WindowsXP Dell Nasty Virus


  • This topic is locked
17 replies to this topic

#1 pandyfackler

pandyfackler

  • Members
  • 16 posts
  • OFFLINE
  • Gender:Female
  • Location:dark side of the moon
  • Local time:08:46 PM

Posted 01 August 2011 - 01:10 PM

Hello,
I have a Virus or malware or spyware, or something gone terribly wrong. Dell Windows XP

I was able to run DDS just fine (and attached the first dds log.)
but gmer does the exact same thing as malwarebytes (and all other anti-virus programs) it starts, it runs, it detects a threat and then quickly closes.
When I try to open the program back up it says,
*windows could not specify device or path; or you may not have appropriate permissions to access this program*
I've tried changing the name downloading it onto a zip drive from my non infected computer and transferring it, I even spent three hours on the phone with a man from Microsoft security essentials who had remote control access and he couldn't help my problem either.

I also cannot system restore past the date I think I was infected.
If there is any advice I would be very appreciative.
Thanks,
Kelsey

*another symptom is the redirecting of all my web browsers especially in google, prompting me to buy random and weird things or enter information.
If I load the browser twice it usually pulls up, but not automatically.

I don't know if my attachment worked so here is the dds log. the first one.



.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Mikelle Duke at 10:43:14 on 2011-08-01
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.237 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\DAEMON Tools Pro\DTAgent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DAEMON Tools Pro\DTShellHlp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.facebook.com/home.php?ref=hp
uInternet Settings,ProxyOverride = *.local
BHO: Facetheme: {cbc5b60a-aa4d-45f6-84c2-d086f320299a} - c:\program files\object\bho_project.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [limewire plus+] "c:\program files\limewire plus+\limewire.exe" -h
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ISUSPM] c:\documents and settings\all users\application data\flexnet\connect\11\ISUSPM.exe -scheduler
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\fefeed\mbamgui.exe /install /silent
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\mikell~1\startm~1\programs\startup\roller~1.lnk - c:\documents and settings\mikelle duke\local settings\temp\{de89cbe8-5c1d-4237-b480-2458bd8ffca3}\{907b4640-266b-4a21-92fb-cd1a86cd0f63}\ATR1.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{33699D10-EACC-4EE2-B38A-CFFDB2257200} : DhcpNameServer = 192.168.1.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\mikelle duke\application data\mozilla\firefox\profiles\3sg6ir93.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=BABTDF&PC=BBLN&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=BABTDF&PC=BBLN&q=
FF - component: c:\documents and settings\mikelle duke\application data\mozilla\firefox\profiles\3sg6ir93.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\mikelle duke\application data\mozilla\firefox\profiles\3sg6ir93.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\nuance\pdf reader\bin\nppdf.dll
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-7-5 233024]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsla0343f14;MpKsla0343f14;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d3e4182a-1292-4425-a972-4037a0d8cfec}\MpKsla0343f14.sys [2011-7-29 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-12 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R4 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-29 22712]
R4 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-29 366640]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-7-29 41272]
S0 cerc6;cerc6; [x]
S1 MpKsl3b4d3763;MpKsl3b4d3763;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e39b2d07-32ee-4169-888b-289508f09b67}\mpksl3b4d3763.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e39b2d07-32ee-4169-888b-289508f09b67}\MpKsl3b4d3763.sys [?]
S1 MpKslac4ad29d;MpKslac4ad29d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{23a0255f-18df-4fae-94f1-ed4eba403de7}\mpkslac4ad29d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{23a0255f-18df-4fae-94f1-ed4eba403de7}\MpKslac4ad29d.sys [?]
S1 MpKslbd7582f4;MpKslbd7582f4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{aab27487-18a0-4d1e-a347-fc22a3e12fc3}\mpkslbd7582f4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{aab27487-18a0-4d1e-a347-fc22a3e12fc3}\MpKslbd7582f4.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-08-01 16:42:54 -------- d--h--w- c:\windows\PIF
2011-08-01 16:32:24 -------- d-----w- c:\program files\fefeed
2011-08-01 16:17:11 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-08-01 16:17:11 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-01 16:16:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-07-29 23:24:09 221184 ----a-w- c:\windows\system32\wmpns.dll
2011-07-29 23:17:46 -------- d-----w- c:\documents and settings\mikelle duke\application data\Malwarebytes
2011-07-29 23:17:34 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-29 23:17:33 -------- dc----w- c:\documents and settings\all users\application data\Malwarebytes
2011-07-29 23:17:30 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-29 23:17:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-29 23:10:43 -------- d-----w- c:\documents and settings\mikelle duke\application data\SUPERAntiSpyware.com
2011-07-29 22:44:15 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d3e4182a-1292-4425-a972-4037a0d8cfec}\MpKsla0343f14.sys
2011-07-29 22:44:04 6881616 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d3e4182a-1292-4425-a972-4037a0d8cfec}\mpengine.dll
2011-07-29 22:32:39 -------- d-----w- c:\program files\Microsoft Security Client
2011-07-29 22:17:04 -------- d-----w- c:\program files\Microsoft Easy Assist
2011-07-29 22:16:55 -------- dc----w- c:\documents and settings\all users\application data\Applications
2011-07-29 04:42:24 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-07-29 03:49:52 -------- d-----w- c:\documents and settings\mikelle duke\application data\DriverCure
2011-07-29 03:49:51 -------- d-----w- c:\documents and settings\mikelle duke\application data\ParetoLogic
2011-07-29 03:49:39 -------- d-----w- c:\program files\common files\ParetoLogic
2011-07-29 03:49:36 -------- dc----w- c:\documents and settings\all users\application data\ParetoLogic
2011-07-29 03:49:36 -------- d-----w- c:\program files\ParetoLogic
2011-07-29 03:16:47 -------- d-----w- c:\documents and settings\mikelle duke\application data\NCH Software
2011-07-29 03:16:23 -------- d-----w- c:\program files\NCH Software
2011-07-26 22:28:32 -------- d-----w- c:\program files\iPod
2011-07-26 22:23:52 -------- d-----w- c:\program files\Bonjour
2011-07-26 03:44:36 -------- d-----w- c:\documents and settings\mikelle duke\application data\MilkShape 3D 1.x.x
2011-07-26 03:44:08 -------- d-----w- c:\program files\MilkShape 3D 1.8.5
2011-07-22 05:30:10 -------- d-----w- c:\documents and settings\mikelle duke\application data\Atari
2011-07-22 05:27:22 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2011-07-20 19:16:29 -------- d-----w- c:\program files\NVIDIA Corporation
2011-07-20 19:15:23 151552 ----a-w- c:\windows\system32\nvRegDev.dll
2011-07-20 19:15:04 192512 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iuser.dll
2011-07-20 19:15:03 729088 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iKernel.dll
2011-07-20 19:15:03 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\ctor.dll
2011-07-20 19:15:03 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\DotNetInstaller.exe
2011-07-20 19:15:03 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iscript.dll
2011-07-20 19:14:59 188548 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iGdi.dll
2011-07-20 19:14:57 311428 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\setup.dll
2011-07-20 18:49:20 667978 ----a-w- c:\windows\unins000.exe
2011-07-19 07:20:21 -------- d-----w- c:\program files\SimPE
2011-07-18 04:50:08 -------- d-----w- c:\documents and settings\mikelle duke\local settings\application data\Deployment
2011-07-18 04:46:21 -------- dc----w- c:\documents and settings\all users\application data\PC Drivers HeadQuarters
2011-07-18 04:27:31 -------- d-----w- c:\documents and settings\mikelle duke\application data\Systweak
2011-07-18 04:27:24 17280 ----a-w- c:\windows\system32\roboot.exe
2011-07-18 04:27:18 -------- d-----w- c:\program files\Object
2011-07-12 18:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 18:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 18:20:54 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 18:20:54 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-11 05:34:57 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2011-07-06 17:00:57 -------- d-----w- c:\documents and settings\mikelle duke\application data\Leawo
2011-07-06 17:00:38 -------- dc----w- c:\documents and settings\all users\application data\Leawo
2011-07-06 16:59:42 606208 ----a-w- c:\windows\system32\xvidcore.dll
2011-07-06 16:59:42 139264 ----a-w- c:\windows\system32\xvid.ax
2011-07-06 16:59:41 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-07-06 16:59:41 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-07-06 16:59:12 -------- d-----w- c:\program files\Leawo
2011-07-06 04:08:35 233024 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2011-07-06 04:08:16 -------- d-----w- c:\program files\DAEMON Tools Pro
2011-07-06 04:07:48 -------- dc----w- c:\documents and settings\all users\application data\DAEMON Tools Pro
2011-07-06 04:07:48 -------- d-----w- c:\documents and settings\mikelle duke\application data\DAEMON Tools Pro
2011-07-05 23:10:07 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-07-05 23:10:07 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-07-05 23:07:11 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-07-05 23:07:11 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-07-05 23:03:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-05 06:47:13 -------- d-----w- c:\program files\BitTorrent
2011-07-05 06:46:31 -------- d-----w- c:\documents and settings\mikelle duke\application data\BitTorrent
.
==================== Find3M ====================
.
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-04 11:52:22 472808 -c--a-w- c:\windows\system32\deployJava1.dll
2011-05-04 09:25:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
============= FINISH: 10:43:54.71 ===============

Edited by pandyfackler, 01 August 2011 - 01:11 PM.
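Added example, not code from the thread or from the DDS tool's authors: a small Python triage pass over DDS-style log lines like the ones posted above. It splits the log into its `=== Section ===` blocks, pulls the file paths out of process and autorun entries, and flags the patterns a malware responder checks first when reading such a log: an object-manager path such as `\\.\globalroot\Device\...` where a drive letter should be, an executable launched from a temp folder, and a core Windows binary name running outside the Windows directory. The sample log is constructed for the example; the globalroot process line and the temp-folder StartupFolder entry are shaped after entries in the log above, while the user name and the `application data\svchost.exe` autorun entry are made up.

```python
import re

# Constructed sample in the shape of a DDS log. The globalroot process line and
# the temp-folder StartupFolder entry are shaped after entries in the log quoted
# above; the user name and the "application data\svchost.exe" autorun are made up.
SAMPLE_DDS = r"""
============== Running Processes ===============
.
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [svchost] c:\documents and settings\user\application data\svchost.exe
StartupFolder: c:\docume~1\user~1\startm~1\programs\startup\roller~1.lnk - c:\documents and settings\user\local settings\temp\{de89cbe8-5c1d-4237-b480-2458bd8ffca3}\ATR1.exe
.
"""

# "=== Title ===" header lines that DDS uses to separate its sections.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Drive-letter or \\.\globalroot paths ending in an extension that DDS entries carry.
PATH_RE = re.compile(
    r'(?:\\\\\.\\globalroot|[a-z]:)\\[^"\r\n]*?\.(?:exe|dll|sys|scr|com|lnk)(?=["\s]|$)',
    re.IGNORECASE,
)
# Windows binaries that legitimately live only under the Windows directory.
SYSTEM_BINARIES = {"svchost", "explorer", "csrss", "lsass", "winlogon", "services", "spoolsv"}


def split_sections(text):
    """Group DDS lines under their '=== Title ===' headers, skipping the '.' spacer lines."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip() not in ("", "."):
            sections[current].append(line)
    return sections


def paths_in(line, section):
    """Extract the file paths referenced by one DDS line."""
    if section.startswith("Running Processes"):
        # Process lines are a single, possibly quoted, path followed by arguments
        # such as "-k netsvcs"; DDS prints a bare name when it cannot read the path.
        path = re.split(r"\s+-", line.strip().strip('"'), maxsplit=1)[0]
        return [path]
    return PATH_RE.findall(line)


def triage_path(path):
    """Reasons a path deserves a closer look; empty when nothing stands out."""
    p = path.lower()
    reasons = []
    if p.startswith("\\\\.\\globalroot") or "\\device\\" in p:
        reasons.append("object-manager path instead of a drive letter (typical of rootkit-hidden files)")
    if "\\temp\\" in p or "\\temporary internet files\\" in p:
        reasons.append("executable located in a temp folder")
    name = p.rsplit("\\", 1)[-1]
    # Bare names (no backslash) are skipped: DDS prints those for processes whose
    # path it could not read, which is normal for system-owned processes.
    if "\\" in p and name.split(".")[0] in SYSTEM_BINARIES and not p.startswith("c:\\windows\\"):
        reasons.append(f"{name} running outside the Windows directory")
    return reasons


def triage(text):
    """Return (section, path, reason) tuples for every suspicious entry in a DDS log."""
    findings = []
    for section, lines in split_sections(text).items():
        for line in lines:
            for path in paths_in(line, section):
                for reason in triage_path(path):
                    findings.append((section, path, reason))
    return findings


if __name__ == "__main__":
    for section, path, reason in triage(SAMPLE_DDS):
        print(f"[{section}] {path}\n    -> {reason}")
```

On the sample, the globalroot process line is reported twice (device path, and `svchost.exe` outside the Windows directory), the `application data\svchost.exe` autorun once, and the `ATR1.exe` startup target once for its temp-folder location; the legitimate `system32` entries and Firefox produce nothing. The rules are deliberately narrow so that the output stays readable for a first pass over a log; they are a reading aid, not a verdict.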




#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,703 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:46 PM

Posted 09 August 2011 - 09:30 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on http://www.bleepingcomputer.com/logreply/412380 and follow the instructions there. If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,703 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:46 PM

Posted 14 August 2011 - 09:35 AM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!

#4 pandyfackler

pandyfackler
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Gender:Female
  • Location:dark side of the moon
  • Local time:08:46 PM

Posted 05 September 2011 - 02:39 PM

Here is the most recent DDS log (not trying to bump, just want the most accurate info so I can get help).
Will post Gmer log if requested or as soon as it's finished.
Thank you.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Mikelle Duke at 12:06:49 on 2011-09-05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.475 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\MyDocumentss\mbamservice.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.facebook.com/home.php?ref=hp
uInternet Settings,ProxyOverride = *.local
BHO: Facetheme: {cbc5b60a-aa4d-45f6-84c2-d086f320299a} - c:\program files\object\bho_project.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [limewire plus+] "c:\program files\limewire plus+\limewire.exe" -h
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ISUSPM] c:\documents and settings\all users\application data\flexnet\connect\11\ISUSPM.exe -scheduler
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Malwarebytes' Anti-Malware] "c:\program files\mydocumentss\mbamgui.exe" /starttray
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\mikell~1\startm~1\programs\startup\roller~1.lnk - c:\documents and settings\mikelle duke\local settings\temp\{de89cbe8-5c1d-4237-b480-2458bd8ffca3}\{907b4640-266b-4a21-92fb-cd1a86cd0f63}\ATR1.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{33699D10-EACC-4EE2-B38A-CFFDB2257200} : DhcpNameServer = 192.168.1.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\mikelle duke\application data\mozilla\firefox\profiles\3sg6ir93.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=BABTDF&PC=BBLN&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - component: c:\documents and settings\mikelle duke\application data\mozilla\firefox\profiles\3sg6ir93.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\mikelle duke\application data\mozilla\firefox\profiles\3sg6ir93.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\nuance\pdf reader\bin\nppdf.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2011-7-12 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2011-5-4 123264]
R2 MBAMService;MBAMService;c:\program files\mydocumentss\mbamservice.exe [2011-9-4 366640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-1 22712]
S0 cerc6;cerc6; [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys --> c:\windows\system32\drivers\dtsoftbus01.sys [?]
S1 MpKsl3b4d3763;MpKsl3b4d3763;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e39b2d07-32ee-4169-888b-289508f09b67}\mpksl3b4d3763.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e39b2d07-32ee-4169-888b-289508f09b67}\MpKsl3b4d3763.sys [?]
S1 MpKslac4ad29d;MpKslac4ad29d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{23a0255f-18df-4fae-94f1-ed4eba403de7}\mpkslac4ad29d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{23a0255f-18df-4fae-94f1-ed4eba403de7}\MpKslac4ad29d.sys [?]
S1 MpKslbd7582f4;MpKslbd7582f4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{aab27487-18a0-4d1e-a347-fc22a3e12fc3}\mpkslbd7582f4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{aab27487-18a0-4d1e-a347-fc22a3e12fc3}\MpKslbd7582f4.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-09-05 18:39:46 -------- d-----w- c:\program files\msn gaming zone
2011-09-05 04:16:13 -------- d-----w- c:\program files\MyDocumentss
2011-09-05 04:09:15 -------- dc----w- c:\documents and settings\all users\application data\Malwarebytes
2011-08-24 10:01:07 -------- d-----w- c:\documents and settings\mikelle duke\local settings\application data\PCHealth
2011-08-10 08:10:09 -------- d--h--w- c:\windows\$hf_mig$
.
==================== Find3M ====================
.
2011-09-05 04:19:14 50112 --sha-w- c:\windows\system32\c_56341.nl_
2011-09-05 04:18:50 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-08-11 03:00:58 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-10 05:22:49 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-07-22 05:27:22 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2011-07-20 19:14:56 151552 ----a-w- c:\windows\system32\nvRegDev.dll
2011-07-20 18:47:46 667978 ----a-w- c:\windows\unins000.exe
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 18:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 18:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 18:20:54 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 18:20:54 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-11 05:34:58 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-07 20:26:14 17280 ----a-w- c:\windows\system32\roboot.exe
2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
.
============= FINISH: 12:07:25.51 ===============

#5 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:09:46 AM

Posted 06 September 2011 - 07:06 AM

Hello Kelsey and welcome to BC. :)


Will post Gmer log if requested or as soon as it's finished.

Please post the GMER log if you have it.



====================================


Step 1: Download TDSSKiller.zip from Kaspersky and save it to your Desktop.
  • Extract the zip file to its own folder.
  • Double click TDSSKiller.exe to run the program (Run as Administrator for Vista/Windows 7).
  • Click Start scan to start scanning.
  • If infection is detected, the default setting for "action" is Cure (Please click on it and change it to skip).
  • Click on Report to generate a log.
  • Please post that log when you reply.



Step 2: Download OTL by OldTimer from one of the links below:

Link 1
Link 2

  • Save it to your desktop.
  • Close all open windows on the Task Bar.
  • Double click the OTL icon to run the program (run as Administrator for Windows Vista/7).
  • Put a check mark on Scan All Users.
  • Click the Run Scan button and let it run uninterrupted.
  • It will create two reports, namely OTL.txt (will be opened) and Extras.txt (will be minimized).
  • Post the contents of both reports when you reply.
  • Exit OTL.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 
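
A defender reading a TDSSKiller report like the one Step 1 produces usually wants only the findings pulled out: which services were flagged, whether the file was hidden or its hash forged, the detection name, and what action was taken on each. The parser below is an added example for this thread, not part of this post and not TDSSKiller's own code. It assumes the report's line layout as seen in TDSSKiller logs (timestamp, thread id, message) and runs on a constructed sample whose service names, hashes and timestamps are placeholders rather than values from a real scan.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the TDSSKiller report layout (timestamp, thread id, message).
# Service names, hashes and timestamps are placeholders, not values from a real scan.
SAMPLE_LOG = """\
2011/01/01 10:00:00.0000 1000 Beep (aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa) C:\\WINDOWS\\system32\\drivers\\Beep.sys
2011/01/01 10:00:01.0000 1000 svc0001 (bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb) C:\\WINDOWS\\1234567890:987654321.exe
2011/01/01 10:00:01.0000 1000 Suspicious file (Hidden): C:\\WINDOWS\\1234567890:987654321.exe. md5: bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
2011/01/01 10:00:01.0000 1000 svc0001 - detected HiddenFile.Multi.Generic (1)
2011/01/01 10:00:02.0000 1000 Fips (cccccccccccccccccccccccccccccccc) C:\\WINDOWS\\system32\\drivers\\Fips.sys
2011/01/01 10:00:02.0000 1000 Suspicious file (Forged): C:\\WINDOWS\\system32\\drivers\\Fips.sys. Real md5: cccccccccccccccccccccccccccccccc, Fake md5: dddddddddddddddddddddddddddddddd
2011/01/01 10:00:02.0000 1000 Fips - detected Rootkit.Win32.ZAccess.e (0)
2011/01/01 10:00:03.0000 1000 MBR (0x1B8) (eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee) \\Device\\Harddisk0\\DR0
2011/01/01 10:00:03.0000 1000 Scan finished
2011/01/01 10:00:03.0000 1001 Detected object count: 2
2011/01/01 10:00:30.0000 1001 HiddenFile.Multi.Generic(svc0001) - User select action: Skip
2011/01/01 10:00:30.0000 1001 Rootkit.Win32.ZAccess.e(Fips) - User select action: Skip
"""

# Every report line is "<date time> <thread id> <message>"; we only keep the message.
LINE_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+(.*)$")
# Ordinary driver/service enumeration line: "<service> (<md5>) <path>".
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")
# "Suspicious file (Hidden): <path>. md5: <hash>" or
# "Suspicious file (Forged): <path>. Real md5: <hash>, Fake md5: <hash>".
SUSPICIOUS_RE = re.compile(
    r"^Suspicious file \((Hidden|Forged)\): (.+)\. "
    r"(?:Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})|md5: ([0-9a-f]{32}))$"
)
DETECTED_RE = re.compile(r"^(\S+) - detected (\S+) \(\d+\)$")
ACTION_RE = re.compile(r"^(\S+)\((\S+)\) - User select action: (\w+)$")


@dataclass
class Finding:
    service: str
    kind: str                        # "Hidden" or "Forged"
    path: str
    md5: str                         # hash of the bytes actually on disk
    fake_md5: Optional[str] = None   # hash the running system returned instead (Forged only)
    verdict: Optional[str] = None    # detection name from the "- detected" line
    action: Optional[str] = None     # what the user chose at the prompt (Cure, Skip, ...)


def is_ads_path(path: str) -> bool:
    """True when the file name carries an NTFS alternate data stream (a colon past the drive letter)."""
    return ":" in path[2:]


def parse_report(text: str) -> list[Finding]:
    """Collect the flagged objects from a TDSSKiller report, joined with verdict and user action."""
    path_to_service: dict[str, str] = {}
    findings: dict[str, Finding] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(1)
        if (drv := DRIVER_RE.match(msg)):
            # Remember which service name owns which path; the Suspicious line only names the path.
            path_to_service[drv.group(3)] = drv.group(1)
            continue
        if (sus := SUSPICIOUS_RE.match(msg)):
            kind, path, real, fake, plain = sus.groups()
            service = path_to_service.get(path, "?")
            findings[service] = Finding(service, kind, path, real or plain, fake)
            continue
        if (det := DETECTED_RE.match(msg)):
            if det.group(1) in findings:
                findings[det.group(1)].verdict = det.group(2)
            continue
        if (act := ACTION_RE.match(msg)):
            _verdict, service, action = act.groups()
            if service in findings:
                findings[service].action = action
    return list(findings.values())


def needs_follow_up(findings: list[Finding]) -> list[Finding]:
    """Findings the user did not let the tool cure; these still have to be dealt with."""
    return [f for f in findings if f.action != "Cure"]


if __name__ == "__main__":
    for f in parse_report(SAMPLE_LOG):
        extra = " [alternate data stream]" if is_ads_path(f.path) else ""
        forged = f" (system reports {f.fake_md5})" if f.fake_md5 else ""
        print(f"{f.service}: {f.kind} {f.path}{extra} md5={f.md5}{forged} -> {f.verdict}, action={f.action}")
```

Two details of the format are worth knowing when reading such a report. A "Forged" line means the hash of the driver file on disk differs from the hash the running system returns for it, which is why a helper asks for the log before any cure is attempted. A colon inside a file name beyond the drive letter (as in the hidden file of the sample) names an NTFS alternate data stream, a location Explorer does not show.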


#6 pandyfackler

pandyfackler
  • Topic Starter

  • Members
  • 16 posts
  • Gender:Female
  • Location:dark side of the moon
  • Local time:08:46 PM

Posted 06 September 2011 - 07:08 PM

TDSSKiller log:

2011/09/06 15:55:24.0203 2600 TDSS rootkit removing tool 2.5.19.0 Sep 6 2011 19:23:56
2011/09/06 15:55:24.0843 2600 ================================================================================
2011/09/06 15:55:24.0843 2600 SystemInfo:
2011/09/06 15:55:24.0843 2600
2011/09/06 15:55:24.0843 2600 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/06 15:55:24.0843 2600 Product type: Workstation
2011/09/06 15:55:24.0843 2600 ComputerName: MIKELLE-PC
2011/09/06 15:55:24.0843 2600 UserName: Mikelle Duke
2011/09/06 15:55:24.0843 2600 Windows directory: C:\WINDOWS
2011/09/06 15:55:24.0843 2600 System windows directory: C:\WINDOWS
2011/09/06 15:55:24.0843 2600 Processor architecture: Intel x86
2011/09/06 15:55:24.0843 2600 Number of processors: 2
2011/09/06 15:55:24.0843 2600 Page size: 0x1000
2011/09/06 15:55:24.0843 2600 Boot type: Normal boot
2011/09/06 15:55:24.0843 2600 ================================================================================
2011/09/06 15:55:26.0843 2600 Initialize success
2011/09/06 15:55:28.0437 2620 ================================================================================
2011/09/06 15:55:28.0437 2620 Scan started
2011/09/06 15:55:28.0437 2620 Mode: Manual;
2011/09/06 15:55:28.0437 2620 ================================================================================
2011/09/06 15:55:29.0906 2620 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/06 15:55:30.0000 2620 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/09/06 15:55:30.0359 2620 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/09/06 15:55:30.0515 2620 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/09/06 15:55:31.0296 2620 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/09/06 15:55:31.0421 2620 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/06 15:55:31.0843 2620 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/09/06 15:55:32.0234 2620 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/09/06 15:55:32.0562 2620 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/09/06 15:55:32.0671 2620 c7d8655a (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\1516624071:942119589.exe
2011/09/06 15:55:32.0718 2620 Suspicious file (Hidden): C:\WINDOWS\1516624071:942119589.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
2011/09/06 15:55:32.0718 2620 c7d8655a - detected HiddenFile.Multi.Generic (1)
2011/09/06 15:55:33.0187 2620 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/09/06 15:55:33.0890 2620 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/09/06 15:55:34.0046 2620 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/09/06 15:55:34.0218 2620 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/09/06 15:55:34.0718 2620 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys
2011/09/06 15:55:34.0984 2620 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/09/06 15:55:35.0250 2620 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/09/06 15:55:35.0796 2620 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/09/06 15:55:36.0125 2620 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/09/06 15:55:36.0625 2620 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/09/06 15:55:37.0265 2620 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/09/06 15:55:38.0390 2620 E100B (98b46b331404a951cabad8b4877e1276) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/09/06 15:55:38.0984 2620 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/09/06 15:55:39.0359 2620 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/09/06 15:55:39.0953 2620 Fips (a4ecc381db09dcfe4fe2cbb9b2af6e69) C:\WINDOWS\system32\drivers\Fips.sys
2011/09/06 15:55:39.0953 2620 Suspicious file (Forged): C:\WINDOWS\system32\drivers\Fips.sys. Real md5: a4ecc381db09dcfe4fe2cbb9b2af6e69, Fake md5: d45926117eb9fa946a6af572fbe1caa3
2011/09/06 15:55:39.0953 2620 Fips - detected Rootkit.Win32.ZAccess.e (0)
2011/09/06 15:55:40.0375 2620 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/09/06 15:55:40.0843 2620 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/09/06 15:55:41.0281 2620 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/09/06 15:55:41.0828 2620 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/09/06 15:55:42.0390 2620 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/09/06 15:55:42.0859 2620 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/09/06 15:55:43.0375 2620 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/09/06 15:55:44.0296 2620 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/09/06 15:55:45.0515 2620 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/09/06 15:55:46.0515 2620 ialm (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/09/06 15:55:47.0031 2620 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/06 15:55:47.0687 2620 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/09/06 15:55:47.0984 2620 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/09/06 15:55:48.0265 2620 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/09/06 15:55:48.0562 2620 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/09/06 15:55:49.0078 2620 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/09/06 15:55:49.0656 2620 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/09/06 15:55:50.0031 2620 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/06 15:55:50.0453 2620 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/09/06 15:55:50.0859 2620 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/09/06 15:55:51.0437 2620 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/09/06 15:55:51.0953 2620 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/09/06 15:55:52.0578 2620 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/09/06 15:55:53.0203 2620 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/09/06 15:55:53.0843 2620 MBAMProtector (eca00eed9ab95489007b0ef84c7149de) C:\WINDOWS\system32\drivers\mbam.sys
2011/09/06 15:55:54.0265 2620 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/09/06 15:55:54.0875 2620 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/09/06 15:55:55.0265 2620 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/09/06 15:55:55.0718 2620 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/09/06 15:55:56.0312 2620 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/09/06 15:55:56.0828 2620 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2011/09/06 15:55:58.0515 2620 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/09/06 15:55:59.0015 2620 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/09/06 15:55:59.0453 2620 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/09/06 15:56:00.0031 2620 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/09/06 15:56:00.0546 2620 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/09/06 15:56:00.0906 2620 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/09/06 15:56:01.0421 2620 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/09/06 15:56:01.0921 2620 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/09/06 15:56:02.0421 2620 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/09/06 15:56:02.0796 2620 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/09/06 15:56:03.0093 2620 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/09/06 15:56:03.0593 2620 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/09/06 15:56:04.0234 2620 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/09/06 15:56:04.0718 2620 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/09/06 15:56:05.0109 2620 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/06 15:56:05.0437 2620 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/09/06 15:56:05.0890 2620 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/09/06 15:56:06.0234 2620 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/09/06 15:56:06.0515 2620 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/09/06 15:56:06.0828 2620 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/09/06 15:56:07.0156 2620 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/09/06 15:56:07.0468 2620 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/09/06 15:56:07.0765 2620 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/09/06 15:56:08.0046 2620 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/09/06 15:56:08.0578 2620 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2011/09/06 15:56:09.0046 2620 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/09/06 15:56:11.0859 2620 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/09/06 15:56:12.0171 2620 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/09/06 15:56:12.0484 2620 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/09/06 15:56:14.0031 2620 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/09/06 15:56:14.0468 2620 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/09/06 15:56:14.0906 2620 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/09/06 15:56:15.0281 2620 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/09/06 15:56:15.0687 2620 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/09/06 15:56:21.0359 2620 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/09/06 15:56:21.0984 2620 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/09/06 15:56:22.0921 2620 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/09/06 15:56:23.0546 2620 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/09/06 15:56:24.0250 2620 s616bus (ef4b5a8d53f15cb269469dd4e4bb0109) C:\WINDOWS\system32\DRIVERS\s616bus.sys
2011/09/06 15:56:25.0031 2620 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/09/06 15:56:25.0359 2620 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/09/06 15:56:26.0015 2620 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/09/06 15:56:26.0953 2620 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
2011/09/06 15:56:28.0031 2620 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/09/06 15:56:28.0765 2620 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/09/06 15:56:29.0718 2620 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/09/06 15:56:31.0296 2620 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
2011/09/06 15:56:31.0515 2620 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/09/06 15:56:31.0921 2620 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/09/06 15:56:33.0375 2620 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/09/06 15:56:34.0078 2620 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/09/06 15:56:34.0687 2620 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/09/06 15:56:36.0203 2620 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/09/06 15:56:37.0375 2620 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/06 15:56:37.0828 2620 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/09/06 15:56:38.0375 2620 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/09/06 15:56:38.0953 2620 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/09/06 15:56:40.0140 2620 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/09/06 15:56:42.0109 2620 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/09/06 15:56:42.0859 2620 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/09/06 15:56:43.0281 2620 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/09/06 15:56:46.0750 2620 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/09/06 15:56:46.0906 2620 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/09/06 15:56:47.0031 2620 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/09/06 15:56:47.0296 2620 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/09/06 15:56:47.0406 2620 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/09/06 15:56:47.0515 2620 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/09/06 15:56:47.0906 2620 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/09/06 15:56:48.0312 2620 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/09/06 15:56:48.0531 2620 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/09/06 15:56:48.0734 2620 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/09/06 15:56:48.0781 2620 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/09/06 15:56:48.0921 2620 Boot (0x1200) (9f92b16c5adc8737b9942f62c78f3c8b) \Device\Harddisk0\DR0\Partition0
2011/09/06 15:56:48.0921 2620 ================================================================================
2011/09/06 15:56:48.0921 2620 Scan finished
2011/09/06 15:56:48.0921 2620 ================================================================================
2011/09/06 15:56:48.0921 1920 Detected object count: 2
2011/09/06 15:56:48.0921 1920 Actual detected object count: 2
2011/09/06 15:57:18.0671 1920 HiddenFile.Multi.Generic(c7d8655a) - User select action: Skip
2011/09/06 15:57:18.0671 1920 Rootkit.Win32.ZAccess.e(Fips) - User select action: Skip
2011/09/06 15:58:18.0296 4076 Deinitialize success

OTL log:

OTL logfile created on: 9/6/2011 4:00:04 PM - Run 1
OTL by OldTimer - Version 3.2.27.0 Folder = C:\Documents and Settings\Mikelle Duke\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.98 Mb Total Physical Memory | 424.27 Mb Available Physical Memory | 41.80% Memory free
2.39 Gb Paging File | 1.96 Gb Available in Paging File | 81.94% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 114.48 Gb Total Space | 24.28 Gb Free Space | 21.21% Space Free | Partition Type: NTFS

Computer Name: MIKELLE-PC | User Name: Mikelle Duke | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - File not found -- C:\WINDOWS\1516624071:942119589.exe
PRC - [2011/09/06 15:59:11 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mikelle Duke\My Documents\Downloads\OTL.exe
PRC - [2011/09/04 18:31:42 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/08/05 21:21:10 | 000,123,264 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
PRC - [2011/07/16 22:21:04 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Mikelle Duke\Desktop\gmer.exe
PRC - [2011/06/15 15:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2008/04/13 16:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2011/09/04 18:31:41 | 001,846,232 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/07/16 22:21:04 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Mikelle Duke\Desktop\gmer.exe
MOD - [2011/05/26 13:42:00 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2008/06/20 09:02:47 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/08/05 21:21:10 | 000,123,264 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2011/07/06 19:52:38 | 000,366,640 | ---- | M] () [Auto | Stopped] -- C:\Program Files\MyDocumentss\mbamservice.exe -- (MBAMService)
SRV - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] () [Auto | Stopped] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)


========== Driver Services (SafeList) ==========

DRV - [2011/08/05 21:19:57 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2011/07/12 14:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2011/07/06 19:52:42 | 000,022,712 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2009/12/18 12:58:52 | 000,011,336 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\SystemRequirementsLab\cpudrv.sys -- (cpudrv)
DRV - [2007/04/03 14:59:30 | 000,083,208 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s616bus.sys -- (s616bus) Sony Ericsson Device 616 driver (WDM)
DRV - [2004/09/17 09:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1614895754-725345543-1644491937-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/home.php?ref=hp
IE - HKU\S-1-5-21-1614895754-725345543-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1614895754-725345543-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Bing"
FF - prefs.js..browser.search.defaulturl: "http://www.bing.com/search?FORM=BABTDF&PC=BBLN&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.facebook.com/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {7b13ec3e-999a-4b70-b9cb-2617b8323822}:2.7.1.3
FF - prefs.js..extensions.enabledItems: {afe43e80-0abc-4df2-81a0-3fe44b74abe8}:1.300.346
FF - prefs.js..extensions.enabledItems: paffxtbr@FilmFanatic.com:1.1
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {398726BF-8F27-4BE9-9302-2C7CF6E3DC42}:1.9.1

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{398726BF-8F27-4BE9-9302-2C7CF6E3DC42}: C:\Documents and Settings\Mikelle Duke\Local Settings\Application Data\{398726BF-8F27-4BE9-9302-2C7CF6E3DC42}
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{EB132DB0-A4CA-11DF-9732-0E29E0D72085}: C:\Program Files\Object\facetheme [2011/07/17 21:27:19 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/04 20:41:56 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/22 11:40:55 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{EB132DB0-A4CA-11DF-9732-0E29E0D72085}: C:\Program Files\Object\facetheme [2011/07/17 21:27:19 | 000,000,000 | ---D | M]

[2010/11/10 10:29:36 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Mikelle Duke\Application Data\Mozilla\Extensions
[2011/09/04 19:57:09 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Mikelle Duke\Application Data\Mozilla\Firefox\Profiles\3sg6ir93.default\extensions
[2010/11/25 15:27:54 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Mikelle Duke\Application Data\Mozilla\Firefox\Profiles\3sg6ir93.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/08/21 15:50:38 | 000,000,000 | ---D | M] (Zynga Community Toolbar) -- C:\Documents and Settings\Mikelle Duke\Application Data\Mozilla\Firefox\Profiles\3sg6ir93.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
[2010/11/23 17:14:14 | 000,001,832 | ---- | M] () -- C:\Documents and Settings\Mikelle Duke\Application Data\Mozilla\Firefox\Profiles\3sg6ir93.default\searchplugins\bing.xml
[2010/12/23 22:42:58 | 000,001,742 | ---- | M] () -- C:\Documents and Settings\Mikelle Duke\Application Data\Mozilla\Firefox\Profiles\3sg6ir93.default\searchplugins\search-the-web.xml
[2011/07/22 11:35:56 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/11/15 02:51:21 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010/12/23 13:39:06 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/07/22 11:35:56 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
() (No name found) -- C:\DOCUMENTS AND SETTINGS\MIKELLE DUKE\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\3SG6IR93.DEFAULT\EXTENSIONS\{73A6FE31-595D-460B-A920-FCC0F8843232}.XPI
[2010/11/15 02:51:07 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/09/04 18:31:42 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/05/04 04:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/05/22 11:40:46 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2008/04/13 16:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Facetheme) - {cbc5b60a-aa4d-45f6-84c2-d086f320299a} - C:\Program Files\Object\bho_project.dll (InternetEngine)
O3 - HKU\S-1-5-21-1614895754-725345543-1644491937-1003\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\MyDocumentss\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1614895754-725345543-1644491937-1003..\Run: [DW6] File not found
O4 - HKU\S-1-5-21-1614895754-725345543-1644491937-1003..\Run: [EA Core] File not found
O4 - HKU\S-1-5-21-1614895754-725345543-1644491937-1003..\Run: [ISUSPM] File not found
O4 - HKU\S-1-5-21-1614895754-725345543-1644491937-1003..\Run: [limewire plus+] File not found
O4 - HKU\S-1-5-21-1614895754-725345543-1644491937-1003..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE ()
O4 - Startup: C:\Documents and Settings\Mikelle Duke\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk = File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1614895754-725345543-1644491937-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{33699D10-EACC-4EE2-B38A-CFFDB2257200}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Documents and Settings\Mikelle Duke\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Mikelle Duke\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/11/10 10:04:29 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{45634af6-fab6-11df-afe7-000cf1e01320}\Shell - "" = AutoRun
O33 - MountPoints2\{45634af6-fab6-11df-afe7-000cf1e01320}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{45634af6-fab6-11df-afe7-000cf1e01320}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{9e022dde-ecee-11df-afdb-eb09dcddffb8}\Shell - "" = AutoRun
O33 - MountPoints2\{9e022dde-ecee-11df-afdb-eb09dcddffb8}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9e022dde-ecee-11df-afdb-eb09dcddffb8}\Shell\AutoRun\command - "" = F:\IronKey.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/09/06 15:55:02 | 000,000,000 | ---D | C] -- C:\tdsskiller
[2011/09/05 11:39:46 | 000,000,000 | ---D | C] -- C:\Program Files\msn gaming zone
[2011/09/04 21:16:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\firefox.exe
[2011/09/04 21:16:13 | 000,000,000 | ---D | C] -- C:\Program Files\MyDocumentss
[2011/09/04 21:09:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\explore.exe
[2011/09/04 21:09:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/09/04 18:42:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mikelle Duke\My Documents\NES
[2011/08/29 17:10:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mikelle Duke\My Documents\gegl-0.0
[2011/08/24 03:01:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mikelle Duke\Local Settings\Application Data\PCHealth
[2011/08/21 15:55:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mikelle Duke\My Documents\iPod_Control
[2011/08/11 20:31:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Paros
[2011/08/10 01:10:09 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$hf_mig$
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/09/06 16:03:08 | 000,000,390 | -H-- | M] () -- C:\WINDOWS\tasks\MpIdleTask.job
[2011/09/06 14:19:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/09/06 03:16:29 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/09/06 03:16:23 | 000,000,000 | ---- | M] () -- C:\WINDOWS\1516624071
[2011/09/06 03:16:22 | 000,050,112 | -HS- | M] () -- C:\WINDOWS\System32\c_56341.nl_
[2011/09/06 03:16:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/09/04 21:09:16 | 000,000,686 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\explorer.exe.lnk
[2011/09/04 02:12:00 | 000,000,372 | ---- | M] () -- C:\WINDOWS\tasks\PC Health Advisor.job
[2011/09/04 02:07:01 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/09/02 09:49:05 | 000,022,296 | ---- | M] () -- C:\Documents and Settings\Mikelle Duke\.recently-used.xbel
[2011/09/02 02:12:00 | 000,000,390 | ---- | M] () -- C:\WINDOWS\tasks\PC Health Advisor Defrag.job
[2011/08/29 17:10:12 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\GIMP 2.lnk
[2011/08/14 22:48:33 | 000,016,896 | ---- | M] () -- C:\Documents and Settings\Mikelle Duke\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/08/11 20:31:37 | 000,001,347 | ---- | M] () -- C:\Documents and Settings\Mikelle Duke\Desktop\Paros 3.2.13.lnk
[2011/08/10 20:00:58 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/08/10 03:16:36 | 000,493,950 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/08/10 03:16:36 | 000,084,494 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/08/10 03:11:06 | 052,390,856 | ---- | M] () -- C:\WINDOWS\System32\MRT.exe
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/04 21:09:16 | 000,000,686 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\explorer.exe.lnk
[2011/09/02 09:49:05 | 000,022,296 | ---- | C] () -- C:\Documents and Settings\Mikelle Duke\.recently-used.xbel
[2011/08/29 17:10:12 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\GIMP 2.lnk
[2011/08/11 20:31:37 | 000,001,347 | ---- | C] () -- C:\Documents and Settings\Mikelle Duke\Desktop\Paros 3.2.13.lnk
[2011/08/10 20:04:15 | 001,404,208 | ---- | C] () -- C:\Documents and Settings\Mikelle Duke\My Documents\TDSSKiller.exe
[2011/08/10 20:00:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\1516624071
[2011/07/25 23:17:05 | 000,000,016 | RH-- | C] () -- C:\Documents and Settings\Mikelle Duke\Local Settings\Application Data\40627A08.ini
[2011/07/21 22:27:22 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2011/07/20 12:15:23 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\nvRegDev.dll
[2011/07/20 11:49:20 | 000,667,978 | ---- | C] () -- C:\WINDOWS\unins000.exe
[2011/07/20 11:49:20 | 000,006,481 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2011/07/06 09:44:08 | 000,016,896 | ---- | C] () -- C:\Documents and Settings\Mikelle Duke\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/28 14:39:52 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/03 23:25:13 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Jtigiwoluwaru.dat
[2011/04/03 23:25:13 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Tzazewe.bin
[2010/11/27 23:40:12 | 000,014,012 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/11/17 00:34:35 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/11/10 10:52:19 | 052,390,856 | ---- | C] () -- C:\WINDOWS\System32\MRT.exe
[2010/11/10 10:22:46 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2010/11/10 10:07:16 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/11/10 10:00:57 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/11/09 08:31:29 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/11/09 08:30:14 | 000,104,624 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/04/13 16:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/13 16:00:00 | 000,493,950 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/13 16:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/13 16:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/13 16:00:00 | 000,084,494 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/13 16:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/13 16:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/13 16:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/13 16:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/13 16:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2005/04/14 20:52:33 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/04/14 20:52:33 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat

========== Alternate Data Streams ==========

@Alternate Data Stream - 816 bytes -> C:\WINDOWS\1516624071:942119589.exe

< End of report >


OTL EXTRAS LOG

OTL Extras logfile created on: 9/6/2011 4:00:04 PM - Run 1
OTL by OldTimer - Version 3.2.27.0 Folder = C:\Documents and Settings\Mikelle Duke\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.98 Mb Total Physical Memory | 424.27 Mb Available Physical Memory | 41.80% Memory free
2.39 Gb Paging File | 1.96 Gb Available in Paging File | 81.94% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 114.48 Gb Total Space | 24.28 Gb Free Space | 21.21% Space Free | Partition Type: NTFS

Computer Name: MIKELLE-PC | User Name: Mikelle Duke | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-1614895754-725345543-1644491937-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- C:\Program Files\ParetoLogic\PCHA\noapp.exe %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Documents and Settings\Mikelle Duke\Local Settings\Temp\uninst.exe" = C:\Documents and Settings\Mikelle Duke\Local Settings\Temp\uninst.exe:*:Disabled:MixPad Audio Mixer
"C:\FarmVilleBot_2.1.2\farmvillebot.exe" = C:\FarmVilleBot_2.1.2\farmvillebot.exe:*:Disabled:farmvillebot
"C:\Program Files\FrontierVilleBot\FRVBot.exe" = C:\Program Files\FrontierVilleBot\FRVBot.exe:*:Disabled:FRVBot
"C:\Program Files\Limewire Plus+\limewire.exe" = C:\Program Files\Limewire Plus+\limewire.exe:*:Disabled:LimeWire p2p for windows
"C:\Program Files\Electronic Arts\The Sims 3\Game\Bin\TS3W.exe" = C:\Program Files\Electronic Arts\The Sims 3\Game\Bin\TS3W.exe:*:Disabled:Sims 3
"C:\Program Files\Electronic Arts\The Sims 3\Game\Bin\TS3.exe" = C:\Program Files\Electronic Arts\The Sims 3\Game\Bin\TS3.exe:*:Disabled:Sims 3
"C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Disabled:Skype Extras Manager
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\ParetoLogic\PCHA\PCHA.exe" = C:\Program Files\ParetoLogic\PCHA\PCHA.exe:*:Disabled:ParetoLogic PC Health Advisor
"C:\Documents and Settings\Mikelle Duke\Desktop\Sims2Launcher.exe" = C:\Documents and Settings\Mikelle Duke\Desktop\Sims2Launcher.exe:*:Enabled:The Sims 2 Launcher -- (Electronic Arts)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer -- (Microsoft Corporation)
"C:\Program Files\Microsoft Easy Assist\Console\8.1.6416.0\SupportConsole.exe" = C:\Program Files\Microsoft Easy Assist\Console\8.1.6416.0\SupportConsole.exe:*:Enabled:Microsoft Easy Assist -- (Microsoft Corporation)
"C:\WINDOWS\system32\WgaTray.exe" = C:\WINDOWS\system32\WgaTray.exe:*:Enabled:Windows Genuine Advantage Notifications -- (Microsoft Corporation)
"C:\WINDOWS\system32\dwwin.exe" = C:\WINDOWS\system32\dwwin.exe:*:Enabled:Microsoft Application Error Reporting -- (Microsoft Corporation)
"C:\Program Files\Microsoft Security Client\msseces.exe" = C:\Program Files\Microsoft Security Client\msseces.exe:*:Enabled:Microsoft Security Essentials -- (Microsoft Corporation)
"C:\WINDOWS\system32\javaw.exe" = C:\WINDOWS\system32\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Paros\IEEmbed.exe" = C:\Program Files\Paros\IEEmbed.exe:*:Enabled:JDesktop Integration Components binary
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\WINDOWS\system32\Macromed\Flash\FlashUtil10t_Plugin.exe" = C:\WINDOWS\system32\Macromed\Flash\FlashUtil10t_Plugin.exe:*:Enabled:Adobe® Flash® Player Installer/Uninstaller 10.3 r181
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Electronic Arts\EADM\Core.exe" = C:\Program Files\Electronic Arts\EADM\Core.exe:*:Disabled:EA Download Manager
"C:\Program Files\Malwarebytes\mbam.exe" = C:\Program Files\Malwarebytes\mbam.exe:*:Disabled:Malwarebytes' Anti-Malware -- ()
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" = C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Disabled:Malwarebytes' Anti-Malware
"C:\Program Files\fefeed\mbam.exe" = C:\Program Files\fefeed\mbam.exe:*:Disabled:Malwarebytes' Anti-Malware
"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe:*:Disabled:SUPERAntiSpyware Application -- ()
"C:\Program Files\SUPERAntiSpyware\SSUpdate.exe" = C:\Program Files\SUPERAntiSpyware\SSUpdate.exe:*:Disabled:SUPERAntiSpyware Update Application -- (SUPERAntiSpyware.com)
"C:\Documents and Settings\Mikelle Duke\Local Settings\Temp\SSUPDATE.EXE" = C:\Documents and Settings\Mikelle Duke\Local Settings\Temp\SSUPDATE.EXE:*:Disabled:SUPERAntiSpyware Update Application
"C:\Documents and Settings\Mikelle Duke\My Documents\TDSSKiller.exe" = C:\Documents and Settings\Mikelle Duke\My Documents\TDSSKiller.exe:*:Disabled:TDSS rootkit removing tool -- ()
"C:\Documents and Settings\Mikelle Duke\Desktop\TDSSKiller.exe" = C:\Documents and Settings\Mikelle Duke\Desktop\TDSSKiller.exe:*:Disabled:TDSS rootkit removing tool -- ()
"C:\Program Files\BitTorrent\BitTorrent.exe" = C:\Program Files\BitTorrent\BitTorrent.exe:*:Enabled:BitTorrent
"C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 2 for tdsskiller.zip\TDSSKiller.exe" = C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 2 for tdsskiller.zip\TDSSKiller.exe:*:Enabled:TDSS rootkit removing tool -- (Kaspersky Lab ZAO)
"C:\Program Files\MyDocumentss\mbam.exe" = C:\Program Files\MyDocumentss\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware -- ()
"C:\tdsskiller\TDSSKiller.exe" = C:\tdsskiller\TDSSKiller.exe:*:Enabled:TDSS rootkit removing tool -- (Kaspersky Lab ZAO)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
"{1A2A15C2-6780-49c1-B296-503230E9DE00}" = The Sims™ 2 Mansion and Garden Stuff
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java™ 6 Update 26
"{326957C7-83FD-4550-A59A-849B7B4297DE}" = Microsoft Easy Assist v2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4817189D-1785-4627-A33C-39FD90919300}" = The Sims 2 Pets
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B4E8814-F682-4197-8F4B-E9FFC6F08977}" = System Requirements Lab for Intel
"{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5C648FDB-0138-4619-B66E-230EF53E8E2C}" = The Sims™ 2 Teen Style Stuff
"{61BEA823-ECAF-49F1-8378-A59B3B8AD247}" = Microsoft Default Manager
"{64963F0E-03F2-4B59-8D1B-1806545E7092}" = NVIDIA DDS Utilities
"{6522C636-B04C-4333-9BEB-9E0C0B6350D6}" = The Sims™ 2 Kitchen & Bath Interior Design Stuff
"{6BDD9CE6-D0A6-478A-BAD3-BA6945E89EB0}" = The Sims 2 Family Fun Stuff
"{6E17F9751-F056-4335-B718-8AF1B1092AFB}" = The Sims™ 2 IKEA® Home Stuff
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{779DECD7-E072-4B56-9B6B-BEB5973EEEB5}" = MobileMe Control Panel
"{7B3577F5-1D82-4C9B-008B-69D026FD8BCA}" = The Sims 2 Open For Business
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84DDE556-43EF-43ed-B2DF-37AF9E5DDD75}" = The Sims™ 2 H&M® Fashion Stuff
"{87F6C83D-F949-4d14-B5CB-DC8C75F8932D}" = The Sims™ 2 FreeTime
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{8AB8D458-939E-403F-0097-9BA1C1F013D5}" = The Sims 2
"{8FD3F4BA-A4A6-4380-00A6-CC6853AB2DC2}" = The Sims 2 University
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9CDBC303-3EED-40b0-8E41-A7C65AA96C26}" = The Sims 2 Glamour Life Stuff
"{9E1BAB75-EB78-440D-94C0-A3857BE2E733}" = System Requirements Lab
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AAF4238F-7C29-451D-9925-C753271A5728}" = Microsoft Visual C++ Run Time Lib Setup
"{B1899CD8-9584-4DC5-00AE-48F47CF81183}" = The Sims 2 HomeCrafter Plus
"{B3575D00-27EF-49C2-B9E0-14B3D954E992}" = Apple Application Support
"{B6F5B704-06D3-4687-90F3-6195304AD755}" = The Sims™ 2 Apartment Life
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C23CD6DA-1958-43A5-ADD0-59396572E02E}" = Apple Mobile Device Support
"{C6579A65-9CAE-4B31-8B6B-3306E0630A66}" = Apple Software Update
"{C73CA646-73B3-4AEF-A136-C37505745174}" = iTunes
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D03482C5-9AD8-496D-B388-692AE04C93AF}" = Bonjour
"{DFEF49D9-FC95-4301-99B9-2FB91C6ABA06}" = The Sims 2 Seasons
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{EAA38532-7AD0-4f78-918A-4F4F02096ECE}" = The Sims™ 2 Celebration! Stuff
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F248ADFA-64E0-4b03-8A83-059078BED6A0}" = The Sims™ 2 Bon Voyage
"{F7529650-B9DB-481B-0089-A2AC3C2821C1}" = The Sims 2 Nightlife
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"CEP - Colour Enable Packages_is1" = CEP (Color Enable Package) v.9.2 (beta)
"DAEMON Tools Pro" = DAEMON Tools Pro
"EADM" = EA Download Manager
"facetheme" = Facetheme
"Game Maker 8.0" = Game Maker 8.0
"ie8" = Windows Internet Explorer 8
"ImgBurn" = ImgBurn
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.1.1800
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft Security Client" = Microsoft Security Essentials
"MilkShape 3D 1.8.5" = MilkShape 3D 1.8.5
"Mozilla Firefox 6.0.1 (x86 en-US)" = Mozilla Firefox 6.0.1 (x86 en-US)
"Paros_is1" = Paros 3.2.13
"PROSet" = Intel® PRO Network Adapters and Drivers
"SimPE PhotoStudio Templates_is1" = SimPE PhotoStudio Templates 3.0
"SimPE_is1" = SimPE 0.72 (alpha)
"Sims2Pack Clean Installer" = Sims2Pack Clean Installer
"SystemRequirementsLab" = System Requirements Lab
"WinGimp-2.0_is1" = GIMP 2.6.11
"WinRAR archiver" = WinRAR 4.01 (32-bit)

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1614895754-725345543-1644491937-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"f031ef6ac137efc5" = Dell Driver Download Manager

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/24/2011 6:00:21 AM | Computer Name = MIKELLE-PC | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 2152759308, P2 unspecified, P3 scanfile,
P4 2.1.6805.0, P5 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

Error - 5/27/2011 1:59:56 AM | Computer Name = MIKELLE-PC | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 2152759308, P2 unspecified, P3 scanfile,
P4 2.1.6805.0, P5 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

Error - 5/27/2011 1:40:29 PM | Computer Name = MIKELLE-PC | Source = Application Error | ID = 1000
Description = Faulting application frvbot.exe, version 0.0.0.0, faulting module
flash10l.ocx, version 10.1.102.64, fault address 0x0037f6f1.

Error - 6/27/2011 2:22:29 AM | Computer Name = MIKELLE-PC | Source = MsiInstaller | ID = 1013
Description = Product: Microsoft .NET Framework 2.0 Service Pack 2 -- Microsoft
.NET Framework 2.0 Service Pack 2 cannot be uninstalled because it will affect other
applications that are installed. For more information, see http://go.microsoft.com/fwlink/?LinkId=91126.

Error - 6/28/2011 4:39:28 PM | Computer Name = MIKELLE-PC | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 2152759308, P2 unspecified, P3 scanfile,
P4 2.1.6805.0, P5 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

Error - 6/28/2011 5:06:55 PM | Computer Name = MIKELLE-PC | Source = Application Hang | ID = 1002
Description = Hanging application AutoRun.exe, version 1.4.0.356, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 6/28/2011 5:24:40 PM | Computer Name = MIKELLE-PC | Source = .NET Runtime Optimization Service | ID = 1103
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Tried to start a service that wasn't the latest version of CLR Optimization service.
Will shutdown

Error - 6/28/2011 5:35:24 PM | Computer Name = MIKELLE-PC | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 2152759308, P2 unspecified, P3 scanfile,
P4 2.1.6805.0, P5 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

Error - 6/28/2011 7:20:58 PM | Computer Name = MIKELLE-PC | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0x80070003, P2 moac, P3 cachereset, P4 3.0.8107.0,
P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

Error - 6/28/2011 10:59:14 PM | Computer Name = MIKELLE-PC | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0, P2 moaccapability, P3 3.0.8107.0, P4
0, P5 0, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

[ System Events ]
Error - 9/5/2011 2:39:50 PM | Computer Name = MIKELLE-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Workstation service which
failed to start because of the following error: %%2

Error - 9/5/2011 2:41:16 PM | Computer Name = MIKELLE-PC | Source = DCOM | ID = 10024
Description = The machine wide group policy Access Limits security descriptor is
invalid. The security descriptor is defined as an invalid Security Descriptor Definitions
Language (SDDL) string. The requested action was therefore not performed. Please
contact your administrator to get the security descriptor corrected in the Group
Policy settings.

Error - 9/5/2011 2:41:16 PM | Computer Name = MIKELLE-PC | Source = DCOM | ID = 10024
Description = The machine wide group policy Access Limits security descriptor is
invalid. The security descriptor is defined as an invalid Security Descriptor Definitions
Language (SDDL) string. The requested action was therefore not performed. Please
contact your administrator to get the security descriptor corrected in the Group
Policy settings.

Error - 9/5/2011 2:41:56 PM | Computer Name = MIKELLE-PC | Source = DCOM | ID = 10024
Description = The machine wide group policy Access Limits security descriptor is
invalid. The security descriptor is defined as an invalid Security Descriptor Definitions
Language (SDDL) string. The requested action was therefore not performed. Please
contact your administrator to get the security descriptor corrected in the Group
Policy settings.

Error - 9/6/2011 6:16:26 AM | Computer Name = MIKELLE-PC | Source = Service Control Manager | ID = 7000
Description = The Microsoft Antimalware Service service failed to start due to the
following error: %%5

Error - 9/6/2011 6:17:49 AM | Computer Name = MIKELLE-PC | Source = DCOM | ID = 10024
Description = The machine wide group policy Access Limits security descriptor is
invalid. The security descriptor is defined as an invalid Security Descriptor Definitions
Language (SDDL) string. The requested action was therefore not performed. Please
contact your administrator to get the security descriptor corrected in the Group
Policy settings.

Error - 9/6/2011 6:18:29 AM | Computer Name = MIKELLE-PC | Source = DCOM | ID = 10024
Description = The machine wide group policy Access Limits security descriptor is
invalid. The security descriptor is defined as an invalid Security Descriptor Definitions
Language (SDDL) string. The requested action was therefore not performed. Please
contact your administrator to get the security descriptor corrected in the Group
Policy settings.

Error - 9/6/2011 6:55:19 PM | Computer Name = MIKELLE-PC | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 9/6/2011 6:56:40 PM | Computer Name = MIKELLE-PC | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 9/6/2011 6:56:49 PM | Computer Name = MIKELLE-PC | Source = Service Control Manager | ID = 7034
Description = The MBAMService service terminated unexpectedly. It has done this
1 time(s).


< End of report >




GMER isn't working, it runs for a couple of hours and then just shuts off.

#7 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:09:46 AM

Posted 07 September 2011 - 07:43 AM

Hi,

A rootkit is present; let's try to nuke it and remove all malware remnants.



:step1: Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.

Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.

Posted Image


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
  • Please do not mouse-click ComboFix's window while it's running, because it may cause it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.




Step 2: Please run TDSSKiller once again, the way you ran it before. Thanks.

~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours, please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#8 pandyfackler (Topic Starter)

  • Members
  • 16 posts
  • Gender:Female
  • Location:dark side of the moon

Posted 07 September 2011 - 08:31 PM

ComboFix log:

ComboFix 11-09-07.04 - Mikelle Duke 09/07/2011 18:06:11.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.757 [GMT -7:00]
Running from: c:\documents and settings\Mikelle Duke\My Documents\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Mikelle Duke\Application Data\PriceGong
c:\documents and settings\Mikelle Duke\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Mikelle Duke\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Mikelle Duke\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Mikelle Duke\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Mikelle Duke\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Mikelle Duke\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Mikelle Duke\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Mikelle Duke\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Mikelle Duke\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Mikelle Duke\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Mikelle Duke\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Mikelle Duke\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Mikelle Duke\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Mikelle Duke\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Mikelle Duke\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Mikelle Duke\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Mikelle Duke\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Mikelle Duke\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Mikelle Duke\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Mikelle Duke\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Mikelle Duke\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Mikelle Duke\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Mikelle Duke\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Mikelle Duke\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Mikelle Duke\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Mikelle Duke\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Mikelle Duke\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Mikelle Duke\Application Data\PriceGong\Data\z.xml
c:\program files\Object\bhO_project.dll
c:\windows\$NtUninstallKB23933$
c:\windows\$NtUninstallKB23933$\3352847706\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB23933$\3352847706\click.tlb
c:\windows\$NtUninstallKB23933$\3352847706\L\gcgwoeno
c:\windows\$NtUninstallKB23933$\3352847706\loader.tlb
c:\windows\$NtUninstallKB23933$\3352847706\U\@00000001
c:\windows\$NtUninstallKB23933$\3352847706\U\@000000c0
c:\windows\$NtUninstallKB23933$\3352847706\U\@000000cb
c:\windows\$NtUninstallKB23933$\3352847706\U\@000000cf
c:\windows\$NtUninstallKB23933$\3352847706\U\@80000000
c:\windows\$NtUninstallKB23933$\3352847706\U\@800000c0
c:\windows\$NtUninstallKB23933$\3352847706\U\@800000cb
c:\windows\$NtUninstallKB23933$\3352847706\U\@800000cf
c:\windows\$NtUninstallKB23933$\3921825857
c:\windows\system32\c_56341.nls
c:\windows\system32\mfc100deu.dll
.
Infected copy of c:\windows\system32\Drivers\fips.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
c:\program files\SUPERAntiSpyware\SASCORE.EXE . . . is infected!!
c:\program files\SUPERAntiSpyware\SASCORE.EXE . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . is infected!!
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . was deleted!! You should re-install the program it pertains to
.
Infected copy of c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe was found and disinfected
Restored copy from - c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
.
c:\program files\iPod\bin\iPodService.exe . . . is infected!!
c:\program files\iPod\bin\iPodService.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Java\jre6\bin\jqs.exe . . . is infected!!
c:\program files\Java\jre6\bin\jqs.exe . . . was deleted!! You should re-install the program it pertains to
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_c7d8655a
.
.
((((((((((((((((((((((((( Files Created from 2011-08-08 to 2011-09-08 )))))))))))))))))))))))))))))))
.
.
2011-09-06 22:55 . 2011-09-06 22:55 -------- dc----w- C:\tdsskiller
2011-09-05 04:16 . 2011-09-05 04:16 -------- d-----w- c:\program files\MyDocumentss
2011-09-05 04:09 . 2011-09-05 04:09 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-05 03:42 . 2011-09-05 03:42 -------- dc----w- c:\documents and settings\Administrator\Application Data\DAEMON Tools Pro
2011-08-24 10:01 . 2011-08-24 10:01 -------- d-----w- c:\documents and settings\Mikelle Duke\Local Settings\Application Data\PCHealth
2011-08-10 10:07 . 2011-08-10 10:16 -------- dc----w- c:\documents and settings\Default User
2011-08-10 08:10 . 2011-09-07 10:17 -------- d--h--w- c:\windows\$hf_mig$
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-06 10:16 . 2011-08-01 20:12 50112 --sha-w- c:\windows\system32\c_56341.nl_
2011-09-05 04:18 . 2008-04-13 23:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-08-11 03:00 . 2011-07-05 23:03 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-10 05:22 . 2010-11-09 15:33 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-07-22 05:27 . 2011-07-22 05:27 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2011-07-20 19:14 . 2011-07-20 19:15 151552 ----a-w- c:\windows\system32\nvRegDev.dll
2011-07-20 18:47 . 2011-07-20 18:49 667978 ----a-w- c:\windows\unins000.exe
2011-07-15 13:29 . 2008-04-13 23:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 18:20 . 2011-07-12 18:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 18:20 . 2011-07-12 18:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 18:20 . 2011-07-12 18:20 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 18:20 . 2011-07-12 18:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-11 05:34 . 2011-07-11 05:34 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2011-07-08 14:02 . 2008-04-13 23:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-07 20:26 . 2011-07-18 04:27 17280 ----a-w- c:\windows\system32\roboot.exe
2011-07-07 02:52 . 2011-08-01 22:58 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52 . 2011-08-01 22:58 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10 . 2010-11-10 16:59 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2008-04-13 23:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2008-04-13 23:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2008-04-13 23:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2008-04-13 23:00 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2008-04-13 23:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-09-08 00:35 . 2011-05-22 18:40 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-06 4599680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-20 421736]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"Malwarebytes' Anti-Malware"="c:\program files\MyDocumentss\mbamgui.exe" [2011-07-07 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\Mikelle Duke\Start Menu\Programs\Startup\
RollerCoaster Tycoon 3 Registration.lnk - c:\documents and settings\Mikelle Duke\Local Settings\Temp\{DE89CBE8-5C1D-4237-B480-2458BD8FFCA3}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe [N/A]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-06 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Mikelle Duke\\Desktop\\Sims2Launcher.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Easy Assist\\Console\\8.1.6416.0\\SupportConsole.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Malwarebytes\\mbam.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SSUpdate.exe"=
"c:\\Documents and Settings\\Mikelle Duke\\My Documents\\TDSSKiller.exe"=
"c:\\Documents and Settings\\Mikelle Duke\\Desktop\\TDSSKiller.exe"=
"c:\\Program Files\\MyDocumentss\\mbam.exe"=
"c:\\tdsskiller\\TDSSKiller.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [7/12/2011 2:55 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 2:55 PM 67664]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/1/2011 3:58 PM 22712]
S0 cerc6;cerc6; [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys --> c:\windows\system32\DRIVERS\dtsoftbus01.sys [?]
S1 MpKsl3b4d3763;MpKsl3b4d3763;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E39B2D07-32EE-4169-888B-289508F09B67}\MpKsl3b4d3763.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E39B2D07-32EE-4169-888B-289508F09B67}\MpKsl3b4d3763.sys [?]
S1 MpKslac4ad29d;MpKslac4ad29d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{23A0255F-18DF-4FAE-94F1-ED4EBA403DE7}\MpKslac4ad29d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{23A0255F-18DF-4FAE-94F1-ED4EBA403DE7}\MpKslac4ad29d.sys [?]
S1 MpKslbd7582f4;MpKslbd7582f4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AAB27487-18A0-4D1E-A347-FC22A3E12FC3}\MpKslbd7582f4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AAB27487-18A0-4D1E-A347-FC22A3E12FC3}\MpKslbd7582f4.sys [?]
S2 !SASCORE;SAS Core Service;"c:\program files\SUPERAntiSpyware\SASCORE.EXE" --> c:\program files\SUPERAntiSpyware\SASCORE.EXE [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 MBAMService;MBAMService;c:\program files\MyDocumentss\mbamservice.exe [9/4/2011 9:16 PM 366640]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 12:58 PM 11336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/home.php?ref=hp
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Mikelle Duke\Application Data\Mozilla\Firefox\Profiles\3sg6ir93.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=BABTDF&PC=BBLN&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-limewire plus+ - c:\program files\Limewire Plus+\limewire.exe
HKCU-Run-ISUSPM - c:\documents and settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe
HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
SafeBoot-00593416.sys
SafeBoot-07773152.sys
SafeBoot-16561669.sys
SafeBoot-34933508.sys
SafeBoot-37817985.sys
SafeBoot-57336528.sys
SafeBoot-66201845.sys
AddRemove-Game Maker 8.0 - c:\program files\Game_Maker8\Uninstal.exe
AddRemove-Paros_is1 - c:\program files\Paros\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-07 18:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.mrxsmb]
"ImagePath"="\*"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(660)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2480)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-09-07 18:24:26 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-08 01:24
.
Pre-Run: 26,006,163,456 bytes free
Post-Run: 26,293,280,768 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - CAD0663ECE50F439B89860E8C18B3480


TDSS log:

2011/09/07 18:29:37.0439 2620 TDSS rootkit removing tool 2.5.19.0 Sep 6 2011 19:23:56
2011/09/07 18:29:37.0970 2620 ================================================================================
2011/09/07 18:29:37.0970 2620 SystemInfo:
2011/09/07 18:29:37.0970 2620
2011/09/07 18:29:37.0970 2620 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/07 18:29:37.0970 2620 Product type: Workstation
2011/09/07 18:29:37.0970 2620 ComputerName: MIKELLE-PC
2011/09/07 18:29:37.0970 2620 UserName: Mikelle Duke
2011/09/07 18:29:37.0970 2620 Windows directory: C:\WINDOWS
2011/09/07 18:29:37.0970 2620 System windows directory: C:\WINDOWS
2011/09/07 18:29:37.0970 2620 Processor architecture: Intel x86
2011/09/07 18:29:37.0970 2620 Number of processors: 2
2011/09/07 18:29:37.0970 2620 Page size: 0x1000
2011/09/07 18:29:37.0970 2620 Boot type: Normal boot
2011/09/07 18:29:37.0970 2620 ================================================================================
2011/09/07 18:29:39.0454 2620 Initialize success
2011/09/07 18:29:41.0017 3728 ================================================================================
2011/09/07 18:29:41.0017 3728 Scan started
2011/09/07 18:29:41.0017 3728 Mode: Manual;
2011/09/07 18:29:41.0017 3728 ================================================================================
2011/09/07 18:29:42.0204 3728 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/07 18:29:42.0298 3728 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/09/07 18:29:42.0423 3728 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/09/07 18:29:42.0517 3728 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/09/07 18:29:42.0845 3728 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/09/07 18:29:42.0923 3728 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/07 18:29:43.0017 3728 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/09/07 18:29:43.0095 3728 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/09/07 18:29:43.0173 3728 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/09/07 18:29:43.0267 3728 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/09/07 18:29:43.0361 3728 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/09/07 18:29:43.0408 3728 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/09/07 18:29:43.0470 3728 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/09/07 18:29:43.0751 3728 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys
2011/09/07 18:29:43.0908 3728 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/09/07 18:29:44.0017 3728 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/09/07 18:29:44.0142 3728 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/09/07 18:29:44.0298 3728 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/09/07 18:29:44.0470 3728 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/09/07 18:29:44.0892 3728 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/09/07 18:29:45.0001 3728 E100B (98b46b331404a951cabad8b4877e1276) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/09/07 18:29:45.0095 3728 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/09/07 18:29:45.0189 3728 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/09/07 18:29:45.0267 3728 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/09/07 18:29:45.0345 3728 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/09/07 18:29:45.0423 3728 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/09/07 18:29:45.0501 3728 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/09/07 18:29:45.0579 3728 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/09/07 18:29:45.0658 3728 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/09/07 18:29:45.0751 3728 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/09/07 18:29:45.0861 3728 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/09/07 18:29:45.0986 3728 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/09/07 18:29:46.0111 3728 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/09/07 18:29:46.0251 3728 ialm (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/09/07 18:29:46.0376 3728 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/07 18:29:46.0501 3728 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/09/07 18:29:46.0579 3728 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/09/07 18:29:46.0642 3728 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/09/07 18:29:46.0720 3728 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/09/07 18:29:46.0783 3728 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/09/07 18:29:46.0861 3728 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/09/07 18:29:46.0939 3728 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/07 18:29:47.0001 3728 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/09/07 18:29:47.0079 3728 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/09/07 18:29:47.0173 3728 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/09/07 18:29:47.0267 3728 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/09/07 18:29:47.0376 3728 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/09/07 18:29:47.0486 3728 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/09/07 18:29:47.0579 3728 MBAMProtector (eca00eed9ab95489007b0ef84c7149de) C:\WINDOWS\system32\drivers\mbam.sys
2011/09/07 18:29:47.0642 3728 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/09/07 18:29:47.0704 3728 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/09/07 18:29:47.0783 3728 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/09/07 18:29:47.0876 3728 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/09/07 18:29:47.0970 3728 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/09/07 18:29:48.0204 3728 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/09/07 18:29:48.0298 3728 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/09/07 18:29:48.0408 3728 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/09/07 18:29:48.0501 3728 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/09/07 18:29:48.0579 3728 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/09/07 18:29:48.0626 3728 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/09/07 18:29:48.0704 3728 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/09/07 18:29:48.0767 3728 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/09/07 18:29:48.0876 3728 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/09/07 18:29:48.0954 3728 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/09/07 18:29:49.0017 3728 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/09/07 18:29:49.0095 3728 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/09/07 18:29:49.0189 3728 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/09/07 18:29:49.0267 3728 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/09/07 18:29:49.0361 3728 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/07 18:29:49.0439 3728 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/09/07 18:29:49.0548 3728 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/09/07 18:29:49.0626 3728 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/09/07 18:29:49.0689 3728 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/09/07 18:29:49.0767 3728 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/09/07 18:29:49.0845 3728 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/09/07 18:29:49.0954 3728 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/09/07 18:29:50.0033 3728 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/09/07 18:29:50.0126 3728 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/09/07 18:29:50.0251 3728 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2011/09/07 18:29:50.0345 3728 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/09/07 18:29:50.0595 3728 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/09/07 18:29:50.0673 3728 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/09/07 18:29:50.0767 3728 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/09/07 18:29:50.0970 3728 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/09/07 18:29:51.0033 3728 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/09/07 18:29:51.0142 3728 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/09/07 18:29:51.0251 3728 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/09/07 18:29:51.0329 3728 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/09/07 18:29:51.0423 3728 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/09/07 18:29:51.0501 3728 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/09/07 18:29:51.0564 3728 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/09/07 18:29:51.0626 3728 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/09/07 18:29:51.0720 3728 s616bus (ef4b5a8d53f15cb269469dd4e4bb0109) C:\WINDOWS\system32\DRIVERS\s616bus.sys
2011/09/07 18:29:51.0829 3728 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/09/07 18:29:51.0861 3728 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/09/07 18:29:51.0954 3728 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/09/07 18:29:52.0064 3728 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
2011/09/07 18:29:52.0173 3728 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/09/07 18:29:52.0267 3728 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/09/07 18:29:52.0361 3728 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/09/07 18:29:52.0501 3728 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
2011/09/07 18:29:52.0626 3728 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/09/07 18:29:52.0720 3728 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/09/07 18:29:52.0783 3728 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/09/07 18:29:52.0861 3728 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/09/07 18:29:52.0954 3728 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/09/07 18:29:53.0204 3728 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/09/07 18:29:53.0329 3728 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/07 18:29:53.0454 3728 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/09/07 18:29:53.0486 3728 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/09/07 18:29:53.0579 3728 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/09/07 18:29:53.0736 3728 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/09/07 18:29:53.0845 3728 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/09/07 18:29:53.0892 3728 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/09/07 18:29:53.0954 3728 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/09/07 18:29:54.0001 3728 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/09/07 18:29:54.0017 3728 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/09/07 18:29:54.0079 3728 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/09/07 18:29:54.0173 3728 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/09/07 18:29:54.0236 3728 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/09/07 18:29:54.0283 3728 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/09/07 18:29:54.0345 3728 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/09/07 18:29:54.0439 3728 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/09/07 18:29:54.0486 3728 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/09/07 18:29:54.0579 3728 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/09/07 18:29:54.0673 3728 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/09/07 18:29:54.0814 3728 Boot (0x1200) (9f92b16c5adc8737b9942f62c78f3c8b) \Device\Harddisk0\DR0\Partition0
2011/09/07 18:29:54.0814 3728 ================================================================================
2011/09/07 18:29:54.0814 3728 Scan finished
2011/09/07 18:29:54.0814 3728 ================================================================================
2011/09/07 18:29:54.0829 3704 Detected object count: 0
2011/09/07 18:29:54.0829 3704 Actual detected object count: 0
2011/09/07 18:30:14.0126 3668 Deinitialize success




(Also just wanted to say, even if this virus isn't over i really appreciate all the hard work that goes into this site. It's really amazing!)
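The driver listing pasted above is the TDSSKiller format: a timestamp, a thread id, the service name, an optional size for the MBR and boot-sector entries, the MD5 in parentheses, and the path. The following is an added example written for this thread, not a tool from the page or from Kaspersky: it parses lines of that shape, reads the "Detected object count" line, and flags any driver that loads from somewhere other than the Windows system directories, which is the first thing a responder eyeballs in such a log. The first four sample lines are copied from the listing above; the "examplesvc" line, its all-zero hash and its Temp path are constructed to show what the filter reports.

```python
import re
from collections import Counter

# Constructed sample in the shape of the TDSSKiller listing above. The Secdrv, Tcpip,
# MBR and Boot lines are the page's own; "examplesvc" (zero hash, Temp directory) is a
# made-up entry added only so that the "unusual" bucket is exercised.
SAMPLE_LOG = r"""
2011/09/07 18:29:51.0954 3728 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/09/07 18:29:53.0329 3728 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/07 18:29:54.0500 3728 examplesvc (00000000000000000000000000000000) C:\Documents and Settings\user\Local Settings\Temp\examplesvc.sys
2011/09/07 18:29:54.0673 3728 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/09/07 18:29:54.0814 3728 Boot (0x1200) (9f92b16c5adc8737b9942f62c78f3c8b) \Device\Harddisk0\DR0\Partition0
2011/09/07 18:29:54.0814 3728 Scan finished
2011/09/07 18:29:54.0829 3704 Detected object count: 0
"""

# One scanned object per line: timestamp, thread id, name, optional "(0x...)" size,
# 32-hex-digit MD5 in parentheses, then the path (which may contain spaces).
OBJECT_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<pid>\d+)\s+"
    r"(?P<name>\S+)(?: \((?P<size>0x[0-9A-Fa-f]+)\))? \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$"
)


def parse_tdss_log(text):
    """Return one dict per scanned object; status lines without a hash are skipped."""
    entries = []
    for line in text.splitlines():
        m = OBJECT_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def detected_count(text):
    """The scanner's own verdict line, or None if the log was cut off before it."""
    m = re.search(r"Detected object count: (\d+)", text)
    return int(m.group(1)) if m else None


def classify_path(path):
    """Bucket a path: raw disk objects, the normal driver directories, or anything else."""
    p = path.lower()
    if p.startswith("\\device\\"):
        return "boot-sector"
    if p.startswith("c:\\windows\\system32\\drivers\\") or p.startswith("c:\\windows\\system32\\"):
        return "system-dir"
    return "unusual"


def summarize(entries):
    """Counts per bucket plus the names of drivers loading from unexpected locations."""
    counts = Counter(classify_path(e["path"]) for e in entries)
    unusual = [e["name"] for e in entries if classify_path(e["path"]) == "unusual"]
    return {"counts": dict(counts), "unusual": unusual}


if __name__ == "__main__":
    parsed = parse_tdss_log(SAMPLE_LOG)
    print("objects parsed:", len(parsed), "scanner verdict:", detected_count(SAMPLE_LOG))
    for e in parsed:
        print(f"{classify_path(e['path']):12} {e['name']:12} {e['md5']} {e['path']}")
    print(summarize(parsed))
```

A clean "Detected object count: 0" only means the scanner's signatures matched nothing; the path check is the cheap second opinion, and any driver it lists as "unusual" is the one whose hash you would look up next.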

#9 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:09:46 AM

Posted 08 September 2011 - 07:05 AM

Hi,

That's a good start, the rootkit was taken care of. Let's search for possible remnants and remove them.


Step 1: Please go to http://virscan.org/
  • Navigate the following file path into the "Suspicious files to scan" box on the top of the page:

    c:\windows\system32\roboot.exe

  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


Step 2: Please run Malwarebytes Anti-Malware. Go to the Update tab and download all updates, then perform a full scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators)


#10 pandyfackler

pandyfackler
  • Topic Starter

  • Members
  • 16 posts
  • Gender:Female
  • Location:dark side of the moon
  • Local time:08:46 PM

Posted 08 September 2011 - 10:13 PM

When I try to use virscan I get this message after clicking the upload button:

Error: returned status code 403 Forbidden

MBAM report:


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7680

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/8/2011 8:12:56 PM
mbam-log-2011-09-08 (20-12-56).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 268739
Time elapsed: 2 hour(s), 39 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir (Backdoor.0Access) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b0a71a21-6a07-41fc-9fb6-87e986f073a9}\RP1\A0000012.ini (Backdoor.0Access) -> Quarantined and deleted successfully.
c:\windows\assembly\gac_msil\ (Backdoor.0Access) -> Delete on reboot.
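Three hits with the same detection name are not three equal problems: one sits in a ComboFix quarantine folder (c:\Qoobox), one in a System Restore snapshot (System Volume Information\_restore...), and only the third is a live location that MBAM could not remove until reboot. The following added example (mine, not Malwarebytes' code) parses a report of the shape above, checks the summary counts against the listed items, and separates hits by where they were found so the live one stands out. The sample report is a constructed excerpt whose three detection lines are copied from the report above.

```python
import re

# Constructed excerpt of the MBAM 1.51 report above; the three detection lines are
# the page's own, the header lines are trimmed to what the parser needs.
SAMPLE_REPORT = r"""
Malwarebytes' Anti-Malware 1.51.1.1800
Database version: 7680

Files Infected: 3

Registry Keys Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir (Backdoor.0Access) -> Quarantined and deleted successfully.
c:\system volume information\_restore{b0a71a21-6a07-41fc-9fb6-87e986f073a9}\RP1\A0000012.ini (Backdoor.0Access) -> Quarantined and deleted successfully.
c:\windows\assembly\gac_msil\ (Backdoor.0Access) -> Delete on reboot.
"""

SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")   # "Files Infected: 3"
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")                   # "Files Infected:"
HIT_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def origin(path):
    """Where the object was found: a tool's quarantine, a restore point, or a live path."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "combofix-quarantine"   # ComboFix stores quarantined files under c:\Qoobox
    if "\\system volume information\\_restore" in p:
        return "restore-point"         # System Restore snapshot, not an active file
    return "live"


def parse_mbam_report(text):
    """Return (summary counts by section, list of hit dicts with section/origin/path/name/action)."""
    hits, counts, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            counts[m["section"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m["section"]
            continue
        if line.startswith("(No malicious items detected)"):
            continue
        m = HIT_RE.match(line)
        if m and section:
            hits.append({"section": section, "origin": origin(m["path"]), **m.groupdict()})
    return counts, hits


def live_hits(hits):
    """Only the detections at active locations; quarantine and restore-point copies are remnants."""
    return [h for h in hits if h["origin"] == "live"]


def consistency_ok(counts, hits):
    """True when every summary count matches the number of items listed under that section."""
    seen = {}
    for h in hits:
        seen[h["section"]] = seen.get(h["section"], 0) + 1
    return all(seen.get(sec, 0) == n for sec, n in counts.items())


if __name__ == "__main__":
    counts, hits = parse_mbam_report(SAMPLE_REPORT)
    print("summary:", counts, "consistent:", consistency_ok(counts, hits))
    for h in hits:
        print(f"{h['origin']:20} {h['name']:18} {h['action']:40} {h['path']}")
    print("needs attention:", [h["path"] for h in live_hits(hits)])
```

The "live" filter is why the reply that follows quotes only the gac_msil line: the other two are copies already removed from a quarantine and from an old restore point, while a pending "Delete on reboot" in a live system directory is the signal that the machine still had the backdoor's files when it was scanned.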

#11 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:09:46 AM

Posted 09 September 2011 - 09:11 AM

Hi,

c:\windows\assembly\gac_msil\ (Backdoor.0Access) -> Delete on reboot.


One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterward. Let me know what you decide to do.

~Semp



#12 pandyfackler

pandyfackler
  • Topic Starter

  • Members
  • 16 posts
  • Gender:Female
  • Location:dark side of the moon
  • Local time:08:46 PM

Posted 09 September 2011 - 11:21 AM

I would definitely like to reformat and reinstall the OS.
I read both of those links as well and saw that it is possible to back up some of your files. If that's true, could you please include that information in the instructions?
Thank you.

#13 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:09:46 AM

Posted 09 September 2011 - 11:46 AM

Good choice. :)

Do not back up any programs/applications/installers like .exe, .scr, .htm, .html, .xml, .zip/.rar files...
The reason for this is because these files may be infected also. If you replace them after the reinstallation of the OS, it will surely re-infect you again.

~Semp

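The rule in the reply above (leave executables, scripts, web pages, XML and archives behind and carry over only documents and media) is easy to get wrong by hand when a folder mixes both, and a file such as "holiday.jpg.exe" looks like a picture in a default Explorer view. The following added example, written for this thread and not taken from the page or any backup tool, encodes that extension list as a filter and walks a constructed user-profile tree into a keep list and a skip list. The folder names and files in build_demo_tree are made up for the demonstration.

```python
import os
import tempfile
from pathlib import Path, PurePath

# Extensions the advice above says not to carry over to the reinstalled system.
EXCLUDED_EXTENSIONS = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"}


def is_safe_to_backup(path):
    """True unless the file's last extension is on the excluded list (case-insensitive)."""
    return PurePath(path).suffix.lower() not in EXCLUDED_EXTENSIONS


def collect_backup_set(root):
    """Walk root and split every file into (keep, skip), as sorted paths relative to root."""
    keep, skip = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            (keep if is_safe_to_backup(fn) else skip).append(rel)
    return sorted(keep), sorted(skip)


def build_demo_tree():
    """Constructed sample profile layout in a temp directory; returns its root path."""
    root = tempfile.mkdtemp(prefix="backup-demo-")
    files = [
        "My Documents/thesis.doc",
        "My Documents/budget.xls",
        "My Pictures/holiday.jpg",
        "My Pictures/holiday.jpg.exe",   # double extension: the last one decides
        "Downloads/setup.EXE",            # upper-case extension is still excluded
        "Downloads/archive.zip",
        "Favorites/bookmarks.html",
        "Desktop/notes.txt",
    ]
    for rel in files:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    keep, skip = collect_backup_set(root)
    print("copy to backup media:")
    for rel in keep:
        print("  ", rel)
    print("leave behind:")
    for rel in skip:
        print("  ", rel)
```

The filter keys on the last extension only, which is the one Windows uses to decide what runs; a file that hides an executable behind a document-looking name therefore lands on the skip list rather than on the backup media.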


#14 pandyfackler

pandyfackler
  • Topic Starter

  • Members
  • 16 posts
  • Gender:Female
  • Location:dark side of the moon
  • Local time:08:46 PM

Posted 09 September 2011 - 06:46 PM

Okay.

I'm ready!

...but I need some direction so I don't go screwing my computer up :)

#15 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:09:46 AM

Posted 11 September 2011 - 06:25 AM

Hi,

Sorry about the delay.

Here is a good tutorial about reformatting and reinstalling the OS. http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm

~Semp





