHost-Fake" again. I tried to have the Trojan removed, but was still unsuccessful.

I also now have a redirector in Firefox, just to add to the fun. Additionally, Windows Security Center says my virus protection is turned on, even though it is not. I uninstalled Java and re-installed it, because it had some odd things in its cache files, and I thought it might have gotten infected, or corrupted.

I would be deeply grateful for anyone's help with this nasty infection. I don't know what else to do. Thank you very much for your time and attention! :)

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by august at 16:50:00 on 2011-07-31
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.348 [GMT -7:00]
.
AV: Protection Control Center *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Protection Control Center *Disabled*
.
============== Running Processes ===============
.
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://start.earthlink.net/AL/Search
uSearchMigratedDefaultURL = hxxp://www.altavista.com/web/iepane?itag=ody&hl=off&fr=ieas&q={searchTerms}
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: ElnkPubBHO Class: {512acf1b-64d9-4928-b382-a80556f28db4} - c:\program files\earthlink totalaccess\toolbar\ElnkPub.dll
BHO: {52794457-af6c-4c50-9def-f2e24f4c8889} - No File
BHO: ElnkProtectionBHO Class: {9579d574-d4d8-4335-9560-fe8641a013bd} - c:\program files\earthlink totalaccess\toolbar\ProtctIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: ElnkLegacyUninstBHO Class: {e713904c-df05-4c79-bbad-02db923253be} - c:\program files\earthlink totalaccess\toolbar\uninsttb.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: EarthLink Toolbar: {c7768536-96f8-4001-b1a2-90ee21279187} - c:\program files\earthlink totalaccess\toolbar\Toolbar.dll
TB: {52794457-af6c-4c50-9def-f2e24f4c8889} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe -CheckReg
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HPHUPD05] c:\program files\hewlett-packard\\{5372b9a6-6e51-4f90-9b40-e0a3b8475c4e}\hphupd05.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ContentTransferWMDetector.exe] c:\program files\sony\content transfer\ContentTransferWMDetector.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [AVP] "c:\program files\earthlink\earthlink protection control center\avp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\august\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: EarthLink Google Search - c:\program files\earthlink totalaccess\toolbar\SearchUI.dll/search.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\earthlink\earthlink protection control center\SCIEPlgn.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: mswsock.dll
Trusted Zone: ameritrade.com
Trusted Zone: ameritrade.com\wwws
Trusted Zone: tdameritrade.com
Trusted Zone: tdameritrade.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{3083570A-3DF7-41C7-B624-C560BF9F2FB9} : DhcpNameServer = 192.168.1.1
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\progra~1\earthl~2\earthl~1\adialhk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\awtqrsPg
LSA: Notification Packages = :\windows\system32\srr
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 91.207.117.244 browser-security.microsoft.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\august\application data\mozilla\firefox\profiles\ojl5k5yz.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.yahoo.com/
FF - plugin: c:\documents and settings\august\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\august\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: CacheViewer: {71328583-3CA7-4809-B4BA-570A85818FBB} - %profile%\extensions\{71328583-3CA7-4809-B4BA-570A85818FBB}
.
============= SERVICES / DRIVERS ===============
.
R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-4-16 112144]
R1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-12-28 195344]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\earthlink totalaccess\wengine\wmonitor.exe [2005-1-26 65604]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-6-3 47640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-12-13 24592]
S0 ejklrxvx;ejklrxvx;c:\windows\system32\drivers\avulmspn.sys --> c:\windows\system32\drivers\avulmspn.sys [?]
S2 AVP;EarthLink Protection Control Center;c:\program files\earthlink\earthlink protection control center\avp.exe [2009-1-22 244240]
S2 gupdate1ca09ca969da2fc;Google Update Service (gupdate1ca09ca969da2fc);c:\program files\google\update\GoogleUpdate.exe [2009-7-20 133104]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S2 mrtRate;mrtRate; [x]
S2 PINNMB;MovieBox USB_B;c:\windows\system32\drivers\pinnmb.sys [2004-11-28 31923]
S2 WindowsGame;Windows_Down;c:\windows\system32\game.exe --> c:\windows\system32\Game.exe [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [2004-11-1 17536]
S3 EarthLinkSafeConnectFilter;EarthLinkSafeConnectFilter;\??\c:\program files\earthlink\earthlink protection control center\sana\driver\platform_xp\safeconnectfilter.sys --> c:\program files\earthlink\earthlink protection control center\sana\driver\platform_xp\SafeConnectFilter.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-7-20 133104]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2007-6-10 32512]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-07-30 00:18:44 -------- d-----w- c:\documents and settings\august\application data\ElevatedDiagnostics
2011-07-29 04:40:44 -------- d-----w- c:\documents and settings\august\local settings\application data\Solid State Networks
2011-07-29 04:33:51 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
==================== Find3M ====================
.
2011-07-29 04:33:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-06 21:39:33 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500JB-32FUA0 rev.15.05R15 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x832ACAA0]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x83BD7AB8]
3 CLASSPNP[0xF75A3FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x83A63C78]
\Driver\00001525[0x838DC9F8] -> IRP_MJ_CREATE -> 0x832ACAA0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x83B2A31B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 16:51:29.40 ===============
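As an added example (not code from this thread, from DDS, or from any tool named here), a small Python triage that walks a DDS log of the kind posted above and flags what a responder would pick out of it: a process image sitting behind a \\.\globalroot device path, a hosts-file entry that points a Microsoft domain at a remote IP, extra LSA authentication/notification packages, a boot-start service whose file DDS cannot find on disk, and the hook and warning lines from the rootkit section. The embedded log is a constructed excerpt of the log above, and the XP default package sets are my assumptions.

```python
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the DDS log posted above (most lines omitted).
SAMPLE_DDS = r"""
============== Running Processes ===============
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
============== Pseudo HJT Report ===============
AppInit_DLLs: c:\progra~1\earthl~2\earthl~1\adialhk.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\awtqrsPg
LSA: Notification Packages = :\windows\system32\srr
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 91.207.117.244 browser-security.microsoft.com
============= SERVICES / DRIVERS ===============
R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-4-16 112144]
S0 ejklrxvx;ejklrxvx;c:\windows\system32\drivers\avulmspn.sys --> c:\windows\system32\drivers\avulmspn.sys [?]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
=================== ROOTKIT ====================
detected hooks:
\Driver\atapi DriverStartIo -> 0x83B2A31B
Warning: possible TDL3 rootkit infection !
"""

@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    rule: str
    line: str

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
DEFAULT_AUTH_PKGS = {"msv1_0"}     # assumed: the only LSA authentication package on a stock XP box
DEFAULT_NOTIFY_PKGS = {"scecli"}   # assumed: the only LSA notification package on a stock XP box
HEADER_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")

def check_hjt_line(line):
    """Rules for the 'Pseudo HJT Report' section."""
    out = []
    if line.startswith("Hosts:"):
        parts = line.split()
        if len(parts) >= 3 and parts[1] not in LOOPBACK:
            out.append(Finding("high", "hosts-file redirect", line))      # name resolves to a remote IP
        elif len(parts) >= 3:
            out.append(Finding("info", "hosts-file block entry", line))   # loopback: check whose site is blocked
    elif line.startswith("LSA: Authentication Packages"):
        pkgs = line.split("=", 1)[1].split()
        if any(p.lower() not in DEFAULT_AUTH_PKGS for p in pkgs):
            out.append(Finding("high", "non-default LSA authentication package", line))
    elif line.startswith("LSA: Notification Packages"):
        pkgs = line.split("=", 1)[1].split()
        if any(p.lower() not in DEFAULT_NOTIFY_PKGS for p in pkgs):
            out.append(Finding("high", "non-default LSA notification package", line))
    elif line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
        out.append(Finding("medium", "AppInit_DLLs populated (verify the DLL's publisher)", line))
    return out

def triage_dds(text):
    """Walk a DDS log section by section and return a list of Finding objects."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":            # DDS prints a lone '.' as a spacer
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group(1).upper()
            continue
        if section == "RUNNING PROCESSES":
            if line.strip('"').startswith("\\\\.\\"):   # \\.\globalroot\...: image hidden behind a device path
                findings.append(Finding("high", "process image behind a device path", line))
        elif section == "PSEUDO HJT REPORT":
            findings.extend(check_hjt_line(line))
        elif section == "SERVICES / DRIVERS":
            m = SERVICE_RE.match(line)
            if m and m.group(5).endswith("[?]"):        # DDS marks images it cannot find on disk with [?]
                boot_start = m.group(2) in ("0", "1")    # start type 0/1 = boot/system: loads before any AV
                findings.append(Finding("high" if boot_start else "medium",
                                        "service image not found on disk", line))
        elif section == "ROOTKIT":
            if line.startswith("Warning:"):
                findings.append(Finding("high", "rootkit detector warning", line))
            elif line.startswith("\\Driver\\") and "->" in line:
                findings.append(Finding("high", "kernel driver hook", line))
    return findings

def count_by_severity(findings):
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts

if __name__ == "__main__":
    results = triage_dds(SAMPLE_DDS)
    for f in results:
        print(f"[{f.severity:6}] {f.rule}: {f.line}")
    print(count_by_severity(results))
```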


#2 heir

(Malware Response Team)

Posted 01 August 2011 - 12:20 PM

Welcome to BleepingComputer!

Let's see if we can sort this out for you.

We'll start with a couple of other scans and go on from there.

Step 1.
aswMBR:

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it


Click the "Scan" button to start scan


On completion of the scan click Save log, save it to your desktop and post it in your next reply.


Step 2.
RKU:

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get the following warning, just click OK and continue.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


Step 3.
Things I would like to see in your reply:

  • The content of the log from aswMBR in step 1.
  • The content of the log from RKU in step 2.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click the donate button.


#3 Ballerina

(Topic Starter)

Posted 01 August 2011 - 09:25 PM

Thank you for your kind response. :)

Here are the logs you requested:


aswMBR version 0.9.8.978 Copyright© 2011 AVAST Software
Run date: 2011-08-01 18:34:52
-----------------------------
18:34:52.250 OS Version: Windows 5.1.2600 Service Pack 3
18:34:52.250 Number of processors: 1 586 0x207
18:34:52.250 ComputerName: WALLABY UserName: august
18:34:53.109 Initialize success
18:39:54.062 AVAST engine defs: 11080101
18:40:55.828 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:40:55.828 Disk 0 Vendor: WDC_WD2500JB-32FUA0 15.05R15 Size: 238475MB BusType: 3
18:40:55.828 Device \Driver\atapi -> DriverStartIo 83b2a31b
18:40:57.828 Disk 0 MBR read successfully
18:40:57.828 Disk 0 MBR scan
18:40:57.875 Disk 0 MBR:Alureon-G [Rtk]
18:40:57.875 Disk 0 TDL4@MBR code has been found
18:40:57.875 Disk 0 Windows XP default MBR code found via API
18:40:57.875 Disk 0 MBR hidden
18:40:57.890 Disk 0 MBR [TDL4] **ROOTKIT**
18:40:57.890 Disk 0 trace - called modules:
18:40:57.890 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x832b1aa0]<<
18:40:57.890 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x83bd7ab8]
18:40:57.906 3 CLASSPNP.SYS[f75a3fd7] -> nt!IofCallDriver -> [0x839bb4f0]
18:40:57.906 \Driver\00001404[0x8396bae8] -> IRP_MJ_CREATE -> 0x832b1aa0
18:40:58.171 AVAST engine scan C:\WINDOWS
18:41:05.656 AVAST engine scan C:\WINDOWS\system32
18:41:39.437 File: C:\WINDOWS\system32\HPZipm12.exe **INFECTED** Win32:Patched-WQ [Trj]
18:42:38.687 File: C:\WINDOWS\system32\nvsvc32.exe **INFECTED** Win32:Patched-WQ [Trj]
18:43:28.375 AVAST engine scan C:\WINDOWS\system32\drivers
18:43:33.546 File: C:\WINDOWS\system32\drivers\fips.sys **INFECTED** Win32:Sirefef-J [Rtk]
18:43:43.609 AVAST engine scan C:\Documents and Settings\august
18:49:39.546 AVAST engine scan C:\Documents and Settings\All Users
18:56:31.296 Scan finished successfully
18:57:27.750 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\august\Desktop\MBR.dat"
18:57:27.750 The log file has been saved successfully to "C:\Documents and Settings\august\Desktop\aswMBR.txt"



RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xEEA09000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 10235904 bytes
0xBD012000 C:\WINDOWS\System32\nv4_disp.dll 6434816 bytes
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2189952 bytes
0x804D7000 PnpManager 2189952 bytes
0x804D7000 RAW 2189952 bytes
0x804D7000 WMIxWDM 2189952 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes
0xF73BD000 Ntfs.sys 577536 bytes
0xEE8AE000 C:\WINDOWS\system32\drivers\smwdm.sys 540672 bytes
0xEC4C6000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes
0xEE770000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes
0xEC5CD000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes
0xB8378000 C:\WINDOWS\System32\DRIVERS\srv.sys 360448 bytes
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes
0xB803F000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes
0xEC492000 C:\WINDOWS\system32\drivers\klif.sys 212992 bytes
0xEE7CE000 C:\WINDOWS\System32\DRIVERS\rdpdr.sys 196608 bytes
0xF7514000 ACPI.sys 188416 bytes
0xB86E3000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes
0xF7390000 NDIS.sys 184320 bytes
0xEC536000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes
0xEC5A5000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes
0xF74BE000 dmio.sys 155648 bytes
0xEC46C000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes
0xEE88A000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes
0xEF3CC000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes
0xEE932000 C:\WINDOWS\System32\DRIVERS\ks.sys 143360 bytes
0xEC583000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes
0xEC561000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes
0x806EE000 ACPI_HAL 131840 bytes
0x806EE000 C:\WINDOWS\system32\hal.dll 131840 bytes
0xF7486000 fltmgr.sys 131072 bytes
0xF74E4000 ftdisk.sys 126976 bytes
0xF7359000 kl1.sys 118784 bytes
0xF7376000 Mup.sys 106496 bytes
0xF74A6000 atapi.sys 98304 bytes
0xEC454000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF745D000 KSecDD.sys 94208 bytes
0xEE759000 C:\WINDOWS\System32\DRIVERS\MarvinBus.sys 94208 bytes
0xEE80F000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes
0xB86A6000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes
0xEE876000 C:\WINDOWS\System32\DRIVERS\parport.sys 81920 bytes
0xEE9F5000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes
0xEC626000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes
0xF744A000 WudfPf.sys 77824 bytes
0xBD000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes
0xF7474000 sr.sys 73728 bytes
0xF7503000 pci.sys 69632 bytes
0xEE7FE000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes
0xF5932000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes
0xEFEA0000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes
0xEFE70000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes
0xEFE80000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes
0xEFE90000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes
0xF35EA000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes
0xEFCA3000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes
0xF75A3000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes
0xF5992000 C:\WINDOWS\system32\DRIVERS\HPZid412.sys 53248 bytes
0xEFE60000 C:\WINDOWS\System32\DRIVERS\i8042prt.sys 53248 bytes
0xEFE50000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes
0xF7583000 VolSnap.sys 53248 bytes
0xEFE30000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes
0xF5912000 C:\DOCUME~1\august\LOCALS~1\Temp\aswMBR.sys 45056 bytes
0xF03E3000 C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys 45056 bytes
0xEFEC0000 C:\WINDOWS\System32\DRIVERS\imapi.sys 45056 bytes
0xF7573000 MountMgr.sys 45056 bytes
0xEFE40000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes
0xF5DB8000 C:\WINDOWS\system32\drivers\` 45056 bytes
0xEFEB0000 C:\WINDOWS\System32\Drivers\AFS2K.SYS 40960 bytes
0xF7563000 isapnp.sys 40960 bytes
0xB8430000 C:\WINDOWS\system32\drivers\LMIRfsDriver.sys 40960 bytes
0xEFCB3000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes
0xF6EA0000 C:\WINDOWS\System32\DRIVERS\secdrv.sys 40960 bytes
0xEFCC3000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes
!!!!!!!!!!!Hidden driver: 0xF5982000 4153925864 36864 bytes
0xB6EDC000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xF7593000 disk.sys 36864 bytes
0xF6E60000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes
0xF03F3000 C:\WINDOWS\System32\DRIVERS\intelppm.sys 36864 bytes
0xEFD13000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes
0xEE9E5000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes
0xEE985000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes
0xF005D000 C:\WINDOWS\system32\DRIVERS\klim5.sys 32768 bytes
0xF7883000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes
0xEE856000 C:\WINDOWS\System32\DRIVERS\usbccgp.sys 32768 bytes
0xF0085000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes
0xF0075000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes
0xEFD81000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes
0xF77E3000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes
0xEE84E000 C:\WINDOWS\System32\DRIVERS\usbprint.sys 28672 bytes
0xEE836000 C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS 28672 bytes
0xEE846000 C:\WINDOWS\system32\DRIVERS\HPZius12.sys 24576 bytes
0xF0065000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes
0xF006D000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes
0xF7893000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes
0xF008D000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes
0xEFD79000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes
0xEFD91000 C:\WINDOWS\System32\DRIVERS\flpydisk.sys 20480 bytes
0xF788B000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes
0xEFDC1000 C:\WINDOWS\System32\DRIVERS\omci.sys 20480 bytes
0xF77EB000 PartMgr.sys 20480 bytes
0xF004D000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes
0xF0045000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes
0xF77F3000 C:\WINDOWS\system32\drivers\TDI.SYS 20480 bytes
0xF007D000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes
0xF78CB000 C:\WINDOWS\System32\watchdog.sys 20480 bytes
0xF6C11000 C:\WINDOWS\system32\DRIVERS\HPZipr12.sys 16384 bytes
0xEFE03000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes
0xF79F3000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes
0xF7A47000 C:\WINDOWS\System32\drivers\pclepci.sys 16384 bytes
0xF0224000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes
0xF7977000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes
0xF3ED3000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes
0xF7319000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes
0xF7A03000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes
0x83AC0000 C:\WINDOWS\system32\KDCOM.DLL 12288 bytes
0xF6C19000 C:\WINDOWS\System32\DRIVERS\mouhid.sys 12288 bytes
0xF0220000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes
0xF7A0B000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes
0xF7A33000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes
0xF7AC7000 C:\WINDOWS\system32\drivers\aeaudio.sys 8192 bytes
0xF7A7F000 C:\WINDOWS\System32\Drivers\ASCTRM.SYS 8192 bytes
0xF0DBF000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes
0xF7A65000 dmload.sys 8192 bytes
0xF7B05000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF0DC1000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes
0xF0DBD000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes
0xF7A7B000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes
0xF0DBB000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes
0xF7ACF000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes
0xF7AD1000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes
0xF7A63000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes
0xF0209000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes
0xF7BE3000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes
0xF020A000 C:\WINDOWS\system32\DRIVERS\lmimirr.sys 4096 bytes
0xF58B7000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes
0xF7B2B000 pciide.sys 4096 bytes
!!!!!!!!!!!Hidden driver: 0x83B2A31B ?_empty_? 3301 bytes
!!!!!!!!!!!Hidden driver: 0x832AB500 00001468 2816 bytes
0x832AB500 unknown_irp_handler 2816 bytes
0x832B0E50 unknown_irp_handler 432 bytes
!!!!!!!!!!!Hidden driver: 0x839752A0 00001337 0 bytes
==============================================
>Stealth
==============================================
0xF74A6000 WARNING: suspicious driver modification [atapi.sys::0x83B2A31B]
0x8336BBD2 Unknown page with executable code, 1070 bytes
0x8336A140 Unknown thread object [ ETHREAD 0x83A72830 ] TID: 572, 600 bytes
0x8336A140 Unknown thread object [ ETHREAD 0x83A7A020 ] TID: 576, 600 bytes
0x83335900 Unknown thread object [ ETHREAD 0x839E5D40 ] TID: 580, 600 bytes
0x83335900 Unknown thread object [ ETHREAD 0x83905DA8 ] TID: 584, 600 bytes
0x83337950 Unknown thread object [ ETHREAD 0x8384CAF0 ] TID: 592, 600 bytes
0x83337950 Unknown thread object [ ETHREAD 0x83843508 ] TID: 596, 600 bytes
0x83335900 Unknown thread object [ ETHREAD 0x8384A958 ] TID: 600, 600 bytes
0xF5986D20 Unknown thread object [ ETHREAD 0x83965BF0 ] TID: 872, 600 bytes
0x832B2525 Unknown thread object [ ETHREAD 0x83954A58 ] TID: 876, 600 bytes
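Added example (not from this thread or from any of the tools): three independent outputs here report the same DriverStartIo pointer for \Driver\atapi (aswMBR's "DriverStartIo 83b2a31b", RKU's stealth warning "[atapi.sys::0x83B2A31B]" and DDS's "DriverStartIo -> 0x83B2A31B"). The script below pulls that address out of each output and checks it against the driver image ranges RKU lists, so a hook target that lives in no loaded module stands out. The embedded logs are constructed excerpts of the ones posted, and the per-tool regexes are my assumptions about each tool's line format, based only on the lines in this thread.

```python
import re

# Constructed excerpts modelled on the aswMBR, RKU and DDS output in this thread.
ASWMBR_LOG = r"""
18:40:55.828 Device \Driver\atapi -> DriverStartIo 83b2a31b
18:40:57.890 Disk 0 MBR [TDL4] **ROOTKIT**
"""
RKU_LOG = r"""
>Drivers
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2189952 bytes
0xF74A6000 atapi.sys 98304 bytes
0xF7593000 disk.sys 36864 bytes
0xF75A3000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes
!!!!!!!!!!!Hidden driver: 0x83B2A31B ?_empty_? 3301 bytes
>Stealth
0xF74A6000 WARNING: suspicious driver modification [atapi.sys::0x83B2A31B]
"""
DDS_LOG = r"""
detected hooks:
\Driver\atapi DriverStartIo -> 0x83B2A31B
"""

# RKU module line: "<base> <image> <size> bytes"
MODULE_RE = re.compile(r"^0x([0-9A-Fa-f]+)\s+(.+?)\s+(\d+) bytes$")
# One pattern per tool answering "where does the DriverStartIo pointer go?" (assumed formats)
HOOK_PATTERNS = {
    "aswMBR": re.compile(r"DriverStartIo\s+([0-9A-Fa-f]{6,8})"),
    "RKU":    re.compile(r"::0x([0-9A-Fa-f]{6,8})\]"),
    "DDS":    re.compile(r"DriverStartIo\s*->\s*0x([0-9A-Fa-f]{6,8})"),
}

def parse_rku_modules(text):
    """Return [(name, base, size)] for every image RKU lists as loaded; hidden-driver lines are excluded."""
    mods = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("!"):    # "!!!Hidden driver:" entries are findings, not loaded images
            continue
        m = MODULE_RE.match(line)
        if m:
            base, image, size = int(m.group(1), 16), m.group(2), int(m.group(3))
            mods.append((image.rsplit("\\", 1)[-1], base, size))   # keep just the file name
    return mods

def hook_targets(tool, text):
    """Set of integer addresses the given tool reports as the DriverStartIo target."""
    return {int(h, 16) for h in HOOK_PATTERNS[tool].findall(text)}

def module_for(addr, modules):
    """Name of the loaded image whose [base, base+size) range contains addr, or None."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None

def correlate(reports, modules):
    """reports: {tool: raw text}. Returns {addr: {'tools': [...], 'module': name-or-None}}."""
    by_addr = {}
    for tool, text in reports.items():
        for addr in hook_targets(tool, text):
            by_addr.setdefault(addr, set()).add(tool)
    return {addr: {"tools": sorted(tools), "module": module_for(addr, modules)}
            for addr, tools in by_addr.items()}

if __name__ == "__main__":
    mods = parse_rku_modules(RKU_LOG)
    reports = {"aswMBR": ASWMBR_LOG, "RKU": RKU_LOG, "DDS": DDS_LOG}
    for addr, info in correlate(reports, mods).items():
        where = info["module"] or "no loaded module (unbacked kernel memory)"
        print(f"0x{addr:08X} reported by {', '.join(info['tools'])}; target lies in {where}")
```

A legitimate filter driver's StartIo routine would resolve to one of the listed images; a target that resolves to none is the pattern every tool in this thread is reacting to.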

#4 heir

(Malware Response Team)

Posted 02 August 2011 - 02:09 AM

Looks as if you've caught a nasty infection. This one might be tricky to get rid of.

Quote: "a version of Kaspersky that I have through Earthlink called Earthlink Protection Control Center"

As stated below, make sure this is disabled before running ComboFix.

Step 1.
ComboFix:

Download ComboFix from one of these locations:

Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. Here is a howto for some of the applications. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Step 2.
Things I would like to see in your reply:

  • The content of C:\ComboFix.txt from step 1.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Posted Image
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#5 Ballerina

Ballerina
  • Topic Starter

  • Members
  • 20 posts
  • Gender:Female
  • Local time:10:10 PM

Posted 03 August 2011 - 03:28 AM

I am unable to turn off Protection Control Center. I could not open it to turn it off. Next, I tried to uninstall the program. The uninstall seemed to work, but when I rebooted the computer to complete the uninstall, Windows Security Center said that Protection Control Center was still on.

Protection Control Center was no longer listed in ADD/Remove programs list, but when I performed a search for all files and folders it still appeared in the search results. In fact it appeared multiple times in the search results, because Search seemed to just keep repeating the search until I stopped it.

I started to run ComboFix, but it also said that Protection Control Center was still present. I stopped ComboFix because I do not want to damage my computer. What should I do next?

#6 heir

heir

  • Malware Response Team
  • 763 posts
  • Gender:Male
  • Local time:07:10 AM

Posted 03 August 2011 - 03:50 AM

That's probably some leftovers.
Let ComboFix run and post the content of the log (C:\ComboFix.txt).

Edited by heir, 03 August 2011 - 03:50 AM.



#7 Ballerina

Ballerina
  • Topic Starter

  • Members
  • 20 posts
  • Gender:Female
  • Local time:10:10 PM

Posted 03 August 2011 - 10:49 AM

Thanks! All went well, ComboFix ran without trouble.

Here is the ComboFix log:

ComboFix 11-08-03.02 - august 08/03/2011 8:11.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.430 [GMT -7:00]
Running from: c:\documents and settings\august\My Documents\Downloads\ComboFix.exe
AV: Protection Control Center *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Protection Control Center *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Acr8362.tmp
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm
c:\documents and settings\august\My Documents\~WRL0002.tmp
c:\documents and settings\august\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\LogMeInRemoteUser\WINDOWS
c:\program files\%APPDATA%
c:\program files\%APPDATA%\Microsoft\Windows Media\12.0\Windows Media Player ACM.lnk
c:\program files\Drop Down Deals
c:\program files\Drop Down Deals\YontooIEClient.dll
c:\program files\messenger\msmsgsin.exe
c:\windows\$NtUninstallKB15773$\1597349207\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB15773$\1597349207\click.tlb
c:\windows\$NtUninstallKB15773$\1597349207\L\blnylrmq
c:\windows\$NtUninstallKB15773$\1597349207\loader.tlb
c:\windows\$NtUninstallKB15773$\1597349207\U\@00000001
c:\windows\$NtUninstallKB15773$\1597349207\U\@000000c0
c:\windows\$NtUninstallKB15773$\1597349207\U\@000000cb
c:\windows\$NtUninstallKB15773$\1597349207\U\@000000cf
c:\windows\$NtUninstallKB15773$\1597349207\U\@80000000
c:\windows\$NtUninstallKB15773$\1597349207\U\@800000c0
c:\windows\$NtUninstallKB15773$\1597349207\U\@800000cb
c:\windows\$NtUninstallKB15773$\1597349207\U\@800000cf
c:\windows\$NtUninstallKB15773$\998695258
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\drivers\fad.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\encapi32.dll
c:\windows\system32\gPsrqtwa.ini
c:\windows\system32\regobj.dll
c:\windows\system32\rnaph.dll
c:\windows\system32\UNWISE.EXE
c:\windows\UNWISE.EXE
F:\Calculator.exe
c:\windows\$NtUninstallKB15773$ . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_CELINDRV
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-07-03 to 2011-08-03 )))))))))))))))))))))))))))))))
.
.
2011-07-30 00:18 . 2011-07-30 00:18 -------- d-----w- c:\documents and settings\august\Application Data\ElevatedDiagnostics
2011-07-29 04:40 . 2011-07-29 04:40 -------- d-----w- c:\documents and settings\august\Local Settings\Application Data\Solid State Networks
2011-07-29 04:34 . 2011-07-29 04:34 -------- d-----w- c:\program files\Common Files\Java
2011-07-29 04:33 . 2011-07-29 04:33 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-16 17:40 . 2011-07-16 17:40 -------- d-----w- c:\program files\Microsoft Silverlight
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-29 04:33 . 2010-05-02 21:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-07 02:52 . 2011-05-18 07:31 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52 . 2011-05-18 07:31 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-06 21:39 . 2011-06-18 12:56 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2007-06-14 323584]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"PinnacleDriverCheck"="c:\windows\System32\PSDrvCheck.exe" [2004-03-11 406016]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-04 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-04 13670504]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2002-08-29 44032]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HPHUPD05"="c:\program files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-08 49152]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2005-07-08 491520]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2009-11-20 583016]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\august\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-11 110592]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-29 02:34 87352 ----a-w- c:\windows\SYSTEM32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Return to Castle Wolfenstein\\WolfMP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"=
"c:\\Program Files\\Common Files\\Dell\\EUSW\\DSLog.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\WINDOWS\\SYSTEM32\\msfeedssync.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SDUpdate.exe"=
"c:\\Program Files\\TeleChart\\TeleChart.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\AnvSoft\\Any Video Converter\\VideoConverter.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Windows Media Player\\setup_wm.exe"=
"c:\\Documents and Settings\\august\\My Documents\\Downloads\\MicrosoftFixit.WinSecurity.Run.exe"=
"c:\\Program Files\\TurboTax\\Deluxe 2008\\32bit\\Turbotax.exe"=
"c:\\Documents and Settings\\august\\My Documents\\Downloads\\aswMBR.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [1/26/2005 11:47 AM 65604]
S0 ejklrxvx;ejklrxvx;c:\windows\system32\drivers\avulmspn.sys --> c:\windows\system32\drivers\avulmspn.sys [?]
S2 gupdate1ca09ca969da2fc;Google Update Service (gupdate1ca09ca969da2fc);c:\program files\Google\Update\GoogleUpdate.exe [7/20/2009 11:15 PM 133104]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S2 mrtRate;mrtRate; [x]
S2 PINNMB;MovieBox USB_B;c:\windows\SYSTEM32\DRIVERS\pinnmb.sys [11/28/2004 3:54 PM 31923]
S2 WindowsGame;Windows_Down;c:\windows\system32\Game.exe --> c:\windows\system32\Game.exe [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\SYSTEM32\DRIVERS\BW2NDIS5.SYS [11/1/2004 2:16 PM 17536]
S3 EarthLinkSafeConnectFilter;EarthLinkSafeConnectFilter;\??\c:\program files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectFilter.sys --> c:\program files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectFilter.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/20/2009 11:15 PM 133104]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
2011-08-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 06:14]
.
2011-08-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 06:14]
.
2011-08-03 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2008-07-29 04:55]
.
2011-08-03 c:\windows\Tasks\User_Feed_Synchronization-{B865B05B-D27E-44CB-BB53-551AF3161739}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.altavista.com/web/iepane?itag=ody&hl=off&fr=ieas&q={searchTerms}
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: EarthLink Google Search - c:\program files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
Trusted Zone: ameritrade.com
Trusted Zone: ameritrade.com\wwws
Trusted Zone: tdameritrade.com
Trusted Zone: tdameritrade.com\www
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\august\Application Data\Mozilla\Firefox\Profiles\ojl5k5yz.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.yahoo.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: CacheViewer: {71328583-3CA7-4809-B4BA-570A85818FBB} - %profile%\extensions\{71328583-3CA7-4809-B4BA-570A85818FBB}
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-nwiz - nwiz.exe
AddRemove-CamQuest6 Cam Selection Sim - c:\windows\UNWISE.EXE
AddRemove-Engine Masters DynoSim Advanced Version - c:\windows\UNWISE.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-03 08:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???????X:??????x???`???X??? ???????`???P???? ?w? ?w)??p????????(???}????U?w????????????0??????w, ?w?M?wW??w???w)??p????????x'@?????????X????????"@?e?????
.
scanning hidden files ...
.
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500JB-32FUA0 rev.15.05R15 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8373B31B
user & kernel MBR OK
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Executive Software\DiskeeperWorkstation\DKService.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\windows\system32\wdfmgr.exe
c:\windows\BCMSMMSG.exe
c:\windows\System32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2011-08-03 08:37:36 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-03 15:37
.
Pre-Run: 14,151,299,072 bytes free
Post-Run: 14,529,642,496 bytes free
.
- - End Of File - - B18F4CDA0A1E4F6190246FE4079FFE5E
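
The ComboFix logs in this thread (this one and the one in the reply to the CFScript run) contain the same handful of tell-tale lines a responder scans for first: a service entry whose image is recorded as `path --> path [?]` (the registry still points at a file ComboFix could not find), a boot-start `S0` driver with a random-looking name, Security Center `DisableMonitoring` values set to 1, and a `detected hooks` line from the GMER-based MBR detector. The Python below is an added example written for this page; it is not ComboFix's code and not something the helper posted. The names `Finding`, `triage` and `looks_random` are my own, and `SAMPLE_LOG` is constructed from lines of the log above.

```python
"""Triage of a ComboFix-style 'Reg Loading Points' section (added example)."""
import re
from dataclasses import dataclass

# Constructed sample, assembled from lines of the thread's ComboFix log.
SAMPLE_LOG = """\
R1 SASDIFSV;SASDIFSV;c:\\program files\\SUPERAntiSpyware\\sasdifsv.sys [2/17/2010 11:25 AM 12872]
S0 ejklrxvx;ejklrxvx;c:\\windows\\system32\\drivers\\avulmspn.sys --> c:\\windows\\system32\\drivers\\avulmspn.sys [?]
S2 mrtRate;mrtRate; [x]
S2 WindowsGame;Windows_Down;c:\\windows\\system32\\Game.exe --> c:\\windows\\system32\\Game.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\\program files\\Google\\Update\\GoogleUpdate.exe [7/20/2009 11:15 PM 133104]
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\services]
"Viewpoint Manager Service"=2 (0x2)
detected hooks:
\\Driver\\atapi DriverStartIo -> 0x8373B31B
"""


@dataclass(frozen=True)
class Finding:
    kind: str     # missing-image | random-driver-name | security-center-muted | driver-hook
    subject: str  # service name, registry key or driver object
    detail: str


# "R1 name;display;image [date size]" / "S0 name;display;image --> image [?]"
SERVICE_RE = re.compile(r'^([RS])(\d)\s+([^;]+);([^;]*);(.*)$')
REGKEY_RE = re.compile(r'^\[(.+)\]$')
DISABLE_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$')
# GMER-style hook line: \Driver\atapi DriverStartIo -> 0x8373B31B
HOOK_RE = re.compile(r'^\\Driver\\(\S+)\s+(\w+)\s*->\s*(0x[0-9A-Fa-f]+)$')


def looks_random(name: str) -> bool:
    """Heuristic only: eight lowercase letters with at most one vowel, as in
    'ejklrxvx'.  Legitimate drivers occasionally look like this, so this is a
    prompt for a closer look, not a verdict."""
    if not re.fullmatch(r'[a-z]{8}', name):
        return False
    return sum(ch in 'aeiou' for ch in name) <= 1


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and collect the indicators described in the lead-in."""
    findings: list[Finding] = []
    current_key = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            start_kind, start_type, name, _display, image = m.groups()
            # "[?]" after "-->" means ComboFix could not find the file on disk.
            if image.endswith('[?]') and '-->' in image:
                findings.append(Finding('missing-image', name,
                    f'{start_kind}{start_type} entry points at a file that does not exist: '
                    f'{image.split(" --> ")[0]}'))
            if start_type == '0' and looks_random(name):
                findings.append(Finding('random-driver-name', name,
                    'boot-start (S0) driver with a random-looking name'))
            continue
        m = REGKEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        if DISABLE_RE.match(line) and 'security center\\monitoring' in current_key:
            findings.append(Finding('security-center-muted', current_key,
                'Security Center alerts for this product are suppressed'))
            continue
        m = HOOK_RE.match(line)
        if m:
            driver, entry, addr = m.groups()
            findings.append(Finding('driver-hook', f'\\Driver\\{driver}',
                f'{entry} redirected to {addr}'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.kind}] {f.subject}: {f.detail}')
```

Run against the sample it reports the `ejklrxvx` driver twice (missing image and random name), the `WindowsGame` service once, both muted Security Center keys and the `atapi` hook; the `mrtRate` entry with `[x]` and the ordinary `R1`/`S3` services produce nothing. The heuristics are deliberately narrow so that a reader can see exactly which log feature triggered each finding.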

#8 heir

heir

  • Malware Response Team
  • 763 posts
  • Gender:Male
  • Local time:07:10 AM

Posted 03 August 2011 - 11:17 AM

Not quite what was expected.

Let's follow up with this

Step 1.
CFScript:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\windows\system32\drivers\avulmspn.sys
Folder::
c:\windows\$NtUninstallKB15773$
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-
Driver::
ejklrxvx

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2.
TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file in your reply.

Step 3.
aswMBR:

Double click the aswMBR.exe on your desktop to run it

Click the "Scan" button to start the scan

On completion of the scan, click "save log", save it to your desktop and post it in your next reply


Step 4.
Things I would like to see in your reply:

  • The content of C:\ComboFix.txt from step 1.
  • The content of the log from TDSSKiller in step 2.
  • The content of the log from aswMBR in step 3.
  • Information on how your computer is running after those steps.
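
Both the aswMBR output earlier in the thread (`WARNING: suspicious driver modification [atapi.sys::...]`) and the GMER detector's `\Driver\atapi DriverStartIo -> 0x8373B31B` line come from the same check that TDSSKiller and aswMBR, requested in steps 2 and 3, perform: the tool reads the kernel's driver object for the disk stack and asks where its dispatch and StartIo pointers lead. A pointer inside the owning driver's image is normal; one that lands in no loaded module at all is code the rootkit placed somewhere unlisted, which is why it is reported as a hook. The Python below is an added example written for this page, not the code of GMER, aswMBR or TDSSKiller, and it makes no attempt to read a live kernel. `KernelModule`, `MODULES`, `classify_pointer` and `report_hooks` are my names; the module table and the `IRP_MJ_READ` pointer are constructed values with plausible 32-bit Windows XP addresses, and the only number taken from the thread is the reported target `0x8373B31B`.

```python
"""Why a pointer outside every loaded module is reported as a hook (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class KernelModule:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed loaded-module table (assumed addresses, not read from a real system).
MODULES = [
    KernelModule("ntoskrnl.exe", 0x804D7000, 0x21E000),
    KernelModule("atapi.sys",    0xF74A6000, 0x017000),
    KernelModule("disk.sys",     0xF7520000, 0x009000),
]


def module_for(addr: int, modules=MODULES) -> Optional[KernelModule]:
    """Return the loaded module whose image range covers addr, or None."""
    return next((m for m in modules if m.contains(addr)), None)


def classify_pointer(owner_image: str, addr: int, modules=MODULES) -> str:
    """Classify one function pointer taken from a driver object.

    'own-image'    inside the owning driver's image: the expected case
    'other-module' inside a different loaded module: filter drivers do this
                   legitimately, so it merits a look rather than an alarm
    'unbacked'     inside no loaded module: code living in a page nothing
                   accounts for, which is what a rootkit hook looks like
    """
    m = module_for(addr, modules)
    if m is None:
        return "unbacked"
    return "own-image" if m.name.lower() == owner_image.lower() else "other-module"


def report_hooks(driver_object: str, owner_image: str,
                 pointers: dict, modules=MODULES) -> list[str]:
    """Emit a GMER-style line for every pointer not inside the owning image."""
    lines = []
    for entry, addr in pointers.items():
        verdict = classify_pointer(owner_image, addr, modules)
        if verdict != "own-image":
            lines.append(f"{driver_object} {entry} -> 0x{addr:08X} ({verdict})")
    return lines


# Constructed snapshot of \Driver\atapi: the read dispatch routine still
# points into atapi.sys, while DriverStartIo points at the address the
# thread's GMER log reported.
ATAPI_POINTERS = {
    "IRP_MJ_READ":   0xF74AB1C2,
    "DriverStartIo": 0x8373B31B,
}

if __name__ == "__main__":
    for line in report_hooks("\\Driver\\atapi", "atapi.sys", ATAPI_POINTERS):
        print(line)
```

With the constructed table the `IRP_MJ_READ` pointer is silent and `DriverStartIo` is reported as `unbacked`, which matches the shape of the log line in the thread. Real detectors add a second step not shown here: comparing the in-memory image of `atapi.sys` with the file on disk, which is what the aswMBR "suspicious driver modification" warning reflects.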



#9 Ballerina

Ballerina
  • Topic Starter

  • Members
  • 20 posts
  • Gender:Female
  • Local time:10:10 PM

Posted 03 August 2011 - 02:57 PM

As far as I can tell, all anti-malware ought to be disabled. After uninstalling Protection Control Center earlier, I have since followed that up with a search for any remnants of it, which I deleted. Oddly, Windows Security Center still says that Protection Control Center is running. It was the only service I have that actively monitored my computer. Even so, today I successfully uninstalled Malwarebytes. I tried to uninstall Spybot, but portions of it remain that I am unable to delete. I tried to uninstall SuperAntiSpyware, but when I clicked the Remove button it would not uninstall the program. I followed your instructions and ran the three programs.

Here are the three logs:

ComboFix 11-08-03.02 - august 08/03/2011 11:08:59.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.410 [GMT -7:00]
Running from: c:\documents and settings\august\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\august\Desktop\CFScript.txt
AV: Protection Control Center *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Protection Control Center *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
FILE ::
"c:\windows\system32\drivers\avulmspn.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB15773$ . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_ejklrxvx
.
.
((((((((((((((((((((((((( Files Created from 2011-07-03 to 2011-08-03 )))))))))))))))))))))))))))))))
.
.
2011-07-30 00:18 . 2011-07-30 00:18 -------- d-----w- c:\documents and settings\august\Application Data\ElevatedDiagnostics
2011-07-29 04:40 . 2011-07-29 04:40 -------- d-----w- c:\documents and settings\august\Local Settings\Application Data\Solid State Networks
2011-07-29 04:34 . 2011-07-29 04:34 -------- d-----w- c:\program files\Common Files\Java
2011-07-29 04:33 . 2011-07-29 04:33 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-16 17:40 . 2011-07-16 17:40 -------- d-----w- c:\program files\Microsoft Silverlight
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-29 04:33 . 2010-05-02 21:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-06 21:39 . 2011-06-18 12:56 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-03_15.30.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-03 18:22 . 2011-08-03 18:22 16384 c:\windows\Temp\Perflib_Perfdata_450.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2007-06-14 323584]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"PinnacleDriverCheck"="c:\windows\System32\PSDrvCheck.exe" [2004-03-11 406016]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-04 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-04 13670504]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2002-08-29 44032]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HPHUPD05"="c:\program files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-08 49152]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2005-07-08 491520]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2009-11-20 583016]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\august\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-11 110592]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-29 02:34 87352 ----a-w- c:\windows\SYSTEM32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Return to Castle Wolfenstein\\WolfMP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"=
"c:\\Program Files\\Common Files\\Dell\\EUSW\\DSLog.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\WINDOWS\\SYSTEM32\\msfeedssync.exe"=
"c:\\Program Files\\TeleChart\\TeleChart.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\AnvSoft\\Any Video Converter\\VideoConverter.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Windows Media Player\\setup_wm.exe"=
"c:\\Documents and Settings\\august\\My Documents\\Downloads\\MicrosoftFixit.WinSecurity.Run.exe"=
"c:\\Program Files\\TurboTax\\Deluxe 2008\\32bit\\Turbotax.exe"=
"c:\\Documents and Settings\\august\\My Documents\\Downloads\\aswMBR.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [1/26/2005 11:47 AM 65604]
S2 gupdate1ca09ca969da2fc;Google Update Service (gupdate1ca09ca969da2fc);c:\program files\Google\Update\GoogleUpdate.exe [7/20/2009 11:15 PM 133104]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S2 mrtRate;mrtRate; [x]
S2 PINNMB;MovieBox USB_B;c:\windows\SYSTEM32\DRIVERS\pinnmb.sys [11/28/2004 3:54 PM 31923]
S2 WindowsGame;Windows_Down;c:\windows\system32\Game.exe --> c:\windows\system32\Game.exe [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\SYSTEM32\DRIVERS\BW2NDIS5.SYS [11/1/2004 2:16 PM 17536]
S3 EarthLinkSafeConnectFilter;EarthLinkSafeConnectFilter;\??\c:\program files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectFilter.sys --> c:\program files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectFilter.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/20/2009 11:15 PM 133104]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
2011-08-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 06:14]
.
2011-08-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 06:14]
.
2011-08-03 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2008-07-29 04:55]
.
2011-08-03 c:\windows\Tasks\User_Feed_Synchronization-{B865B05B-D27E-44CB-BB53-551AF3161739}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.altavista.com/web/iepane?itag=ody&hl=off&fr=ieas&q={searchTerms}
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: EarthLink Google Search - c:\program files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
Trusted Zone: ameritrade.com
Trusted Zone: ameritrade.com\wwws
Trusted Zone: tdameritrade.com
Trusted Zone: tdameritrade.com\www
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\august\Application Data\Mozilla\Firefox\Profiles\ojl5k5yz.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.yahoo.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: CacheViewer: {71328583-3CA7-4809-B4BA-570A85818FBB} - %profile%\extensions\{71328583-3CA7-4809-B4BA-570A85818FBB}
.
.
**************************************************************************


.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-03 11:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???????X:??????x???`???X??? ???????`???P???? ?w? ?w)??p????????(???}????U?w????????????0??????w, ?w?M?wW??w???w)??p????????x'@?????????X????????"@?e?????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500JB-32FUA0 rev.15.05R15 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8373B31B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(684)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(3064)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Executive Software\DiskeeperWorkstation\DKService.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\BCMSMMSG.exe
c:\program files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\windows\system32\wdfmgr.exe
c:\windows\System32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2011-08-03 11:27:58 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-03 18:27
ComboFix2.txt 2011-08-03 15:37
.
Pre-Run: 14,523,326,464 bytes free
Post-Run: 14,503,604,224 bytes free
.
- - End Of File - - 9BDAEF22B29810E9921FFFC504C1BAC8





2011/08/03 11:38:29.0640 3776 TDSS rootkit removing tool 2.5.13.0 Jul 29 2011 17:24:11
2011/08/03 11:38:30.0671 3776 ================================================================================
2011/08/03 11:38:30.0671 3776 SystemInfo:
2011/08/03 11:38:30.0671 3776
2011/08/03 11:38:30.0671 3776 OS Version: 5.1.2600 ServicePack: 3.0
2011/08/03 11:38:30.0671 3776 Product type: Workstation
2011/08/03 11:38:30.0671 3776 ComputerName: WALLABY
2011/08/03 11:38:30.0671 3776 UserName: august
2011/08/03 11:38:30.0671 3776 Windows directory: C:\WINDOWS
2011/08/03 11:38:30.0671 3776 System windows directory: C:\WINDOWS
2011/08/03 11:38:30.0671 3776 Processor architecture: Intel x86
2011/08/03 11:38:30.0671 3776 Number of processors: 1
2011/08/03 11:38:30.0671 3776 Page size: 0x1000
2011/08/03 11:38:30.0671 3776 Boot type: Normal boot
2011/08/03 11:38:30.0671 3776 ================================================================================
2011/08/03 11:38:31.0890 3776 Initialize success
2011/08/03 11:38:36.0500 3852 ================================================================================
2011/08/03 11:38:36.0500 3852 Scan started
2011/08/03 11:38:36.0500 3852 Mode: Manual;
2011/08/03 11:38:36.0500 3852 ================================================================================
2011/08/03 11:38:37.0906 3852 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS
2011/08/03 11:38:38.0000 3852 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/08/03 11:38:38.0093 3852 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/08/03 11:38:38.0187 3852 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\System32\DRIVERS\adpu160m.sys
2011/08/03 11:38:38.0265 3852 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
2011/08/03 11:38:38.0343 3852 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/08/03 11:38:38.0453 3852 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/08/03 11:38:38.0546 3852 AFS2K (c685cc27a2e637f0dcb5a45e67cc6f74) C:\WINDOWS\system32\drivers\AFS2K.sys
2011/08/03 11:38:38.0640 3852 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\System32\DRIVERS\agp440.sys
2011/08/03 11:38:38.0718 3852 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\System32\DRIVERS\agpCPQ.sys
2011/08/03 11:38:38.0812 3852 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\System32\DRIVERS\aha154x.sys
2011/08/03 11:38:38.0890 3852 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\System32\DRIVERS\aic78u2.sys
2011/08/03 11:38:38.0953 3852 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\System32\DRIVERS\aic78xx.sys
2011/08/03 11:38:39.0062 3852 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\System32\DRIVERS\aliide.sys
2011/08/03 11:38:39.0140 3852 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\System32\DRIVERS\alim1541.sys
2011/08/03 11:38:39.0234 3852 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\System32\DRIVERS\amdagp.sys
2011/08/03 11:38:39.0312 3852 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\System32\DRIVERS\amsint.sys
2011/08/03 11:38:39.0421 3852 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\System32\DRIVERS\asc.sys
2011/08/03 11:38:39.0500 3852 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\System32\DRIVERS\asc3350p.sys
2011/08/03 11:38:39.0578 3852 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\System32\DRIVERS\asc3550.sys
2011/08/03 11:38:39.0687 3852 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
2011/08/03 11:38:39.0828 3852 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/08/03 11:38:39.0890 3852 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/08/03 11:38:40.0031 3852 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/08/03 11:38:40.0125 3852 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/08/03 11:38:40.0234 3852 bcm4sbxp (f5c0d3c93235a455cdd13c954adf1a80) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
2011/08/03 11:38:40.0375 3852 BCMModem (41347688046d49cde0f6d138a534f73d) C:\WINDOWS\system32\DRIVERS\BCMSM.sys
2011/08/03 11:38:40.0484 3852 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/08/03 11:38:40.0656 3852 BW2NDIS5 (71cb7616cb36d43ea787c41ab55fe458) C:\WINDOWS\system32\Drivers\BW2NDIS5.sys
2011/08/03 11:38:40.0781 3852 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\System32\DRIVERS\cbidf2k.sys
2011/08/03 11:38:40.0859 3852 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/08/03 11:38:40.0937 3852 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\System32\DRIVERS\cd20xrnt.sys
2011/08/03 11:38:41.0000 3852 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/08/03 11:38:41.0078 3852 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/08/03 11:38:41.0156 3852 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/08/03 11:38:41.0343 3852 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\System32\DRIVERS\cmdide.sys
2011/08/03 11:38:41.0484 3852 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\System32\DRIVERS\cpqarray.sys
2011/08/03 11:38:41.0593 3852 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\System32\DRIVERS\dac2w2k.sys
2011/08/03 11:38:41.0671 3852 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\System32\DRIVERS\dac960nt.sys
2011/08/03 11:38:41.0765 3852 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/08/03 11:38:41.0906 3852 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/08/03 11:38:41.0968 3852 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys
2011/08/03 11:38:42.0031 3852 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/08/03 11:38:42.0125 3852 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/08/03 11:38:42.0218 3852 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\System32\DRIVERS\dpti2o.sys
2011/08/03 11:38:42.0296 3852 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/08/03 11:38:42.0468 3852 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
2011/08/03 11:38:42.0640 3852 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/08/03 11:38:42.0734 3852 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/08/03 11:38:42.0812 3852 Fips (7a5372b054c633302f2ce08236d82d64) C:\WINDOWS\system32\drivers\Fips.sys
2011/08/03 11:38:42.0828 3852 Fips - detected Rootkit.Win32.ZAccess.e (0)
2011/08/03 11:38:42.0875 3852 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/08/03 11:38:42.0968 3852 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/08/03 11:38:43.0031 3852 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/08/03 11:38:43.0109 3852 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/08/03 11:38:43.0171 3852 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/08/03 11:38:43.0296 3852 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/08/03 11:38:43.0390 3852 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\System32\DRIVERS\hpn.sys
2011/08/03 11:38:43.0500 3852 HPZid412 (5faba4775d4c61e55ec669d643ffc71f) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/08/03 11:38:43.0562 3852 HPZipr12 (a3c43980ee1f1beac778b44ea65dbdd4) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/08/03 11:38:43.0671 3852 HPZius12 (2906949bd4e206f2bb0dd1896ce9f66f) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/08/03 11:38:43.0781 3852 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/08/03 11:38:43.0875 3852 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/08/03 11:38:43.0953 3852 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\System32\DRIVERS\i2omp.sys
2011/08/03 11:38:44.0015 3852 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/08/03 11:38:44.0375 3852 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
2011/08/03 11:38:44.0515 3852 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
2011/08/03 11:38:44.0609 3852 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
2011/08/03 11:38:44.0687 3852 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
2011/08/03 11:38:44.0796 3852 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
2011/08/03 11:38:44.0890 3852 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
2011/08/03 11:38:44.0968 3852 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
2011/08/03 11:38:45.0031 3852 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
2011/08/03 11:38:45.0156 3852 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
2011/08/03 11:38:45.0250 3852 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
2011/08/03 11:38:45.0359 3852 ialm (44b7d5a4f2bd9fe21aea0bb0bace38c4) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/08/03 11:38:45.0500 3852 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/08/03 11:38:45.0609 3852 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\System32\DRIVERS\ini910u.sys
2011/08/03 11:38:45.0718 3852 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\System32\DRIVERS\intelide.sys
2011/08/03 11:38:45.0796 3852 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/08/03 11:38:45.0875 3852 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/08/03 11:38:45.0953 3852 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/08/03 11:38:46.0015 3852 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/08/03 11:38:46.0093 3852 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/08/03 11:38:46.0171 3852 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/08/03 11:38:46.0250 3852 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/08/03 11:38:46.0328 3852 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/08/03 11:38:46.0406 3852 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/08/03 11:38:46.0500 3852 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/08/03 11:38:46.0593 3852 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/08/03 11:38:46.0875 3852 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys
2011/08/03 11:38:47.0015 3852 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2011/08/03 11:38:47.0109 3852 MarvinBus (1ff75994bab460c9b809260dba779cfd) C:\WINDOWS\system32\DRIVERS\MarvinBus.sys
2011/08/03 11:38:47.0187 3852 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/08/03 11:38:47.0296 3852 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/08/03 11:38:47.0406 3852 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/08/03 11:38:47.0484 3852 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/08/03 11:38:47.0578 3852 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/08/03 11:38:47.0656 3852 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/08/03 11:38:47.0750 3852 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\System32\DRIVERS\mraid35x.sys
2011/08/03 11:38:47.0890 3852 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/08/03 11:38:48.0000 3852 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/08/03 11:38:48.0093 3852 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/08/03 11:38:48.0171 3852 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/08/03 11:38:48.0250 3852 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/08/03 11:38:48.0328 3852 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/08/03 11:38:48.0390 3852 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/08/03 11:38:48.0468 3852 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/08/03 11:38:48.0546 3852 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/08/03 11:38:48.0640 3852 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/08/03 11:38:48.0703 3852 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/08/03 11:38:48.0765 3852 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/08/03 11:38:48.0828 3852 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/08/03 11:38:48.0890 3852 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/08/03 11:38:48.0968 3852 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/08/03 11:38:49.0125 3852 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/08/03 11:38:49.0203 3852 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/08/03 11:38:49.0296 3852 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/08/03 11:38:49.0750 3852 nv (30913cbf518396912e54c2c9f1dd0f09) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/08/03 11:38:50.0171 3852 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/08/03 11:38:50.0265 3852 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/08/03 11:38:50.0359 3852 omci (1d98907d80461371437a7c898c58c8ae) C:\WINDOWS\system32\DRIVERS\omci.sys
2011/08/03 11:38:50.0453 3852 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
2011/08/03 11:38:50.0531 3852 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/08/03 11:38:50.0625 3852 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/08/03 11:38:50.0718 3852 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/08/03 11:38:50.0781 3852 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/08/03 11:38:50.0921 3852 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/08/03 11:38:50.0984 3852 PCLEPCI (1bebe7de8508a02650cdce45c664c2a2) C:\WINDOWS\System32\drivers\pclepci.sys
2011/08/03 11:38:51.0078 3852 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/08/03 11:38:51.0390 3852 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\System32\DRIVERS\perc2.sys
2011/08/03 11:38:51.0468 3852 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\System32\DRIVERS\perc2hib.sys
2011/08/03 11:38:51.0625 3852 PINNMB (df3980f5796123208b24b930b82c1770) C:\WINDOWS\system32\Drivers\pinnmb.sys
2011/08/03 11:38:51.0750 3852 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/08/03 11:38:51.0812 3852 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/08/03 11:38:51.0890 3852 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/08/03 11:38:51.0953 3852 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/08/03 11:38:52.0046 3852 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\System32\DRIVERS\ql1080.sys
2011/08/03 11:38:52.0125 3852 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\System32\DRIVERS\ql10wnt.sys
2011/08/03 11:38:52.0218 3852 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\System32\DRIVERS\ql12160.sys
2011/08/03 11:38:52.0296 3852 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\System32\DRIVERS\ql1240.sys
2011/08/03 11:38:52.0375 3852 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\System32\DRIVERS\ql1280.sys
2011/08/03 11:38:52.0453 3852 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/08/03 11:38:52.0546 3852 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/08/03 11:38:52.0625 3852 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/08/03 11:38:52.0703 3852 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/08/03 11:38:52.0781 3852 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/08/03 11:38:52.0843 3852 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/08/03 11:38:52.0937 3852 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/08/03 11:38:53.0015 3852 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/08/03 11:38:53.0109 3852 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/08/03 11:38:53.0296 3852 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/08/03 11:38:53.0328 3852 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/08/03 11:38:53.0437 3852 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/08/03 11:38:53.0531 3852 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/08/03 11:38:53.0625 3852 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/08/03 11:38:53.0750 3852 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/08/03 11:38:53.0921 3852 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\System32\DRIVERS\sisagp.sys
2011/08/03 11:38:54.0046 3852 smwdm (70b8dd8707dbf6142530c106365df67d) C:\WINDOWS\system32\drivers\smwdm.sys
2011/08/03 11:38:54.0140 3852 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
2011/08/03 11:38:54.0234 3852 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\System32\DRIVERS\sparrow.sys
2011/08/03 11:38:54.0328 3852 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/08/03 11:38:54.0421 3852 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/08/03 11:38:54.0515 3852 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/08/03 11:38:54.0640 3852 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/08/03 11:38:54.0703 3852 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/08/03 11:38:54.0812 3852 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\System32\DRIVERS\symc810.sys
2011/08/03 11:38:54.0906 3852 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\System32\DRIVERS\symc8xx.sys
2011/08/03 11:38:55.0000 3852 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\System32\DRIVERS\sym_hi.sys
2011/08/03 11:38:55.0093 3852 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\System32\DRIVERS\sym_u3.sys
2011/08/03 11:38:55.0171 3852 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/08/03 11:38:55.0296 3852 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/08/03 11:38:55.0375 3852 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/08/03 11:38:55.0453 3852 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/08/03 11:38:55.0531 3852 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/08/03 11:38:55.0671 3852 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\System32\DRIVERS\toside.sys
2011/08/03 11:38:55.0781 3852 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/08/03 11:38:55.0859 3852 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\System32\DRIVERS\ultra.sys
2011/08/03 11:38:55.0968 3852 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/08/03 11:38:56.0093 3852 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/08/03 11:38:56.0171 3852 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/08/03 11:38:56.0234 3852 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/08/03 11:38:56.0296 3852 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/08/03 11:38:56.0359 3852 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/08/03 11:38:56.0421 3852 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/08/03 11:38:56.0484 3852 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/08/03 11:38:56.0562 3852 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/08/03 11:38:56.0640 3852 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/08/03 11:38:56.0718 3852 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\System32\DRIVERS\viaagp.sys
2011/08/03 11:38:56.0812 3852 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\System32\DRIVERS\viaide.sys
2011/08/03 11:38:56.0921 3852 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/08/03 11:38:57.0015 3852 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/08/03 11:38:57.0140 3852 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/08/03 11:38:57.0390 3852 WpdUsb (c1b3d9d75c3fb735f5fa3a5806aded57) C:\WINDOWS\system32\Drivers\wpdusb.sys
2011/08/03 11:38:57.0484 3852 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/08/03 11:38:57.0593 3852 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/08/03 11:38:57.0687 3852 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/08/03 11:38:57.0828 3852 {6080A529-897E-4629-A488-ABA0C29B635E} (afeffe0f8805fcd47b05cf1fbde08092) C:\WINDOWS\system32\drivers\ialmsbw.sys
2011/08/03 11:38:57.0921 3852 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (85a36991a5ceaf9e65c4b743210e759b) C:\WINDOWS\system32\drivers\ialmkchw.sys
2011/08/03 11:38:57.0968 3852 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/08/03 11:38:57.0984 3852 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/08/03 11:38:58.0000 3852 Boot (0x1200) (6146817090a6da6728a442645225bd6e) \Device\Harddisk0\DR0\Partition0
2011/08/03 11:38:58.0046 3852 Boot (0x1200) (7d91df0e330986d11c4ffe7a98f5a6a8) \Device\Harddisk0\DR0\Partition1
2011/08/03 11:38:58.0078 3852 ================================================================================
2011/08/03 11:38:58.0078 3852 Scan finished
2011/08/03 11:38:58.0078 3852 ================================================================================
2011/08/03 11:38:58.0093 2856 Detected object count: 2
2011/08/03 11:38:58.0093 2856 Actual detected object count: 2
2011/08/03 11:41:18.0484 2856 Fips (7a5372b054c633302f2ce08236d82d64) C:\WINDOWS\system32\drivers\Fips.sys
2011/08/03 11:41:18.0484 2856 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\fips.sys) error 1813
2011/08/03 11:41:25.0703 2856 Backup copy found, using it..
2011/08/03 11:41:25.0718 2856 C:\WINDOWS\system32\drivers\Fips.sys - will be cured after reboot
2011/08/03 11:41:25.0718 2856 Rootkit.Win32.ZAccess.e(Fips) - User select action: Cure
2011/08/03 11:41:25.0812 2856 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/08/03 11:41:25.0812 2856 \Device\Harddisk0\DR0 - ok
2011/08/03 11:41:25.0812 2856 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/08/03 11:41:44.0343 3720 Deinitialize success

aswMBR version 0.9.8.978 Copyright© 2011 AVAST Software
Run date: 2011-08-03 11:56:27
-----------------------------
11:56:27.843 OS Version: Windows 5.1.2600 Service Pack 3
11:56:27.843 Number of processors: 1 586 0x207
11:56:27.843 ComputerName: WALLABY UserName: august
11:56:28.171 Initialize success
12:01:19.640 AVAST engine defs: 11080301
12:04:50.609 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
12:04:50.625 Disk 0 Vendor: WDC_WD2500JB-32FUA0 15.05R15 Size: 238475MB BusType: 3
12:04:52.625 Disk 0 MBR read successfully
12:04:52.625 Disk 0 MBR scan
12:04:52.671 Disk 0 Windows XP default MBR code
12:04:52.687 Disk 0 scanning sectors +488392065
12:04:52.765 Disk 0 scanning C:\WINDOWS\system32\drivers
12:05:05.015 Service scanning
12:05:06.218 Modules scanning
12:05:11.015 Disk 0 trace - called modules:
12:05:11.046 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
12:05:11.046 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x83b46ab8]
12:05:11.046 3 CLASSPNP.SYS[f75a3fd7] -> nt!IofCallDriver -> \Device\00000061[0x83b4a168]
12:05:11.046 5 ACPI.sys[f7505620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x83b4d940]
12:05:11.468 AVAST engine scan C:\WINDOWS
12:05:18.968 AVAST engine scan C:\WINDOWS\system32
12:05:52.781 File: C:\WINDOWS\system32\HPZipm12.exe **INFECTED** Win32:Patched-WQ [Trj]
12:06:53.750 File: C:\WINDOWS\system32\nvsvc32.exe **INFECTED** Win32:Patched-WQ [Trj]
12:07:52.921 AVAST engine scan C:\WINDOWS\system32\drivers
12:08:12.187 AVAST engine scan C:\Documents and Settings\august
12:17:25.796 AVAST engine scan C:\Documents and Settings\All Users
12:17:55.218 Scan finished successfully
12:18:42.000 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\august\Desktop\MBR.dat"
12:18:42.000 The log file has been saved successfully to "C:\Documents and Settings\august\Desktop\aswMBR2.txt"


Computer function: It's better! It runs much faster, back up to its normal speed. However, I still cannot open my one remaining anti-malware program SuperAntiSpyware. Any attempt to do so still generates the previous access denied message. I still cannot uninstall/delete it either. Windows Security Center still shows Protection Control Center as being on. Additionally, a number of my programs are hidden, some folders are shown as empty although the programs are still on the machine.

Thank you for your continuing efforts, this thing is stubborn. :)
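An added example (mine, not part of the post above and not code from TDSSKiller, aswMBR, ComboFix or Gmer): a small Python triage script that reads the three log formats pasted in this post and returns every detection as one list. It shows what a reader has to do by hand when skimming these logs: a TDSSKiller "detected" line names only a service ("Fips") or a device object ("\Device\Harddisk0\DR0"), so the hash and on-disk path must be pulled from the driver-table entry printed earlier (for the TDL4 verdict that is the "MBR (0x1B8)" line), and a "will be cured after reboot" line means the fix is scheduled, not applied. The regular expressions are written against the exact lines on this page and are an assumption for other versions of these tools; the sample input is copied from the logs above (constructed input for this demo), and the Detection record and function names are this example's own.

```python
"""Triage helper for rootkit-scanner logs of the kind pasted above.

Added example, not part of the original post and not code from TDSSKiller,
aswMBR, ComboFix or Gmer. It parses three line formats exactly as they
appear in the logs on this page and returns every detection in one list.
SAMPLE at the bottom is copied from those logs (constructed input for this
demo); the Detection record and the function names are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    tool: str
    obj: str                       # service name, file path or device object
    verdict: str                   # the scanner's own label, verbatim
    md5: str = ""                  # only TDSSKiller prints a hash
    path: str = ""
    pending_reboot: bool = False   # "will be cured after reboot": nothing is fixed yet


# TDSSKiller driver table: "<date> <time> <pid> <name> (<md5>) <path>"
TDSS_ENTRY = re.compile(r"^\S+ \S+ \d+ (?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# TDSSKiller verdict line: "<date> <time> <pid> <name> - detected <verdict> (0)"
TDSS_DETECT = re.compile(r"^\S+ \S+ \d+ (?P<name>.+?) - detected (?P<verdict>\S+) \(\d+\)$")
# TDSSKiller cure line; the device form carries the verdict in parentheses after the object
TDSS_CURE = re.compile(r"^\S+ \S+ \d+ (?P<obj>.+?)(?: \([^)]*\))? - will be cured after reboot$")
# aswMBR: "<time> File: <path> **INFECTED** <verdict>"
ASW_INFECTED = re.compile(r"^\S+ File: (?P<path>.+?) \*\*INFECTED\*\* (?P<verdict>.+)$")
# Gmer MBR check inside the ComboFix log, under "detected hooks:"
GMER_HOOK = re.compile(r"^(?P<obj>\\Driver\\\S+ \S+) -> (?P<addr>0x[0-9A-Fa-f]+)$")


def parse_tdsskiller(text: str) -> list[Detection]:
    entries: dict[str, tuple[str, str]] = {}   # service name -> (md5, path)
    by_path: dict[str, str] = {}               # lower-cased path -> md5
    verdicts: dict[str, str] = {}              # name on the "detected" line -> verdict
    pending: set[str] = set()                  # lower-cased objects scheduled for cure
    for line in map(str.strip, text.splitlines()):
        if m := TDSS_ENTRY.match(line):
            entries[m["name"]] = (m["md5"], m["path"])
            by_path[m["path"].lower()] = m["md5"]
        elif m := TDSS_DETECT.match(line):
            verdicts[m["name"]] = m["verdict"]
        elif m := TDSS_CURE.match(line):
            pending.add(m["obj"].lower())
    found = []
    for name, verdict in verdicts.items():
        if name in entries:                     # a driver, e.g. "Fips"
            md5, path = entries[name]
        else:                                   # a device object, e.g. "\Device\Harddisk0\DR0"
            md5, path = by_path.get(name.lower(), ""), name
        fixed = path.lower() in pending or name.lower() in pending
        found.append(Detection("TDSSKiller", name, verdict, md5, path, fixed))
    return found


def parse_aswmbr(text: str) -> list[Detection]:
    return [Detection("aswMBR", m["path"], m["verdict"], path=m["path"])
            for m in map(ASW_INFECTED.match, map(str.strip, text.splitlines())) if m]


def parse_gmer_hooks(text: str) -> list[Detection]:
    return [Detection("Gmer MBR check", m["obj"], f"hooked -> {m['addr']}")
            for m in map(GMER_HOOK.match, map(str.strip, text.splitlines())) if m]


def triage(log_text: str) -> list[Detection]:
    """Run every parser over one blob of pasted logs; lines nobody recognises are ignored."""
    return parse_tdsskiller(log_text) + parse_aswmbr(log_text) + parse_gmer_hooks(log_text)


def needs_reboot(found: list[Detection]) -> bool:
    return any(d.pending_reboot for d in found)


# Constructed input: lines copied from the TDSSKiller, aswMBR and ComboFix logs above.
SAMPLE = r"""
2011/08/03 11:38:42.0812 3852 Fips (7a5372b054c633302f2ce08236d82d64) C:\WINDOWS\system32\drivers\Fips.sys
2011/08/03 11:38:42.0828 3852 Fips - detected Rootkit.Win32.ZAccess.e (0)
2011/08/03 11:38:42.0875 3852 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/08/03 11:38:57.0968 3852 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/08/03 11:38:57.0984 3852 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/08/03 11:38:58.0000 3852 Boot (0x1200) (6146817090a6da6728a442645225bd6e) \Device\Harddisk0\DR0\Partition0
2011/08/03 11:41:25.0718 2856 C:\WINDOWS\system32\drivers\Fips.sys - will be cured after reboot
2011/08/03 11:41:25.0812 2856 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
12:05:52.781 File: C:\WINDOWS\system32\HPZipm12.exe **INFECTED** Win32:Patched-WQ [Trj]
12:06:53.750 File: C:\WINDOWS\system32\nvsvc32.exe **INFECTED** Win32:Patched-WQ [Trj]
detected hooks:
\Driver\atapi DriverStartIo -> 0x8373B31B
user & kernel MBR OK
"""

if __name__ == "__main__":
    results = triage(SAMPLE)
    for d in results:
        flag = " (fix pending reboot)" if d.pending_reboot else ""
        print(f"{d.tool:15} {d.obj:40} {d.verdict}{flag}")
        if d.md5:
            print(f"{'':15} md5={d.md5} path={d.path}")
    if needs_reboot(results):
        print("Reboot before trusting any follow-up scan: the cure is applied at next boot.")
```

Run stand-alone it prints the two TDSSKiller verdicts with the hash and path taken from the table entries, the two files aswMBR flagged as patched, and the atapi DriverStartIo hook the Gmer check listed. The correlation is the useful part: a verdict line alone does not tell you which file to upload or which sector was rewritten, and the cure lines only record that a fix was scheduled, which is why a scan after the restart is the confirming step.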

#10 heir

  • Malware Response Team
  • 763 posts

Posted 03 August 2011 - 03:20 PM

Ah, progress!

Additionally, a number of my programs are hidden, some folders are shown as empty although the programs are still on the machine.

Could you please elaborate on this?

Let's continue with some more steps.


Step 1.
Filescans:

Please go to: VirusTotal

  • On the page you'll find a Browse button.
  • Click on the Browse button.
  • In the Choose File to Upload window which opens, copy and paste this into the File Name box.

    C:\WINDOWS\system32\HPZipm12.exe

  • Next, click the Open button.
  • Then click the Send File button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.


Please repeat for the following file:

C:\WINDOWS\system32\nvsvc32.exe



Step 2.
CFScript:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Folder::
c:\windows\$NtUninstallKB15773$

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 3.
MBAM:

  • Launch Malwarebytes' Anti-Malware.
  • Update Malwarebytes' Anti-Malware.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Step 4.
Things I would like to see in your reply:

  • Answer to my request in the beginning of this post.
  • The two links to the results from the filescans in step 1.
  • The content of C:\ComboFix.txt from step 2.
  • The content of the log from MBAM in step 3.
  • Information on how your computer is running after those steps.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#11 Ballerina

Ballerina
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Gender:Female
  • Local time:10:10 PM

Posted 03 August 2011 - 04:59 PM

I'm so glad there is progress!

1. Answer to your request at beginning of your post: Most of my commonly used programs are pinned to the Start Menu, and I open them from there. But this afternoon, I wanted to open a different program and I discovered this problem. When I scrolled over the All Programs list that is accessible from the bottom of the Start Menu, I found that while my programs are all still listed, some of the folders they are in are shown as "empty." I searched for several programs, and they are still on the computer and can be opened from search results. About half of all the programs are shown as "empty." They seem to be hidden somehow, but not deleted.


2. Links to results from filescans: http://www.virustotal.com/file-scan/report.html?id=8c0f857cc3e48e04a48d9cee64dc83a8c1215ed42100034cc2fab63ab3167e88-1312403610
http://www.virustotal.com/file-scan/report.html?id=d87188fbaca942709abfd695b473caf0d5b0d4c393c2af3e3b8eb41d8f1f3d8e-1312404028

3. Content of ComboFix:

ComboFix 11-08-03.03 - august 08/03/2011 13:57:13.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.353 [GMT -7:00]
Running from: c:\documents and settings\august\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\august\Desktop\CFScript.txt
AV: Protection Control Center *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Protection Control Center *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB15773$
.
.
((((((((((((((((((((((((( Files Created from 2011-07-03 to 2011-08-03 )))))))))))))))))))))))))))))))
.
.
2011-07-30 00:18 . 2011-07-30 00:18 -------- d-----w- c:\documents and settings\august\Application Data\ElevatedDiagnostics
2011-07-29 04:40 . 2011-07-29 04:40 -------- d-----w- c:\documents and settings\august\Local Settings\Application Data\Solid State Networks
2011-07-29 04:34 . 2011-07-29 04:34 -------- d-----w- c:\program files\Common Files\Java
2011-07-29 04:33 . 2011-07-29 04:33 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-16 17:40 . 2011-07-16 17:40 -------- d-----w- c:\program files\Microsoft Silverlight
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-03 18:42 . 2010-06-04 19:12 44544 ----a-w- c:\windows\system32\drivers\fips.sys
2011-07-29 04:33 . 2010-05-02 21:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-06 21:39 . 2011-06-18 12:56 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-03_15.30.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-03 19:28 . 2011-08-03 19:28 16384 c:\windows\Temp\Perflib_Perfdata_98.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2007-06-14 323584]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"PinnacleDriverCheck"="c:\windows\System32\PSDrvCheck.exe" [2004-03-11 406016]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-04 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-04 13670504]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2002-08-29 44032]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HPHUPD05"="c:\program files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-08 49152]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2005-07-08 491520]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2009-11-20 583016]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\august\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-11 110592]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-29 02:34 87352 ----a-w- c:\windows\SYSTEM32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Return to Castle Wolfenstein\\WolfMP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"=
"c:\\Program Files\\Common Files\\Dell\\EUSW\\DSLog.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\WINDOWS\\SYSTEM32\\msfeedssync.exe"=
"c:\\Program Files\\TeleChart\\TeleChart.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\AnvSoft\\Any Video Converter\\VideoConverter.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Windows Media Player\\setup_wm.exe"=
"c:\\Documents and Settings\\august\\My Documents\\Downloads\\MicrosoftFixit.WinSecurity.Run.exe"=
"c:\\Program Files\\TurboTax\\Deluxe 2008\\32bit\\Turbotax.exe"=
"c:\\Documents and Settings\\august\\My Documents\\Downloads\\aswMBR.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [1/26/2005 11:47 AM 65604]
S2 gupdate1ca09ca969da2fc;Google Update Service (gupdate1ca09ca969da2fc);c:\program files\Google\Update\GoogleUpdate.exe [7/20/2009 11:15 PM 133104]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S2 mrtRate;mrtRate; [x]
S2 PINNMB;MovieBox USB_B;c:\windows\SYSTEM32\DRIVERS\pinnmb.sys [11/28/2004 3:54 PM 31923]
S2 WindowsGame;Windows_Down;c:\windows\system32\Game.exe --> c:\windows\system32\Game.exe [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\SYSTEM32\DRIVERS\BW2NDIS5.SYS [11/1/2004 2:16 PM 17536]
S3 EarthLinkSafeConnectFilter;EarthLinkSafeConnectFilter;\??\c:\program files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectFilter.sys --> c:\program files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectFilter.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/20/2009 11:15 PM 133104]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
2011-08-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 06:14]
.
2011-08-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 06:14]
.
2011-08-03 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2008-07-29 04:55]
.
2011-08-03 c:\windows\Tasks\User_Feed_Synchronization-{B865B05B-D27E-44CB-BB53-551AF3161739}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.altavista.com/web/iepane?itag=ody&hl=off&fr=ieas&q={searchTerms}
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: EarthLink Google Search - c:\program files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
Trusted Zone: ameritrade.com
Trusted Zone: ameritrade.com\wwws
Trusted Zone: tdameritrade.com
Trusted Zone: tdameritrade.com\www
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\august\Application Data\Mozilla\Firefox\Profiles\ojl5k5yz.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.yahoo.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: CacheViewer: {71328583-3CA7-4809-B4BA-570A85818FBB} - %profile%\extensions\{71328583-3CA7-4809-B4BA-570A85818FBB}
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-06495490.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-03 14:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???????X:??????x???`???X??? ???????`???P???? ?w? ?w)??p????????(???}????U?w????????????0??????w, ?w?M?wW??w???w)??p????????x'@?????????X????????"@?e?????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(684)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(3240)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2011-08-03 14:11:28
ComboFix-quarantined-files.txt 2011-08-03 21:11
ComboFix2.txt 2011-08-03 18:27
ComboFix3.txt 2011-08-03 15:37
.
Pre-Run: 14,439,247,872 bytes free
Post-Run: 14,507,728,896 bytes free
.
- - End Of File - - 52E26A2F3830161D6A7B2898FCC46D96



4. Contents of MBAM log:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7367

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/3/2011 2:28:13 PM
mbam-log-2011-08-03 (14-28-13).txt

Scan type: Quick scan
Objects scanned: 189087
Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


5. How computer is running: It's still fast, and the fresh new version of Malwarebytes I downloaded just now has worked. Hurray! That's the first time one of the anti-malware programs has successfully opened and completed a scan since the day of the infection (Wednesday July 27). Otherwise, the computer is unchanged from my last post.

#12 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:10 AM

Posted 03 August 2011 - 05:31 PM

There is still work to do here.

Those files we scanned at VirusTotal are patched legit files that we need to find replacements for.
If that's not possible you might need to reinstall the software related to them (HP Image Zone and the Nvidia display driver).

Let's see if we can find replacements for them first.



Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    HPZipm12.*
    nvsvc32.*
    Game.*
    RaInfo.*
    :dir
    C:\Program Files\
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


It's late here (past midnight). I'll review the results and get back to you tomorrow.



#13 Ballerina

Ballerina
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Gender:Female
  • Local time:10:10 PM

Posted 03 August 2011 - 05:42 PM

Thank you for all the trouble you are going to on my behalf. I truly appreciate it. Sleep well! :)

SystemLook 30.07.11 by jpshortstuff
Log created at 15:37 on 03/08/2011 by august
Administrator - Elevation successful

========== filefind ==========

Searching for "HPZipm12.*"
C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\drivers\dot4\win2000\hpzipm12.exe -ra---- 65795 bytes [05:54 18/05/2005] [05:45 14/05/2003] 5C1CADD1CB67C0B9D8A84EC6E4D6B5CC
C:\WINDOWS\Prefetch\HPZIPM12.EXE-02312CF9.pf --a---- 12204 bytes [17:38 07/06/2010] [18:23 03/08/2011] F4948EF0BE73230DA16BD6124DA40151
C:\WINDOWS\SYSTEM32\HPZipm12.exe --a---- 65536 bytes [05:52 18/05/2005] [23:55 18/03/2004] 61317C7333F3EC4E4AF26E9116DBA3AA

Searching for "nvsvc32.*"
C:\NVIDIA\Win2k\178.24\English\nvsvc32.ex_ --a---- 89576 bytes [21:33 07/10/2008] [21:33 07/10/2008] D14497C962CA44A13A7E1F9C9C892C66
C:\NVIDIA\Win2KXP\162.18\nvsvc32.ex_ --a---- 85649 bytes [07:43 29/06/2007] [07:43 29/06/2007] 6A053B3DCF281804EC89BEC56982A0A1
C:\NVIDIA\Win2KXP\81.95\nvsvc32.ex_ --a---- 77313 bytes [20:47 11/11/2005] [20:47 11/11/2005] 82795E6F91395ACAAE98356632043E51
C:\WINDOWS\SYSTEM32\nvsvc32.exe --a---- 154216 bytes [02:23 04/04/2010] [02:23 04/04/2010] 43631B16CD10147E15605314A7CA56C4
C:\WINDOWS\SYSTEM32\ReinstallBackups\0005\DriverFiles\nvsvc32.exe --a---- 163908 bytes [16:50 06/06/2010] [21:33 07/10/2008] 42321AC5448078131903B272E6C49024

Searching for "Game.*"
No files found.

Searching for "RaInfo.*"
No files found.

========== dir ==========

C:\Program Files - Parameters: "(none)"

---Files---
profiler.txt --a---- 2830 bytes [03:45 10/01/2008] [03:57 10/01/2008]

---Folders---
7-Zip d------ [16:58 03/05/2011]
Adobe d------ [18:56 07/12/2003]
Ahead d------ [21:50 31/12/2005]
Akamai d------ [03:31 13/01/2008]
Amazon d------ [05:57 14/02/2008]
AnvSoft d------ [20:16 31/01/2010]
Apple Software Update d------ [03:40 20/02/2011]
ArcSoft d------ [04:15 08/04/2008]
Britannica d------ [20:23 16/04/2003]
Canon d------ [04:09 08/04/2008]
CanonBJ d------ [04:13 08/04/2008]
Carambis d------ [05:53 12/11/2009]
CCleaner d------ [04:37 08/06/2010]
City Interactive d------ [07:00 12/01/2008]
Common Files d------ [19:52 16/04/2003]
ComPlus Applications d------ [19:52 16/04/2003]
Compton's NewMedia d------ [06:46 05/10/2003]
DeductionPro 2008 d------ [23:11 11/04/2009]
Dell d------ [20:15 16/04/2003]
Dell Computer d------ [20:22 16/04/2003]
DellConnect d------ [20:33 22/07/2007]
Digital Line Detect d------ [20:20 16/04/2003]
directx d------ [06:21 10/03/2004]
Doom 3 d------ [05:12 17/08/2004]
Doom II for Windows 95 d------ [22:25 09/10/2005]
EarthLink d------ [06:47 11/06/2007]
EarthLink 5.0 d------ [06:38 24/04/2003]
EarthLink TotalAccess d------ [03:07 30/04/2003]
eGames d------ [02:19 02/11/2004]
Executive Software d------ [18:40 23/04/2003]
FreeRIP3 d------ [04:45 13/11/2009]
Google d------ [06:12 21/07/2009]
Groove Games d------ [06:19 10/03/2004]
Hewlett-Packard d------ [05:53 18/05/2005]
HP d------ [05:57 18/05/2005]
InstallShield Installation Information d------ [20:19 16/04/2003]
instant messenger d------ [06:46 24/04/2003]
InterActual d------ [05:34 23/07/2006]
Internet Explorer d------ [19:52 16/04/2003]
Intuit d------ [01:33 23/01/2004]
ItsDeductible2005 d------ [23:02 05/01/2006]
ItsDeductibleEX d------ [00:29 04/02/2005]
Jasc Software Inc d------ [20:22 16/04/2003]
Java d------ [02:57 04/01/2006]
KellySoftware d------ [15:29 24/06/2010]
LogMeIn d------ [01:23 04/06/2010]
Malwarebytes' Anti-Malware d------ [21:22 03/08/2011]
McAfee.com d------ [20:28 16/04/2003]
Messenger d------ [19:52 16/04/2003]
MFInstall d------ [22:18 18/01/2011]
Microsoft Agent d------ [17:29 31/12/2003]
microsoft frontpage d------ [19:52 16/04/2003]
Microsoft Office d------ [18:51 23/04/2003]
Microsoft Reference d------ [06:54 05/10/2003]
Microsoft Silverlight d------ [17:40 16/07/2011]
Microsoft WSE d------ [08:50 28/07/2007]
Microsoft(2).NET d------ [20:46 29/07/2007]
Modem Helper d------ [20:20 16/04/2003]
Moraff's Maximum MahJongg, Volume 3 d------ [02:42 03/11/2004]
Movie Maker d------ [19:52 16/04/2003]
Mozilla Firefox d------ [22:13 01/06/2008]
MSBuild d------ [07:49 05/06/2010]
MSN d------ [19:52 16/04/2003]
MSN Gaming Zone d------ [19:52 16/04/2003]
MSXML 4.0 d------ [07:36 28/11/2006]
MSXML 6.0 d------ [00:15 12/06/2009]
MUSICMATCH d------ [20:28 16/04/2003]
National Instruments d------ [00:57 15/04/2008]
NetMeeting d------ [19:52 16/04/2003]
NewSoft d------ [04:19 08/04/2008]
nicheMANDELBROTSaver d------ [19:55 11/05/2009]
Norton AntiVirus d------ [18:43 23/04/2003]
NovaStor d------ [07:08 28/11/2004]
NVIDIA Corporation d------ [17:08 18/01/2006]
Online Services d------ [19:52 16/04/2003]
Outlook Express d------ [19:52 16/04/2003]
Overland d------ [18:55 06/06/2008]
Parsons Technology d------ [02:40 08/07/2006]
Pinnacle d------ [04:10 21/11/2004]
PIXELA d------ [04:08 21/01/2004]
QUICKENW d------ [20:22 16/04/2003]
QuickTime d------ [03:43 20/02/2011]
Real d------ [20:29 16/04/2003]
Reference Assemblies d------ [07:49 05/06/2010]
Return to Castle Wolfenstein d------ [07:06 26/04/2003]
Return to Castle Wolfenstein - Platinum Edition d------ [17:10 31/10/2003]
Safer Networking d------ [03:32 18/05/2011]
SBITPlugin d------ [14:16 30/12/2004]
ScanSoft d------ [04:17 08/04/2008]
Snapshot Viewer d------ [19:00 23/04/2003]
Sony d------ [00:14 12/06/2009]
Spybot - Search & Destroy d------ [01:40 04/06/2010]
SUPERAntiSpyware d------ [22:09 25/07/2008]
TaxCut Business 2008 d------ [23:09 11/04/2009]
TaxCut08 d------ [20:14 11/04/2009]
TC2000 d------ [06:00 26/04/2003]
TeleChart d------ [21:58 30/03/2005]
Trend Micro d------ [03:02 09/02/2011]
TurboTax d------ [01:32 23/01/2004]
TurnTool d------ [06:22 14/08/2007]
Uninstall Information d------ [19:52 16/04/2003]
Viewpoint d------ [20:29 16/04/2003]
Virtual Engine 2000 d------ [01:27 03/06/2011]
Webroot d------ [07:09 31/12/2003]
Western Digital Technologies d------ [23:02 08/01/2008]
Windows Media Components d------ [07:03 28/11/2004]
Windows Media Connect 2 d------ [00:33 16/06/2007]
Windows Media Player d------ [19:52 16/04/2003]
Windows NT d------ [19:52 16/04/2003]
WindowsUpdate d------ [19:52 16/04/2003]
Wolfenstein - Enemy Territory d------ [16:53 31/10/2003]
XEROX d------ [19:52 16/04/2003]
Yahoo! d------ [23:35 26/07/2007]

-= EOF =-
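The filefind results above list several copies of each flagged file, each with its own size and MD5, which is exactly the information needed to decide whether any of them can stand in for the patched copy in SYSTEM32. The following is an added example, not SystemLook's own code and not something from this thread's helpers: it parses that `:filefind` output and, for a flagged path, lists the other copies that could serve as replacements. The log lines are copied from the SystemLook post above; the line-format regex, the `Candidate` rules (drop prefetch traces, drop copies with the same hash as the flagged file, mark `.ex_` copies as compressed) and all function names are this example's own assumptions.

```python
"""Sort replacement candidates out of a SystemLook ':filefind' log.

Added example for this thread; not SystemLook's own code.  The log text
below is copied from the SystemLook output posted above.  The regex, the
candidate rules and every name here are assumptions of this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Result lines copied from the posted log: the two files avast! reported
# as Win32:Patched-WQ plus the other copies filefind located.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "HPZipm12.*"
C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\drivers\dot4\win2000\hpzipm12.exe -ra---- 65795 bytes [05:54 18/05/2005] [05:45 14/05/2003] 5C1CADD1CB67C0B9D8A84EC6E4D6B5CC
C:\WINDOWS\Prefetch\HPZIPM12.EXE-02312CF9.pf --a---- 12204 bytes [17:38 07/06/2010] [18:23 03/08/2011] F4948EF0BE73230DA16BD6124DA40151
C:\WINDOWS\SYSTEM32\HPZipm12.exe --a---- 65536 bytes [05:52 18/05/2005] [23:55 18/03/2004] 61317C7333F3EC4E4AF26E9116DBA3AA

Searching for "nvsvc32.*"
C:\NVIDIA\Win2k\178.24\English\nvsvc32.ex_ --a---- 89576 bytes [21:33 07/10/2008] [21:33 07/10/2008] D14497C962CA44A13A7E1F9C9C892C66
C:\NVIDIA\Win2KXP\162.18\nvsvc32.ex_ --a---- 85649 bytes [07:43 29/06/2007] [07:43 29/06/2007] 6A053B3DCF281804EC89BEC56982A0A1
C:\NVIDIA\Win2KXP\81.95\nvsvc32.ex_ --a---- 77313 bytes [20:47 11/11/2005] [20:47 11/11/2005] 82795E6F91395ACAAE98356632043E51
C:\WINDOWS\SYSTEM32\nvsvc32.exe --a---- 154216 bytes [02:23 04/04/2010] [02:23 04/04/2010] 43631B16CD10147E15605314A7CA56C4
C:\WINDOWS\SYSTEM32\ReinstallBackups\0005\DriverFiles\nvsvc32.exe --a---- 163908 bytes [16:50 06/06/2010] [21:33 07/10/2008] 42321AC5448078131903B272E6C49024

Searching for "Game.*"
No files found.
"""

# One filefind result line: path, attribute flags, size, created, modified, MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<pattern>[^"]+)"$')


@dataclass(frozen=True)
class FileEntry:
    path: str
    attrs: str
    size: int
    created: str
    modified: str
    md5: str

    @property
    def stem(self) -> str:
        return PureWindowsPath(self.path).stem.lower()

    @property
    def suffix(self) -> str:
        return PureWindowsPath(self.path).suffix.lower()


def parse_filefind(log_text: str) -> dict[str, list[FileEntry]]:
    """Group result lines under the 'Searching for "..."' header they follow."""
    results: dict[str, list[FileEntry]] = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SEARCH_RE.match(line)
        if header:
            current = header.group("pattern")
            results[current] = []
            continue
        m = LINE_RE.match(line)
        if m and current is not None:   # 'No files found.' and banners are skipped
            results[current].append(FileEntry(
                m.group("path"), m.group("attrs"), int(m.group("size")),
                m.group("created"), m.group("modified"), m.group("md5").upper()))
    return results


@dataclass(frozen=True)
class Candidate:
    entry: FileEntry
    same_size: bool     # same size but different hash: typical of in-place patching
    needs_expand: bool  # .ex_ is a compressed driver-package copy; expand before hashing


def replacement_candidates(entries: list[FileEntry], flagged_path: str) -> list[Candidate]:
    """Other copies of the flagged binary that are worth checking as replacements.

    Prefetch traces (.pf) are not copies of the binary, and a copy with the
    same MD5 as the flagged file is just as suspect, so both are dropped.
    A different size means a different driver version, not proof of patching;
    the caller still has to verify the candidate against a known-good source.
    """
    flagged = next((e for e in entries if e.path.lower() == flagged_path.lower()), None)
    if flagged is None:
        raise ValueError(f"{flagged_path} is not in this filefind group")
    out: list[Candidate] = []
    for e in entries:
        if e.path == flagged.path or e.stem != flagged.stem or e.suffix == ".pf":
            continue
        if e.md5 == flagged.md5:
            continue
        out.append(Candidate(e, e.size == flagged.size, e.suffix.endswith("_")))
    return out


if __name__ == "__main__":
    found = parse_filefind(SAMPLE_LOG)
    for flagged in (r"C:\WINDOWS\SYSTEM32\HPZipm12.exe", r"C:\WINDOWS\SYSTEM32\nvsvc32.exe"):
        group = next(g for g in found.values()
                     if any(e.path.lower() == flagged.lower() for e in g))
        for c in replacement_candidates(group, flagged):
            tag = "same size, different hash" if c.same_size else "different version"
            extra = " [compressed, expand first]" if c.needs_expand else ""
            print(f"{flagged}: {c.entry.path} ({c.entry.size} bytes, {c.entry.md5}) - {tag}{extra}")
```

On this log neither flagged file has a same-size sibling: the HP driver-folder copy and the ReinstallBackups copy are both different versions, so a hash mismatch alone says nothing about which one is clean. That is why the helper asks for the VirusTotal results and the SRPeek/OTL details before swapping anything: a candidate is only a replacement once its hash matches a vendor package or a known-good copy from an identical installation.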

#14 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:10 AM

Posted 04 August 2011 - 03:11 AM

We need to find the correct replacement for those files. For that we need to collect some more information.
We'll also do a scan with an online scanner. Do NOT let it remove anything!

Step 1.
CFScript:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

KillAll::
SRPeek::
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\HPZipm12.exe

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2.
Systemlook:


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :file
    C:\WINDOWS\SYSTEM32\nvsvc32.exe
    C:\WINDOWS\SYSTEM32\ReinstallBackups\0005\DriverFiles\nvsvc32.exe
    C:\WINDOWS\SYSTEM32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\drivers\dot4\win2000\hpzipm12.exe
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Step 3.
OTL-scan:


  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Standard Output.
  • Underneath the option Extra Registry change it to Use SafeList.
  • Underneath the option File Scans set the File Age to 30 Days
  • Underneath the option File Scans check the boxes beside Use Company Name WhiteList, Skip Microsoft Files, Use No-Company Name WhiteList, LOP Check, Purity Check.
  • Under the Custom Scan box paste this in

    netsvcs
    drivers32
    dir "C:\Program Files" /A:H /S /C

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. In case OTL.txt won't fit into one post you can attach the file instead.


Step 4.
ESET Online Scanner:

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked <<<--- IMPORTANT
  • When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

Step 5.
Things I would like to see in your reply:

  • The content of C:\ComboFix.txt from step 1.
  • The content of SystemLook.txt from step 2.
  • The content of Extras.txt from OTL in step 3.
  • The content of OTL.txt from OTL in step 3. (pasted or attached)
  • The content of the report from ESET Online Scanner in step 4.

Edited by heir, 04 August 2011 - 04:30 AM.
typo



#15 Ballerina

Ballerina
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Gender:Female
  • Local time:10:10 PM

Posted 04 August 2011 - 02:31 PM

All scans worked well. Here are the results.


1. Content of C:\ComboFix.txt

ComboFix 11-08-04.01 - august 08/04/2011 9:21.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.464 [GMT -7:00]
Running from: c:\documents and settings\august\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\august\Desktop\CFScript.txt
AV: Protection Control Center *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Protection Control Center *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
((((((((((((((((((((((((( Files Created from 2011-07-04 to 2011-08-04 )))))))))))))))))))))))))))))))
.
.
2011-08-03 21:22 . 2011-08-03 21:22 -------- d-----w- c:\documents and settings\august\Application Data\Malwarebytes
2011-08-03 21:22 . 2011-08-03 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-03 21:22 . 2011-07-07 02:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-03 21:22 . 2011-07-07 02:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-03 21:22 . 2011-08-03 21:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-30 00:18 . 2011-07-30 00:18 -------- d-----w- c:\documents and settings\august\Application Data\ElevatedDiagnostics
2011-07-29 04:40 . 2011-07-29 04:40 -------- d-----w- c:\documents and settings\august\Local Settings\Application Data\Solid State Networks
2011-07-29 04:34 . 2011-07-29 04:34 -------- d-----w- c:\program files\Common Files\Java
2011-07-29 04:33 . 2011-07-29 04:33 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-16 17:40 . 2011-07-16 17:40 -------- d-----w- c:\program files\Microsoft Silverlight
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-03 18:42 . 2010-06-04 19:12 44544 ----a-w- c:\windows\system32\drivers\fips.sys
2011-07-29 04:33 . 2010-05-02 21:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-06 21:39 . 2011-06-18 12:56 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
((((((((((((((((((((((((((((( SnapShot@2011-08-03_15.30.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-04 16:33 . 2011-08-04 16:34 16384 c:\windows\temp\Perflib_Perfdata_5ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2007-06-14 323584]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"PinnacleDriverCheck"="c:\windows\System32\PSDrvCheck.exe" [2004-03-11 406016]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-04 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-04 13670504]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2002-08-29 44032]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HPHUPD05"="c:\program files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-08 49152]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2005-07-08 491520]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2009-11-20 583016]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\august\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-11 110592]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-29 02:34 87352 ----a-w- c:\windows\SYSTEM32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Return to Castle Wolfenstein\\WolfMP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"=
"c:\\Program Files\\Common Files\\Dell\\EUSW\\DSLog.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\WINDOWS\\SYSTEM32\\msfeedssync.exe"=
"c:\\Program Files\\TeleChart\\TeleChart.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\AnvSoft\\Any Video Converter\\VideoConverter.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Windows Media Player\\setup_wm.exe"=
"c:\\Documents and Settings\\august\\My Documents\\Downloads\\MicrosoftFixit.WinSecurity.Run.exe"=
"c:\\Program Files\\TurboTax\\Deluxe 2008\\32bit\\Turbotax.exe"=
"c:\\Documents and Settings\\august\\My Documents\\Downloads\\aswMBR.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [1/26/2005 11:47 AM 65604]
S2 gupdate1ca09ca969da2fc;Google Update Service (gupdate1ca09ca969da2fc);c:\program files\Google\Update\GoogleUpdate.exe [7/20/2009 11:15 PM 133104]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S2 mrtRate;mrtRate; [x]
S2 PINNMB;MovieBox USB_B;c:\windows\SYSTEM32\DRIVERS\pinnmb.sys [11/28/2004 3:54 PM 31923]
S2 WindowsGame;Windows_Down;c:\windows\system32\Game.exe --> c:\windows\system32\Game.exe [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\SYSTEM32\DRIVERS\BW2NDIS5.SYS [11/1/2004 2:16 PM 17536]
S3 EarthLinkSafeConnectFilter;EarthLinkSafeConnectFilter;\??\c:\program files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectFilter.sys --> c:\program files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectFilter.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/20/2009 11:15 PM 133104]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
2011-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 06:14]
.
2011-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 06:14]
.
2011-08-04 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2008-07-29 04:55]
.
2011-08-04 c:\windows\Tasks\User_Feed_Synchronization-{B865B05B-D27E-44CB-BB53-551AF3161739}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.altavista.com/web/iepane?itag=ody&hl=off&fr=ieas&q={searchTerms}
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: EarthLink Google Search - c:\program files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
Trusted Zone: ameritrade.com
Trusted Zone: ameritrade.com\wwws
Trusted Zone: tdameritrade.com
Trusted Zone: tdameritrade.com\www
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\august\Application Data\Mozilla\Firefox\Profiles\ojl5k5yz.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.yahoo.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: CacheViewer: {71328583-3CA7-4809-B4BA-570A85818FBB} - %profile%\extensions\{71328583-3CA7-4809-B4BA-570A85818FBB}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-04 09:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???????X:??????x???`???X??? ???????`???P???? ?w? ?w)??p????????(???}????U?w????????????0??????w, ?w?M?wW??w???w)??p????????x'@?????????X????????"@?e?????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(688)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(3412)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Executive Software\DiskeeperWorkstation\DKService.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\windows\BCMSMMSG.exe
c:\windows\system32\wdfmgr.exe
c:\windows\System32\wbem\wmiapsrv.exe
c:\windows\system32\ssmypics.scr
.
**************************************************************************
.
Completion time: 2011-08-04 09:40:00 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-04 16:39
ComboFix2.txt 2011-08-03 21:11
ComboFix3.txt 2011-08-03 18:27
ComboFix4.txt 2011-08-03 15:37
.
Pre-Run: 14,482,448,384 bytes free
Post-Run: 14,464,348,160 bytes free
.
- - End Of File - - 83641E7264E474D65BEFE99866F3A633





2. Content of SystemLook.txt

SystemLook 30.07.11 by jpshortstuff
Log created at 09:45 on 04/08/2011 by august
Administrator - Elevation successful

========== file ==========

C:\WINDOWS\SYSTEM32\nvsvc32.exe - File found and opened.
MD5: 43631B16CD10147E15605314A7CA56C4
Created at 02:23 on 04/04/2010
Modified at 02:23 on 04/04/2010
Size: 154216 bytes
Attributes: --a----
FileDescription: NVIDIA Driver Helper Service, Version 197.45
FileVersion: 4.00.1381.9745
ProductVersion: 4.00.1381.9745
OriginalFilename: nvsvc32.exe
InternalName: NVSVC
ProductName: NVIDIA Driver Helper Service, Version 197.45
CompanyName: NVIDIA Corporation
LegalCopyright: © NVIDIA Corporation. All rights reserved.

C:\WINDOWS\SYSTEM32\ReinstallBackups\0005\DriverFiles\nvsvc32.exe - File found and opened.
MD5: 42321AC5448078131903B272E6C49024
Created at 16:50 on 06/06/2010
Modified at 21:33 on 07/10/2008
Size: 163908 bytes
Attributes: --a----
FileDescription: NVIDIA Driver Helper Service, Version 178.24
FileVersion: 6.14.11.7824
ProductVersion: 6.14.11.7824
OriginalFilename: nvsvc32.exe
InternalName: NVSVC
ProductName: NVIDIA Driver Helper Service, Version 178.24
CompanyName: NVIDIA Corporation
LegalCopyright: © NVIDIA Corporation. All rights reserved.

C:\WINDOWS\SYSTEM32\HPZipm12.exe - File found and opened.
MD5: 61317C7333F3EC4E4AF26E9116DBA3AA
Created at 05:52 on 18/05/2005
Modified at 23:55 on 18/03/2004
Size: 65536 bytes
Attributes: --a----
FileDescription: PML Driver
FileVersion: 8, 0, 0, 0
ProductVersion: 8, 0, 0, 0
OriginalFilename: PmlDrv.exe
InternalName: PmlDrv
ProductName: HP PML
CompanyName: HP
LegalCopyright: Copyright 1998, 1999 Hewlett-Packard Company
Comments:

C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\drivers\dot4\win2000\hpzipm12.exe - File found and opened.
MD5: 5C1CADD1CB67C0B9D8A84EC6E4D6B5CC
Created at 05:54 on 18/05/2005
Modified at 05:45 on 14/05/2003
Size: 65795 bytes
Attributes: -ra----
FileDescription: PML Driver
FileVersion: 7, 0, 0, 0
ProductVersion: 7, 0, 0, 0
OriginalFilename: PmlDrv.exe
InternalName: PmlDrv
ProductName: HP PML
CompanyName: HP
LegalCopyright: Copyright 1998, 1999 Hewlett-Packard Company
Comments:

-= EOF =-





3. Content of Extras.txt

OTL Extras logfile created on: 8/4/2011 9:57:21 AM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\august\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

766.48 Mb Total Physical Memory | 469.79 Mb Available Physical Memory | 61.29% Memory free
4.61 Gb Paging File | 4.39 Gb Available in Paging File | 95.25% Paging File free
Paging file location(s): c:\pagefile.sys 3999 4068 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.84 Gb Total Space | 13.51 Gb Free Space | 24.18% Space Free | Partition Type: NTFS
Drive F: | 177.01 Gb Total Space | 130.56 Gb Free Space | 73.76% Space Free | Partition Type: NTFS

Computer Name: WALLABY | User Name: august | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"FirstRunDisabled" = 1
"ANTIVIRUSDISABLENOTIFY" = 0
"FIREWALLDISABLENOTIFY" = 0
"UPDATESDISABLENOTIFY" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"8097:TCP" = 8097:TCP:*:Enabled:EarthLink UHP Modem Support

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" = C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:TaskPanl -- (EarthLink, Inc.)
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Disabled:RealPlayer -- (RealNetworks, Inc.)
"C:\Program Files\Return to Castle Wolfenstein\WolfMP.exe" = C:\Program Files\Return to Castle Wolfenstein\WolfMP.exe:*:Disabled:WolfMP -- ()
"C:\WINDOWS\SYSTEM32\fxsclnt.exe" = C:\WINDOWS\SYSTEM32\fxsclnt.exe:*:Disabled:Microsoft Fax Console -- (Microsoft Corporation)
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\Program Files\TurboTax\Basic 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Basic 2007\32bit\ttax.exe:LocalSubNet:Disabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Basic 2006\32bit\ttax.exe" = C:\Program Files\TurboTax\Basic 2006\32bit\ttax.exe:LocalSubNet:Disabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Basic 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Basic 2007\32bit\updatemgr.exe:LocalSubNet:Disabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Basic 2006\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Basic 2006\32bit\updatemgr.exe:LocalSubNet:Disabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\Common Files\Dell\EUSW\Support.exe" = C:\Program Files\Common Files\Dell\EUSW\Support.exe:*:Enabled:Support -- (Dell)
"C:\Program Files\Common Files\Dell\EUSW\DSLog.exe" = C:\Program Files\Common Files\Dell\EUSW\DSLog.exe:*:Enabled:DSLog -- (Dell)
"C:\WINDOWS\SYSTEM32\msfeedssync.exe" = C:\WINDOWS\SYSTEM32\msfeedssync.exe:*:Enabled:Microsoft Feeds Synchronization -- (Microsoft Corporation)
"C:\Program Files\TeleChart\TeleChart.exe" = C:\Program Files\TeleChart\TeleChart.exe:*:Enabled:TCNet -- (Worden Brothers Inc.)
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe" = C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe:*:Enabled:Adobe Reader -- (Adobe Systems Incorporated)
"C:\Program Files\AnvSoft\Any Video Converter\VideoConverter.exe" = C:\Program Files\AnvSoft\Any Video Converter\VideoConverter.exe:*:Enabled:Any Video Converter -- (Any-Video-Converter.com)
"C:\Documents and Settings\august\My Documents\Downloads\MicrosoftFixit.WinSecurity.Run.exe" = C:\Documents and Settings\august\My Documents\Downloads\MicrosoftFixit.WinSecurity.Run.exe:*:Disabled:Microsoft Fix it -- (Microsoft Corporation)
"C:\Program Files\TurboTax\Deluxe 2008\32bit\Turbotax.exe" = C:\Program Files\TurboTax\Deluxe 2008\32bit\Turbotax.exe:*:Enabled:TurboTax -- (Intuit)
"C:\Documents and Settings\august\My Documents\Downloads\aswMBR.exe" = C:\Documents and Settings\august\My Documents\Downloads\aswMBR.exe:*:Enabled:avast! Antirootkit -- (AVAST Software)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Professional
"{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Disc 2
"{025C3792-E9C6-432A-92C1-661F99D021CA}" = Ulead Photo Explorer 8.5 SE
"{0431E90A-E4AA-4B12-9863-7B2AF2432C18}" = CalMap Gen 7+ DEMO
"{07982F29-C7D6-423F-A100-C0FC67D0EC2F}" = EarthLink Wireless High Speed
"{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics
"{0F429FF7-8C47-40D7-AF6F-D8B090233D04}" = Image Data Converter SR
"{1047DCFF-70A3-4D75-9E23-28165F82E2CB}" = Custom Info
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ4805" = CanoScan 8800F
"{11F1920A-56A2-4642-B6E0-3B31A12C9288}" = Dell Solution Center
"{13FC7B28-A757-4E4B-A25B-9D0078518893}" = Virtual Engine Calculator Advanced
"{151C555A-A9E7-4A2E-B6D7-165D04A3C956}" = Dell Picture Studio - Dell Image Expert
"{16F0EE77-B2B1-4417-A8CC-07E06C78CCC4}" = Matrix-ks
"{180D45DA-5140-48D4-BDEA-8B9CE3A6D9A4}" = TurboTax 2008 WinBizTaxSupport
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{21177CCC-03F8-420C-8047-37894DE92548}" = DiskeeperWorkstation
"{25F9791C-B446-462D-BDC6-F95BCBB81851}" = EarthLink Spyware Blocker
"{26A24AE4-039D-4CA4-87B4-2F83216026FF}" = Java™ 6 Update 26
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{2F72E05E-2371-4C05-9091-B643A9456267}" = EarthLink Setup
"{3454F318-1008-46A9-A1F5-69C5F8AB3BCF}" = Deal Info
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{40939C6D-8F27-40B8-9CBC-72701624185D}" = Redistributed Files
"{412033BC-44CF-48D9-B813-4B835101F4D3}" = Adobe Illustrator 10
"{43FCA273-9534-40DB-B7C5-D7758875616A}" = Dell Support
"{45893FEB-30FD-4034-8661-3BA4238FE67A}" = Britannica Ready Reference
"{468190DA-FB4C-45BA-8E40-4B165FF1A939}" = BACS
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4AEBD86C-C82E-401A-9AA0-8B8AF7A5A3CA}" = TurboTax 2008 WinBizFedFormset
"{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}" = Banctec Service Agreement
"{501451DE-5808-4599-B544-8BD0915B6B24}_is1" = FreeRIP v3.2
"{50915408-4940-4C36-B4CC-0D9944FA4C59}" = EarthLink FastLane
"{5160574C-D8A9-4BF9-A01C-3518BAFC5492}" = EarthLink MSXML
"{517B8FB2-26EE-43B0-AE1B-07408860AA69}" = DigitImg
"{52D56C42-8C69-4882-A661-39695537C9CF}" = DellConnect
"{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}" = Photosmart 140,240,7200,7600,7700,7900 Series
"{54DD126C-E5F5-404C-B4B7-66DF7FD4F2FF}" = MSSoap
"{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8}" = Quicken 2004
"{56D4C8A0-6126-11DD-AD8B-0800200C9A66}" = TurboTax 2008 WinBizUserEducation
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5B30AA25-BF39-4BE4-8FEE-51938BAB214D}" = TurboTax 2008 wcaiper
"{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}" = Sony USB Driver
"{624D19C3-D55D-4368-BC10-9B53036D8358}" = HP Driver Diagnostics
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{64116298-93C5-401D-B06C-39D8E3338508}" = DAO
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{766273C1-A39B-47EB-ACE8-DEBDD8094BCC}" = overland
"{7797C70B-11EB-446A-9B1E-3D9039DB581F}" = TotalAccess Core Applications
"{77F9D52A-C8D7-4FE8-8510-19FC6CF75BC3}" = Access Drivers
"{7BBDFB3E-F8BE-4D52-98BA-B6087F8F1D58}" = PS7700
"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{83670AE5-73B8-49E0-933E-954987391587}" = EarthLink Update Manager
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{85309D89-7BE9-4094-BB17-24999C6118FC}" = ArcSoft PhotoStudio 5.5
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{8F899627-1EA1-484D-91EA-7B22C05358DB}" = TeleChart 2005
"{90D55A3F-1D99-4C94-A77E-46DC14F0BF08}" = Help and Support Customization
"{9C6C2BE2-C88D-469F-8649-ACAB2A5518B1}" = Deal Info
"{9E491AB7-4589-48CA-9CBB-874CB2788391}" = Studio 9
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser
"{A49003A7-ED5E-4C21-809C-FB45958FE4BE}" = NetObjects Fusion 8
"{A5181519-9F3D-4372-ABC6-C333C2F3A816}_is1" = RunAlyzer
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.0)
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B2F3DBD9-A9D2-4838-B45D-C917DAB32BC3}" = ScanSoft OmniPage SE 4
"{B376402D-58EA-45EA-BD50-DD924EB67A70}" = HP Memories Disc
"{B3FED300-806C-11E0-A0D0-B8AC6F97B88E}" = Google Earth
"{B43357AA-3A6D-4D94-B56E-43C44D09E548}" = Microsoft .NET Framework (English)
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{B67624DE-75CE-4FAD-9F29-5C115773CE61}" = Studio 9 Content CD/DVD
"{B6C2466E-D773-4EF5-9350-9D3D68F668BE}" = TurboTax 2008 WinBizProgramHelp
"{B700113B-24A8-4D4C-8484-0CC944F764C8}" = Google SketchUp 8
"{B8C2A83F-20B0-49D9-BA2B-6495DD8639ED}" = EarthLink Toolbar
"{C057F6D0-0E4C-4B18-B645-9D0804FCFAFD}" = EarthLink Common Authentication
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C7340571-7773-4A8C-9EBC-4E4243B38C76}" = Microsoft XML Parser
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCFFC1DA-7A65-4C1B-98DC-3F7861F50254}" = TurboTax 2008 wrapper
"{CD1CD48D-7B18-4254-B43D-AEAB704AB063}" = EarthLink MailBox
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CFADE4AF-C0CF-4A04-A776-741318F1658F}" = Content Transfer
"{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7
"{D777D80E-13AE-4E6C-BCB2-9AEE10D9DEF1}" = Driver Updater
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{DBDB8C5A-E0B9-4C10-A649-59D962E3A07F}" = EarthLink Webspace
"{DDA2B32F-EB16-4C96-A130-4E4A4C1E6B12}" = HP Software Update
"{DE2EBD6F-81B6-4E9A-B137-C11FD6790CFF}" = PSShortcutsP
"{E0343A4C-2FFD-4CCB-B0EB-5DE9F0E2A083}" = LS_HSI
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{EFE26D3B-2789-4068-A5BB-77E389FAEB98}" = PSUsage
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
"{F8D8A515-3D81-431D-BCBB-9EBA3CFE0987}" = TurboTax 2008 WinBizReleaseEngine
"{F91E1833-2D7C-4725-B98A-C779FEC41946}" = EarthLink MDAC
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.2
"Any Video Converter_is1" = Any Video Converter 3.2.3
"Atomic Clock 4.0 for Windows 95/NT" = Atomic Clock 4.0 for Windows 95/NT
"BCM V.92 56K Modem" = BCM V.92 56K Modem
"CanonSolutionMenu" = Canon Utilities Solution Menu
"CCleaner" = CCleaner
"Compton's Interactive Encyclopedia 1996" = Compton's Interactive Encyclopedia 1996
"Deutz Engine" = Deutz Engine
"Dyno2000 Version 3.10" = Dyno2000 Version 3.10
"EarthLink TotalAccess 2004" = EarthLink Software
"Encarta96" = Microsoft Encarta 96 Encyclopedia
"Family Origins 8.0" = Family Origins 8.0
"Free RAR Extract Frog" = Free RAR Extract Frog
"Hollywood FX" = Pinnacle Hollywood FX
"Hollywood FX 5.5 Additional Effects" = Hollywood FX 5.5 Additional Effects
"Hollywood FX Pack 26 - Extra FX" = Hollywood FX Pack 26 - Extra FX
"hp instant support" = hp instant support
"ie8" = Windows Internet Explorer 8
"InstallShield_{468190DA-FB4C-45BA-8E40-4B165FF1A939}" = Broadcom Advanced Control Suite
"InstallShield_{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8}" = Quicken 2004
"MACK MP7 Assembly Screen Saver" = MACK MP7 Assembly Screen Saver
"MAGIX Media Manager 2004 silver" = MAGIX Media Manager 2004 silver
"MAGIX Movie Edit Pro 10" = MAGIX Movie Edit Pro 10
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.1.1800
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework Full v1.0.3705 (1033)" = Microsoft .NET Framework (English) v1.0.3705
"Mozilla Firefox (3.6.18)" = Mozilla Firefox (3.6.18)
"MP Navigator EX 1.0" = Canon MP Navigator EX 1.0
"MUSICMATCH Jukebox" = MUSICMATCH Jukebox
"MWASPI" = MicroStaff WINASPI
"nicheMandelbrot Saver" = nicheMandelbrot Saver 1.0
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"RealPlayer 6.0" = RealPlayer Basic
"Return to Castle Wolfenstein" = Return to Castle Wolfenstein
"TeleChart" = TeleChart
"TeleChart 2000" = TeleChart 2000
"TruVoice" = Lernout & Hauspie TruVoice for Microsoft Agent
"TurboTax 2008" = TurboTax 2008
"TurboTax Basic 2003" = TurboTax Basic 2003
"TurboTax Basic 2005" = TurboTax Basic 2005
"TurboTax Basic 2006" = TurboTax Basic 2006
"TurboTax Basic 2007" = TurboTax Basic 2007
"TurboTax Business 2008" = TurboTax Business 2008
"TurboTax Deluxe 2004" = TurboTax Deluxe 2004
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Confidence Online" = Confidence Online Portal Edition for Ameritrade
"Facebook Plug-In" = Facebook Plug-In

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/3/2011 2:43:07 PM | Computer Name = WALLABY | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

Error - 8/3/2011 3:27:58 PM | Computer Name = WALLABY | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

Error - 8/3/2011 5:02:22 PM | Computer Name = WALLABY | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 8/3/2011 5:02:22 PM | Computer Name = WALLABY | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 8/3/2011 5:02:22 PM | Computer Name = WALLABY | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 8/4/2011 12:26:52 PM | Computer Name = WALLABY | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 8/4/2011 12:26:52 PM | Computer Name = WALLABY | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 8/4/2011 12:26:54 PM | Computer Name = WALLABY | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 8/4/2011 12:37:56 PM | Computer Name = WALLABY | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 8/4/2011 12:37:56 PM | Computer Name = WALLABY | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

[ System Events ]
Error - 8/4/2011 12:21:12 PM | Computer Name = WALLABY | Source = Service Control Manager | ID = 7034
Description = The Windows User Mode Driver Framework service terminated unexpectedly.
It has done this 1 time(s).

Error - 8/4/2011 12:21:12 PM | Computer Name = WALLABY | Source = Service Control Manager | ID = 7034
Description = The Application Layer Gateway Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 8/4/2011 12:21:12 PM | Computer Name = WALLABY | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 8/4/2011 12:21:12 PM | Computer Name = WALLABY | Source = Service Control Manager | ID = 7034
Description = The EarthLink Monitor Service service terminated unexpectedly. It
has done this 1 time(s).

Error - 8/4/2011 12:21:12 PM | Computer Name = WALLABY | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 8/4/2011 12:21:12 PM | Computer Name = WALLABY | Source = Service Control Manager | ID = 7034
Description = The Diskeeper service terminated unexpectedly. It has done this 1
time(s).

Error - 8/4/2011 12:21:12 PM | Computer Name = WALLABY | Source = Service Control Manager | ID = 7034
Description = The Intuit Update Service service terminated unexpectedly. It has
done this 1 time(s).

Error - 8/4/2011 12:34:04 PM | Computer Name = WALLABY | Source = Service Control Manager | ID = 7000
Description = The MovieBox USB_B service failed to start due to the following error:
%%1058

Error - 8/4/2011 12:34:04 PM | Computer Name = WALLABY | Source = Service Control Manager | ID = 7000
Description = The LogMeIn Kernel Information Provider service failed to start due
to the following error: %%3

Error - 8/4/2011 12:34:04 PM | Computer Name = WALLABY | Source = Service Control Manager | ID = 7000
Description = The mrtRate service failed to start due to the following error: %%2


< End of report >





4. Content of OTL.txt

OTL logfile created on: 8/4/2011 9:57:21 AM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\august\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

766.48 Mb Total Physical Memory | 469.79 Mb Available Physical Memory | 61.29% Memory free
4.61 Gb Paging File | 4.39 Gb Available in Paging File | 95.25% Paging File free
Paging file location(s): c:\pagefile.sys 3999 4068 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.84 Gb Total Space | 13.51 Gb Free Space | 24.18% Space Free | Partition Type: NTFS
Drive F: | 177.01 Gb Total Space | 130.56 Gb Free Space | 73.76% Space Free | Partition Type: NTFS

Computer Name: WALLABY | User Name: august | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/08/04 09:52:44 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\august\My Documents\Downloads\OTL.exe
PRC - [2009/11/19 18:15:46 | 000,583,016 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
PRC - [2008/10/10 05:45:26 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/06/14 10:25:22 | 000,323,584 | ---- | M] (Dell) -- C:\Program Files\Common Files\Dell\EUSW\Support.exe
PRC - [2007/02/04 12:02:14 | 000,079,400 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
PRC - [2005/01/26 11:47:42 | 000,065,604 | ---- | M] (Boingo Wireless, Inc.) -- C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
PRC - [2003/12/05 15:41:44 | 000,049,152 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
PRC - [2003/10/07 17:20:18 | 000,352,256 | ---- | M] ( ) -- C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
PRC - [2002/04/25 12:49:56 | 000,258,048 | ---- | M] (Executive Software International, Inc.) -- C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe


========== Modules (SafeList) ==========

MOD - [2011/08/04 09:52:44 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\august\My Documents\Downloads\OTL.exe
MOD - [2010/08/23 09:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2007/02/05 09:29:04 | 000,139,264 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE4\OpHookSE4.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (WindowsGame)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2008/10/10 05:45:26 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2005/01/26 11:47:42 | 000,065,604 | ---- | M] (Boingo Wireless, Inc.) [Auto | Running] -- C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe -- (EarthLinkMonitor)
SRV - [2004/03/18 16:55:48 | 000,065,536 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2002/04/25 12:49:56 | 000,258,048 | ---- | M] (Executive Software International, Inc.) [Auto | Running] -- C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe -- (Diskeeper)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2010/05/10 11:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 11:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/09/28 19:34:48 | 000,083,288 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2008/08/11 12:41:00 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2008/06/06 12:28:22 | 000,043,672 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2004/11/01 14:16:34 | 000,017,536 | R--- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\BW2NDIS5.SYS -- (BW2NDIS5)
DRV - [2004/08/03 22:29:49 | 000,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys -- (iAimFP4)
DRV - [2004/08/03 22:29:47 | 000,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys -- (iAimFP3)
DRV - [2004/08/03 22:29:45 | 000,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys -- (iAimTV4)
DRV - [2004/08/03 22:29:43 | 000,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys -- (iAimTV3)
DRV - [2004/08/03 22:29:42 | 000,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys -- (iAimTV1)
DRV - [2004/08/03 22:29:41 | 000,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys -- (iAimTV0)
DRV - [2004/08/03 22:29:37 | 000,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys -- (iAimFP0)
DRV - [2004/08/03 22:29:37 | 000,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys -- (iAimFP1)
DRV - [2004/08/03 22:29:37 | 000,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys -- (iAimFP2)
DRV - [2004/08/03 22:29:36 | 000,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys -- (i81x)
DRV - [2004/03/29 05:06:24 | 000,090,464 | ---- | M] (Pinnacle Systems GmbH) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MarvinBus.sys -- (MarvinBus)
DRV - [2003/11/21 19:47:00 | 000,031,923 | ---- | M] (Cirrus Logic Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\pinnmb.sys -- (PINNMB)
DRV - [2003/08/29 04:59:24 | 001,101,696 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\BCMSM.sys -- (BCMModem)
DRV - [2003/04/16 13:29:44 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2003/01/15 12:45:06 | 000,042,368 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2002/07/19 08:22:08 | 000,017,153 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)
DRV - [2002/03/19 11:29:16 | 000,014,165 | ---- | M] (Pinnacle Systems GmbH) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\Pclepci.sys -- (PCLEPCI)
DRV - [2001/08/17 10:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = AltaVista
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.altavista.com/web/iepane?itag=ody&hl=off&fr=ieas&q={searchTerms}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://search.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {71328583-3CA7-4809-B4BA-570A85818FBB}:0.6.3
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1: C:\Program Files\Yahoo!\Common\npyaxmpb.dll (Yahoo! Inc.)
FF - HKCU\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKCU\Software\MozillaPlugins\@facebook.com/FBPlugin,version=1.0.1: C:\Documents and Settings\august\Application Data\Facebook\npfbplugin_1_0_1.dll ( )
FF - HKCU\Software\MozillaPlugins\@facebook.com/FBPlugin,version=1.0.3: C:\Documents and Settings\august\Application Data\Facebook\npfbplugin_1_0_3.dll ( )

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.18\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/07/26 19:22:43 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.18\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/23 18:11:09 | 000,000,000 | ---D | M]

[2011/03/03 15:50:22 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\august\Application Data\Mozilla\Extensions
[2011/07/28 22:13:55 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\august\Application Data\Mozilla\Firefox\Profiles\ojl5k5yz.default\extensions
[2011/07/28 22:13:39 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\august\Application Data\Mozilla\Firefox\Profiles\ojl5k5yz.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/03/10 11:52:53 | 000,000,000 | ---D | M] (CacheViewer) -- C:\Documents and Settings\august\Application Data\Mozilla\Firefox\Profiles\ojl5k5yz.default\extensions\{71328583-3CA7-4809-B4BA-570A85818FBB}
[2011/07/28 22:13:55 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/02 14:39:42 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/08/02 14:48:19 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/11/03 08:39:05 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/07/28 21:33:53 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2011/07/28 21:33:35 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/07/28 21:33:34 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2005/12/05 22:31:00 | 000,114,688 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npmozax.dll
[2011/02/28 19:27:19 | 000,001,919 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing-zugo.xml

O1 HOSTS File: ([2011/08/04 09:33:45 | 000,000,027 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (ElnkPubBHO Class) - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPub.dll (EarthLink, Inc.)
O2 - BHO: (ElnkProtectionBHO Class) - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll (EarthLink, Inc.)
O2 - BHO: (ElnkLegacyUninstBHO Class) - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll (EarthLink, Inc.)
O3 - HKLM\..\Toolbar: (EarthLink Toolbar) - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll (EarthLink, Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (EarthLink Toolbar) - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll (EarthLink, Inc.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [ContentTransferWMDetector.exe] C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe (Sony Corporation)
O4 - HKLM..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe (Dell)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HPHmon05] C:\WINDOWS\SYSTEM32\hphmon05.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe ()
O4 - HKLM..\Run: [IMEKRMIG6.1] C:\WINDOWS\IME\IMKR6_1\imekrmig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [OpwareSE4] C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe ()
O4 - Startup: C:\Documents and Settings\august\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: DisableCAD = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System: DisableTaskMgr = 1
O8 - Extra context menu item: EarthLink Google Search - C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll (EarthLink, Inc.)
O15 - HKCU\..Trusted Domains: ameritrade.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: ameritrade.com ([wwws] https in Trusted sites)
O15 - HKCU\..Trusted Domains: tdameritrade.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: tdameritrade.com ([www] http in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop Components:0 () -
O24 - Desktop WallPaper: C:\Documents and Settings\august\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\august\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/03 11:36:02 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\SYSTEM32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\SYSTEM32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.I420 - C:\WINDOWS\System32\vdrcodec.dll (Pinnacle Systems)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.MJPG - C:\WINDOWS\System32\pvmjpg21.dll (Pegasus Imaging Corporation)
Drivers32: VIDC.PIM1 - C:\WINDOWS\System32\pclepim1.dll (Pinnacle Systems)
Drivers32: vidc.tscc - C:\WINDOWS\System32\tsccvid.dll (TechSmith Corporation)
Drivers32: wave - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2011/08/04 09:32:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/08/04 00:24:41 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\august\Recent
[2011/08/03 14:22:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\august\Application Data\Malwarebytes
[2011/08/03 14:22:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/08/03 14:22:29 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/08/03 14:22:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/08/03 14:22:25 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/08/03 14:22:24 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/08/03 10:46:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\august\My Documents\Logs of Malwarebytes
[2011/08/03 08:03:37 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/08/03 07:49:35 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/08/03 07:46:41 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/08/03 07:46:41 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/08/03 07:46:41 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/08/03 07:44:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/08/03 00:12:30 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/08/03 00:10:51 | 004,163,947 | R--- | C] (Swearware) -- C:\Documents and Settings\august\Desktop\ComboFix.exe
[2011/07/29 17:26:08 | 001,404,208 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\august\Desktop\TDSSKiller.exe
[2011/07/29 17:18:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\august\Application Data\ElevatedDiagnostics
[2011/07/29 17:16:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows PowerShell 1.0
[2011/07/29 17:16:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\windowspowershell
[2011/07/28 21:40:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\august\Local Settings\Application Data\Solid State Networks
[2011/07/28 21:34:25 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/07/16 10:40:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
[2011/07/16 10:40:52 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2011/07/10 20:38:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Earth
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[23 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/08/04 09:51:31 | 000,000,394 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{B865B05B-D27E-44CB-BB53-551AF3161739}.job
[2011/08/04 09:34:21 | 000,012,626 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2011/08/04 09:34:02 | 000,272,073 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2011/08/04 09:33:45 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts
[2011/08/04 09:33:43 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/08/04 09:33:34 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2011/08/04 09:13:35 | 004,163,947 | R--- | M] (Swearware) -- C:\Documents and Settings\august\Desktop\ComboFix.exe
[2011/08/04 09:12:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/08/04 06:03:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\HP Usg Daily.job
[2011/08/03 14:22:30 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/08/03 14:17:47 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/08/03 12:18:42 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\august\Desktop\MBR.dat
[2011/08/03 07:49:46 | 000,000,355 | RHS- | M] () -- C:\boot.ini
[2011/08/02 21:49:00 | 000,000,859 | ---- | M] () -- C:\WINDOWS\FOWin32.INI
[2011/08/01 21:54:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/07/31 16:48:23 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\august\defogger_reenable
[2011/07/30 18:22:19 | 000,568,328 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\OURFAMIP.DBF
[2011/07/30 18:19:52 | 000,827,423 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\OUR FAMILY TREE july 2011.ZIP
[2011/07/30 17:58:33 | 000,047,112 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\OURFAMIM.DBF
[2011/07/30 16:28:35 | 000,043,520 | ---- | M] () -- C:\Documents and Settings\august\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/07/29 17:26:08 | 001,404,208 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\august\Desktop\TDSSKiller.exe
[2011/07/28 23:01:07 | 002,031,950 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\OURFAMIP.FPT
[2011/07/28 23:00:25 | 000,200,704 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\OURFAMIP.CDX
[2011/07/28 21:47:47 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2011/07/27 20:27:09 | 000,013,058 | -HS- | M] () -- C:\Documents and Settings\august\Local Settings\Application Data\2837452202
[2011/07/27 20:27:09 | 000,013,058 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\2837452202
[2011/07/27 20:26:58 | 000,013,054 | -HS- | M] () -- C:\Documents and Settings\august\Local Settings\Application Data\y1bey2j6x1n8n3i061280ivc5rn3p1o6c4h5e147k467
[2011/07/27 20:26:58 | 000,013,054 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\1202346271
[2011/07/27 20:26:49 | 000,013,066 | -HS- | M] () -- C:\Documents and Settings\august\Local Settings\Application Data\1202346271
[2011/07/27 20:26:27 | 000,013,396 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\y1bey2j6x1n8n3i061280ivc5rn3p1o6c4h5e147k467
[2011/07/26 21:51:24 | 000,354,458 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\OURFAMIE.DBF
[2011/07/26 21:51:24 | 000,216,064 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\OURFAMIE.CDX
[2011/07/26 21:51:24 | 000,031,200 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\OURFAMIE.FPT
[2011/07/26 04:53:28 | 000,066,809 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\OURFAMIL.DBF
[2011/07/26 04:53:28 | 000,058,880 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\OURFAMIL.CDX
[2011/07/26 04:47:53 | 000,014,750 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\OURFAMII.FPT
[2011/07/26 04:47:53 | 000,007,482 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\OURFAMII.DBF
[2011/07/26 04:47:53 | 000,004,608 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\OURFAMII.CDX
[2011/07/26 04:40:18 | 000,040,837 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\OURFAMIK.DBF
[2011/07/26 04:40:18 | 000,027,136 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\OURFAMIK.CDX
[2011/07/26 04:39:17 | 000,029,184 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\OURFAMIM.CDX
[2011/07/26 04:39:17 | 000,019,212 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\OURFAMIC.DBF
[2011/07/26 04:39:17 | 000,010,240 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\OURFAMIC.CDX
[2011/07/23 17:24:37 | 000,014,000 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\OURFAMIC.FPT
[2011/07/23 17:17:10 | 000,043,850 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\OURFAMIS.FPT
[2011/07/23 17:17:10 | 000,007,533 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\OURFAMIS.DBF
[2011/07/23 16:50:36 | 000,020,992 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\OURFAMIS.CDX
[2011/07/23 00:50:59 | 000,012,564 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\OURFAMIT.DBF
[2011/07/23 00:50:59 | 000,008,192 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\OURFAMIT.CDX
[2011/07/22 14:52:33 | 001,935,676 | ---- | M] () -- C:\Documents and Settings\august\My Documents\2010-2011 property tax bill.pdf
[2011/07/22 12:30:45 | 000,505,120 | ---- | M] () -- C:\Documents and Settings\august\My Documents\Heirs of Henry Surber vs Barba.pdf
[2011/07/18 17:11:11 | 001,409,070 | ---- | M] () -- C:\Documents and Settings\august\My Documents\DC Airco 12V air conditioners.pdf
[2011/07/16 12:56:10 | 008,961,855 | ---- | M] () -- C:\Documents and Settings\august\My Documents\HepvoUSTechGuide.pdf
[2011/07/16 11:48:01 | 000,058,525 | ---- | M] () -- C:\Documents and Settings\august\My Documents\Jib Crane Drawing.pdf
[2011/07/14 10:12:46 | 000,000,695 | ---- | M] () -- C:\WINDOWS\nicheMANDELBROTsaver.ini
[2011/07/10 20:38:41 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2011/07/06 21:04:42 | 002,553,964 | ---- | M] () -- C:\Documents and Settings\august\My Documents\K4 Electrical Switch Catalog.pdf
[2011/07/06 19:52:42 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/07/06 19:52:42 | 000,022,712 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/07/05 14:07:43 | 000,095,028 | ---- | M] () -- C:\Documents and Settings\august\My Documents\AMTDcashprograms.pdf
[2011/07/05 14:05:27 | 000,229,189 | ---- | M] () -- C:\Documents and Settings\august\My Documents\AMTDhandbook.pdf
[2011/07/05 14:04:41 | 000,196,092 | ---- | M] () -- C:\Documents and Settings\august\My Documents\AMTD1938.pdf
[2011/07/05 14:03:23 | 000,203,861 | ---- | M] () -- C:\Documents and Settings\august\My Documents\AMTDagreement.pdf
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[23 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/08/03 14:22:30 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/08/03 07:49:46 | 000,000,239 | ---- | C] () -- C:\Boot.bak
[2011/08/03 07:49:39 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/08/03 07:46:41 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/08/03 07:46:41 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/08/03 07:46:41 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/08/03 07:46:41 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/08/03 07:46:41 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/08/01 18:57:27 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\august\Desktop\MBR.dat
[2011/07/31 16:48:23 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\august\defogger_reenable
[2011/07/28 21:47:47 | 000,002,315 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2011/07/28 21:47:47 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2011/07/27 19:36:31 | 000,013,066 | -HS- | C] () -- C:\Documents and Settings\august\Local Settings\Application Data\1202346271
[2011/07/27 19:36:30 | 000,013,058 | -HS- | C] () -- C:\Documents and Settings\august\Local Settings\Application Data\2837452202
[2011/07/27 19:36:30 | 000,013,058 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\2837452202
[2011/07/27 19:36:30 | 000,013,054 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\1202346271
[2011/07/27 19:36:28 | 000,013,054 | -HS- | C] () -- C:\Documents and Settings\august\Local Settings\Application Data\y1bey2j6x1n8n3i061280ivc5rn3p1o6c4h5e147k467
[2011/07/27 19:35:54 | 000,013,396 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\y1bey2j6x1n8n3i061280ivc5rn3p1o6c4h5e147k467
[2011/07/27 19:08:25 | 000,013,396 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\y1bey2j6x1n8n3i061280ivc5rn3p1o6c4h5e147k467
[2011/07/27 19:08:25 | 000,013,180 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\y1bey2j6x1n8n3i061280ivc5rn3p1o6c4h5e147k467
[2011/07/22 14:52:33 | 001,935,676 | ---- | C] () -- C:\Documents and Settings\august\My Documents\2010-2011 property tax bill.pdf
[2011/07/22 12:30:45 | 000,505,120 | ---- | C] () -- C:\Documents and Settings\august\My Documents\Heirs of Henry Surber vs Barba.pdf
[2011/07/18 17:11:11 | 001,409,070 | ---- | C] () -- C:\Documents and Settings\august\My Documents\DC Airco 12V air conditioners.pdf
[2011/07/16 12:56:08 | 008,961,855 | ---- | C] () -- C:\Documents and Settings\august\My Documents\HepvoUSTechGuide.pdf
[2011/07/16 11:48:01 | 000,058,525 | ---- | C] () -- C:\Documents and Settings\august\My Documents\Jib Crane Drawing.pdf
[2011/07/06 21:04:42 | 002,553,964 | ---- | C] () -- C:\Documents and Settings\august\My Documents\K4 Electrical Switch Catalog.pdf
[2011/07/05 14:07:43 | 000,095,028 | ---- | C] () -- C:\Documents and Settings\august\My Documents\AMTDcashprograms.pdf
[2011/07/05 14:05:27 | 000,229,189 | ---- | C] () -- C:\Documents and Settings\august\My Documents\AMTDhandbook.pdf
[2011/07/05 14:04:41 | 000,196,092 | ---- | C] () -- C:\Documents and Settings\august\My Documents\AMTD1938.pdf
[2011/07/05 14:03:23 | 000,203,861 | ---- | C] () -- C:\Documents and Settings\august\My Documents\AMTDagreement.pdf
[2011/06/18 10:46:53 | 000,001,280 | -HS- | C] () -- C:\Documents and Settings\august\Local Settings\Application Data\3wuvrq25xwx04txs364dyrguxuh
[2011/06/18 10:46:53 | 000,001,280 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3wuvrq25xwx04txs364dyrguxuh
[2011/06/04 19:43:52 | 000,001,734 | -HS- | C] () -- C:\Documents and Settings\august\Local Settings\Application Data\a235j1gci53xwt02h88xx11005868uctaw5im
[2011/06/04 19:43:52 | 000,001,734 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\a235j1gci53xwt02h88xx11005868uctaw5im
[2011/05/18 00:18:47 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\17882916
[2011/05/17 10:21:53 | 000,000,344 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\17948452
[2011/04/19 02:43:53 | 000,012,728 | -HS- | C] () -- C:\Documents and Settings\august\Local Settings\Application Data\1336883385
[2011/04/19 02:43:53 | 000,012,728 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\1336883385
[2011/04/19 02:37:17 | 000,012,728 | -HS- | C] () -- C:\Documents and Settings\august\Local Settings\Application Data\4126442025
[2011/04/19 02:24:00 | 000,012,740 | -HS- | C] () -- C:\Documents and Settings\august\Local Settings\Application Data\utouhyrda4c0xq7180bsjqd608jeu33j12ra4
[2011/04/19 02:24:00 | 000,012,728 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\4126442025
[2011/04/19 02:10:53 | 000,012,846 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\utouhyrda4c0xq7180bsjqd608jeu33j12ra4
[2011/04/19 02:10:53 | 000,012,740 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\utouhyrda4c0xq7180bsjqd608jeu33j12ra4
[2011/03/02 18:42:50 | 000,012,528 | -HS- | C] () -- C:\Documents and Settings\august\Local Settings\Application Data\669060650
[2011/03/02 18:42:50 | 000,012,528 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\669060650
[2011/02/04 16:51:14 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/06/04 12:13:23 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2010/06/04 12:12:53 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2010/04/03 22:55:32 | 002,183,470 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
[2009/11/12 21:46:24 | 000,000,073 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2009/11/12 21:45:32 | 000,000,960 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ss.ini
[2009/11/11 22:54:00 | 000,004,940 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\mtbjfghn.xbe
[2009/05/11 12:55:37 | 000,000,695 | ---- | C] () -- C:\WINDOWS\nicheMANDELBROTsaver.ini
[2009/04/06 20:55:51 | 000,007,164 | ---- | C] () -- C:\WINDOWS\Perkins 1104D.ini
[2009/04/06 20:11:51 | 000,501,760 | ---- | C] () -- C:\WINDOWS\System32\Deutz Engine.exe
[2009/04/06 14:09:20 | 000,000,012 | ---- | C] () -- C:\WINDOWS\dirsaver.ini
[2008/07/29 01:52:29 | 000,019,790 | ---- | C] () -- C:\WINDOWS\HPHins02.dat
[2008/07/29 01:52:29 | 000,004,284 | ---- | C] () -- C:\WINDOWS\hphmdl02.dat
[2008/07/29 01:51:54 | 000,364,544 | ---- | C] () -- C:\WINDOWS\System32\hphped05.exe
[2008/07/29 01:51:42 | 000,006,478 | ---- | C] () -- C:\WINDOWS\System32\hphmon05.dat
[2008/06/01 15:16:13 | 000,002,049 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2008/05/01 15:14:36 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2008/04/18 02:15:46 | 000,018,282 | ---- | C] () -- C:\WINDOWS\HPHins01.dat.temp
[2008/04/18 02:15:46 | 000,004,284 | ---- | C] () -- C:\WINDOWS\hphmdl01.dat.temp
[2008/04/07 21:18:35 | 000,000,412 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2007/12/21 04:47:33 | 000,046,128 | ---- | C] () -- C:\WINDOWS\System32\DLLPRF32.DAT
[2007/09/20 13:27:51 | 000,001,760 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/06/29 00:43:00 | 001,018,772 | ---- | C] () -- C:\WINDOWS\System32\nvucode.bin
[2007/06/29 00:43:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/06/11 00:08:48 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\august\Local Settings\Application Data\fusioncache.dat
[2007/01/27 17:50:28 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2007/01/15 13:20:54 | 000,005,656 | ---- | C] () -- C:\WINDOWS\VECalc.INI
[2006/07/22 22:45:13 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2006/07/07 19:42:56 | 000,000,859 | ---- | C] () -- C:\WINDOWS\FOWin32.INI
[2006/06/27 18:39:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\MX_SHARE.DAT
[2006/01/18 09:49:10 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\hkcmd.exe
[2006/01/18 09:49:09 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\igfxtray.exe
[2006/01/08 19:18:08 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/01/07 17:29:42 | 000,000,046 | ---- | C] () -- C:\WINDOWS\MXCDR.INI
[2006/01/02 18:45:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MovieEdit.INI
[2006/01/02 18:24:32 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll
[2006/01/02 18:16:15 | 000,000,085 | ---- | C] () -- C:\WINDOWS\magix.ini
[2006/01/02 18:16:12 | 000,000,999 | ---- | C] () -- C:\WINDOWS\mgxoschk.ini
[2004/11/28 22:00:11 | 000,000,309 | ---- | C] () -- C:\WINDOWS\ahd4.ini
[2004/11/28 01:34:55 | 000,000,017 | ---- | C] () -- C:\WINDOWS\MovingPicture.ini
[2004/11/20 21:32:09 | 000,406,016 | ---- | C] () -- C:\WINDOWS\System32\PSDrvCheck.exe
[2004/11/20 21:28:35 | 000,000,063 | ---- | C] () -- C:\WINDOWS\PixieTool.INI
[2004/11/11 23:06:07 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\FileOps.exe
[2004/09/10 21:55:17 | 000,081,972 | ---- | C] () -- C:\WINDOWS\System32\zlib(2).dll
[2004/08/04 05:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 05:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 05:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 05:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 05:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 05:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 05:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 05:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/05/31 11:52:17 | 000,000,325 | ---- | C] () -- C:\WINDOWS\alchem.ini
[2004/03/18 09:44:29 | 001,663,068 | ---- | C] () -- C:\WINDOWS\System32\libmmd.dll
[2004/02/29 19:19:23 | 000,043,520 | ---- | C] () -- C:\Documents and Settings\august\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/02/09 17:52:13 | 000,000,078 | ---- | C] () -- C:\WINDOWS\qwimp.ini
[2004/01/20 21:11:14 | 000,030,208 | ---- | C] () -- C:\WINDOWS\System32\WNASPI32.DLL
[2004/01/20 21:11:14 | 000,000,291 | ---- | C] () -- C:\WINDOWS\msfsetup.ini
[2004/01/01 17:42:26 | 000,001,735 | ---- | C] () -- C:\WINDOWS\TCADWIN.INI
[2003/12/31 02:18:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Webspace.INI
[2003/10/31 10:03:55 | 000,000,635 | ---- | C] () -- C:\WINDOWS\rtcwgoty.INI
[2003/10/31 09:53:10 | 000,000,885 | ---- | C] () -- C:\WINDOWS\Rtcwplat.INI
[2003/10/14 15:36:50 | 000,000,030 | ---- | C] () -- C:\WINDOWS\TaskPanl.INI
[2003/07/27 09:32:48 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2003/06/21 13:17:26 | 000,000,081 | ---- | C] () -- C:\WINDOWS\CCSATLAS.INI
[2003/05/22 17:10:47 | 000,000,026 | ---- | C] () -- C:\WINDOWS\DfrgUIEx.INI
[2003/04/29 20:17:35 | 000,000,031 | ---- | C] () -- C:\WINDOWS\AUTHMGR.INI
[2003/04/26 00:04:47 | 000,000,810 | ---- | C] () -- C:\WINDOWS\Rtcw.INI
[2003/04/23 11:54:41 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/04/23 11:48:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2003/04/23 11:40:53 | 000,000,379 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2003/04/23 11:27:36 | 000,000,340 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2003/04/23 11:27:30 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2003/04/16 13:33:40 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/04/16 13:29:10 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2003/04/16 13:22:32 | 000,001,620 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2003/04/16 13:22:32 | 000,000,542 | ---- | C] () -- C:\WINDOWS\intuprof.ini
[2003/04/16 13:17:29 | 000,000,883 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/04/16 13:08:52 | 000,002,048 | --S- | C] () -- C:\WINDOWS\BOOTSTAT.DAT
[2003/04/16 13:08:26 | 000,474,134 | ---- | C] () -- C:\WINDOWS\System32\PERFH009.DAT
[2003/04/16 13:08:26 | 000,086,564 | ---- | C] () -- C:\WINDOWS\System32\PERFC009.DAT
[2003/04/16 12:54:36 | 000,000,550 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2002/09/03 11:42:36 | 000,399,936 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2002/09/03 11:35:18 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2002/09/03 11:31:48 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2002/08/29 03:00:00 | 000,016,280 | ---- | C] () -- C:\WINDOWS\icetukopib.dll
[2002/08/29 03:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\NOISE.DAT
[2002/03/13 15:46:46 | 000,053,248 | R--- | C] () -- C:\WINDOWS\System32\zlib.dll
[2000/11/10 13:57:04 | 000,005,025 | ---- | C] () -- C:\WINDOWS\System32\patterns.dat
[1999/01/22 11:46:56 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2010/01/23 02:43:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\boost_interprocess
[2008/01/12 21:09:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2011/08/03 00:43:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EarthLink
[2011/08/03 07:56:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EarthLink Setup Files
[2009/11/12 21:45:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FreeRIP
[2004/11/20 21:10:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle
[2010/12/23 16:10:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Playrix Entertainment
[2003/04/23 12:00:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBT
[2008/04/07 21:18:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2009/04/11 13:13:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TaxCut
[2005/01/09 21:34:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2010/06/03 18:34:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/02/13 22:59:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\august\Application Data\Amazon
[2010/01/31 13:16:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\august\Application Data\AnvSoft
[2009/11/11 22:39:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\august\Application Data\Blitware
[2008/04/07 21:48:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\august\Application Data\Canon
[2007/07/29 18:48:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\august\Application Data\Earthlink
[2005/10/16 21:12:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\august\Application Data\EarthLink Toolbar
[2004/11/02 07:48:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\august\Application Data\eGames
[2011/07/29 17:18:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\august\Application Data\ElevatedDiagnostics
[2010/05/23 23:47:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\august\Application Data\eMachineShop
[2010/04/14 01:34:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\august\Application Data\Facebook
[2004/01/03 12:05:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\august\Application Data\Jasc
[2008/01/12 19:30:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\august\Application Data\Leadertech
[2007/12/21 04:56:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\august\Application Data\Magix
[2010/01/22 17:38:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\august\Application Data\Multi File Downloader
[2006/08/05 23:52:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\august\Application Data\Opera
[2010/05/15 08:18:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\august\Application Data\PGP
[2010/11/26 22:17:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\august\Application Data\Philipp Winterberg
[2008/04/07 21:18:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\august\Application Data\ScanSoft
[2009/04/11 13:15:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\august\Application Data\TaxCut
[2004/11/28 00:16:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\august\Application Data\Ulead Systems
[2007/05/05 00:09:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\august\Application Data\Viewpoint
[2006/05/20 16:00:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\august\Application Data\WholeSecurity
[2011/08/04 09:51:31 | 000,000,394 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{B865B05B-D27E-44CB-BB53-551AF3161739}.job

========== Purity Check ==========



========== Custom Scans ==========


< dir "C:\Program Files" /A:H /S /C >
Volume in drive C has no label.
Volume Serial Number is F416-BF12
Directory of C:\PROGRAM FILES\Adobe\Reader 8.0\Resource\Linguistics\Providers\Proximity
09/29/2005 12:03 PM 294,912 usa86.lex
1 File(s) 294,912 bytes
Directory of C:\PROGRAM FILES\EarthLink 5.0
07/30/2011 11:36 AM 5,632 Thumbs.db
1 File(s) 5,632 bytes
Directory of C:\PROGRAM FILES\Mozilla Firefox\res
02/26/2011 12:24 PM 25,088 Thumbs.db
1 File(s) 25,088 bytes
Directory of C:\PROGRAM FILES\Mozilla Firefox\res\html
02/26/2011 12:24 PM 5,632 Thumbs.db
1 File(s) 5,632 bytes
Directory of C:\PROGRAM FILES\MSN
06/04/2010 05:57 PM <DIR> MSNCoreFiles
0 File(s) 0 bytes
Directory of C:\PROGRAM FILES\MSN\MSNCoreFiles
06/04/2010 05:57 PM <DIR> .
06/04/2010 05:57 PM <DIR> ..
0 File(s) 0 bytes
Directory of C:\PROGRAM FILES\Parsons Technology\Family Origins
05/22/2011 02:02 AM 6,144 Thumbs.db
1 File(s) 6,144 bytes
Directory of C:\PROGRAM FILES\QUICKENW
05/23/2011 07:56 PM 7,168 Thumbs.db
1 File(s) 7,168 bytes
Directory of C:\PROGRAM FILES\Spybot - Search & Destroy
11/04/2009 10:14 AM 1,168,216 advcheck.dll
01/26/2009 03:31 PM 5,365,592 SpybotSD.exe
2 File(s) 6,533,808 bytes
Total Files Listed:
8 File(s) 6,878,384 bytes
3 Dir(s) 14,501,376,000 bytes free

< End of report >
5. Content of report from ESET online scanner

C:\Documents and Settings\august\My Documents\Downloads\freeripmp3-setup.exe Win32/Adware.ADON application
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe Win32/Patched.HN trojan
C:\Program Files\Common Files\LightScribe\LSSrvc.exe Win32/Patched.HN trojan
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe Win32/Patched.HN trojan
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe Win32/Patched.HN trojan
C:\Program Files\Java\jre6\bin\jqs.exe Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\Program Files\Drop Down Deals\YontooIEClient.dll.vir Win32/Adware.Yontoo.A application
C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir a variant of Win32/Sirefef.CH trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gPsrqtwa.ini.vir Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\INF\alchem.inf probably a variant of Win32/Agent.GESWFOG trojan
C:\WINDOWS\SYSTEM32\HPZipm12.exe Win32/Patched.HN trojan
C:\WINDOWS\SYSTEM32\nvsvc32.exe Win32/Patched.HN trojan
Operating memory Win32/Patched.HN trojan
