Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Redirect virus


  • This topic is locked This topic is locked
18 replies to this topic

#1 Rouein

Rouein

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:01 PM

Posted 10 August 2011 - 11:09 AM

Hi,
I have this infection through “Repair system” malware. I was able to remove “repair system” malware. However this search redirect virus is still hanging. I tried to use TDSSkiller program to detect & remove it. But unable to run the program. I tried different tricks like: renaming the program or load it from another computer and paste it to infected computer but none of them worked.
Since I got the infection, beside redirect problem, I have other issues like:
1. No web sound (sound is fine from CD/DVD drives)
2. Blue page screen with different fault reports : 0x00000050 or 0x0000007B
3. Some programs which need to be connected to internet doesn’t run and I receive fault message “ a debugger has been found running in your system, please unload it from your memory and restart your program)
4. Bell internet security is my primary security system which its updating is disabled by the virus.
I ran Hijackthis program and below you will see full report. I didn’t run Combofix removal software yet.
Waiting for your instruction and thanks in advance for your help.
Rouein

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:02:54 AM, on 8/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Bell Internet Security Services\Fws.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bell\Bell Internet Security Services\rps.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DriverUpdate\DriverUpdate.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Bell\Bell Internet Security Services\RpsSecurityAwareR.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Bell\Internet Service Advisor\ServicepointService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Personal Vault\VaultClientSRV.exe
C:\Program Files\Personal Vault\VaultClientUpgrade.exe
C:\Program Files\Bell\Internet Service Advisor\BISAComHandler.exe
C:\Program Files\Bell\Internet Service Advisor\BISA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\Bin\AVGIDSMonitor.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.msn.com/?lang=en-ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/?lang=en-ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: Bing Bar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\6.3.2380.0\npwinext.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: @C:\Program Files\MSN Toolbar\Platform\6.3.2380.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\6.3.2380.0\npwinext.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Date Convertor] C:\Program Files\ZPC\reminder.exe
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Bell\Bell Internet Security Services\IdxClnR.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [DriverUpdate] "C:\Program Files\DriverUpdate\DriverUpdate.exe" -boot
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Bell\Bell Internet Security Services\IdxClnR.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://beowulf.schulich.yorku.ca/dwa7W.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://akamaicdn.webex.com/client/WBXclient-T27L10NSP24-10113/webex/ieatgpc.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/m3/photouploadcontrol/MSNPUpld.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Acronis Nonstop Backup service (afcdpsrv) - Acronis - C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
O23 - Service: Bell Internet Security Services (Radialpoint Security Services) - Bell - C:\Program Files\Bell\Bell Internet Security Services\RpsSecurityAwareR.exe
O23 - Service: RadialpointIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Bell Internet Security Services Firewall (RP_FWS) - Bell - C:\Program Files\Bell\Bell Internet Security Services\Fws.exe
O23 - Service: ServicepointService - Radialpoint Inc. - C:\Program Files\Bell\Internet Service Advisor\ServicepointService.exe
O23 - Service: Personal Vault Backup Service (VaultClientSRV) - Bell Canada - C:\Program Files\Personal Vault\VaultClientSRV.exe
O23 - Service: Personal Vault Upgrade Service (VaultClientUpgrade) - Bell Canada - C:\Program Files\Personal Vault\VaultClientUpgrade.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 13529 bytes

BC AdBot (Login to Remove)

 


#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:04:01 PM

Posted 12 August 2011 - 02:05 PM

Hi,

Welcome to Bleeping Computer.

My name is Shannon and I will be working with you to remove the malware that is on your machine.

I apologize for the delay in replying to your post, but this forum is extremely busy.

Please Track this topic - On the top right on this tread, click on the Watch Topic button, click on 'Immediate Email Notification', and then click on the Proceed button at the bottom.

Do Not make any changes on your own to the infected computer.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Now, let's look more thoroughly at the infected computer -

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a log from the GMER anti-rootkit scanner, but, first, we need to disable your CD Emulation drivers.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Next, please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can downlaod, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

Once you have the above logs, click on the Add Reply button below, copy in the contents of the DDS & RKU logs, and include the Attach.txt as an attachment. Also include any comments that you might have concerning the infection(s) and the infected computer.
Shannon

#3 Rouein

Rouein
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:01 PM

Posted 13 August 2011 - 08:06 PM

Hi Shannon,
Thanks in advance for your support. I followed all instructions and all programs went without problem. I am posting and attaching required reports. The only issue which is happening more and more is blue screen at start up. I am now getting it even at Windows safe mode. The Blue screen technical information is:
STOP: 0x0000007B (0xB84CB528, 0xC0000034, 0x00000000, 0x00000000)

Regards
Rouein

DDS report
.
DDS (Ver_2011-06-23.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by Rouein joon at 16:52:41 on 2011-08-13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1600 [GMT -4:00]
.
AV: Bell Internet Security Services Anti-Virus *Enabled/Updated* {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Bell Internet Security Services Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Bell\Bell Internet Security Services\RpsSecurityAwareR.exe
C:\Program Files\Bell\Internet Service Advisor\ServicepointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.3.2380.0\npwinext.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: @c:\program files\msn toolbar\platform\6.3.2380.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.3.2380.0\npwinext.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DriverUpdate] "c:\program files\driverupdate\DriverUpdate.exe" -boot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Date Convertor] c:\program files\zpc\reminder.exe
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoLogoff = 01000000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxp://beowulf.schulich.yorku.ca/dwa7W.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP24-10113/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/m3/photouploadcontrol/MSNPUpld.cab
TCP: DhcpNameServer = 207.164.234.193 207.164.234.129
TCP: Interfaces\{4341495C-689B-4945-A62F-9021CDE095E6} : DhcpNameServer = 207.164.234.193 207.164.234.129
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 tdrpman251;Acronis Try&Decide and Restore Points filter (build 251);c:\windows\system32\drivers\tdrpm251.sys [2011-1-13 902432]
R2 Radialpoint Security Services;Bell Internet Security Services;c:\program files\bell\bell internet security services\RpsSecurityAwareR.exe [2010-1-18 165408]
R2 ServicepointService;ServicepointService;c:\program files\bell\internet service advisor\ServicepointService.exe [2011-2-24 689464]
S0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\avgidseh.sys --> c:\windows\system32\drivers\AVGIDSEH.sys [?]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
S1 MpKsl08a70b1e;MpKsl08a70b1e;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0d16d79e-76a1-4def-8ee1-2e9ea1abb743}\MpKsl08a70b1e.sys [2011-8-10 28752]
S1 MpKsl3d9aaa2d;MpKsl3d9aaa2d;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0d16d79e-76a1-4def-8ee1-2e9ea1abb743}\MpKsl3d9aaa2d.sys [2011-8-10 28752]
S1 MpKsl8356eada;MpKsl8356eada;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0d16d79e-76a1-4def-8ee1-2e9ea1abb743}\MpKsl8356eada.sys [2011-8-10 28752]
S1 MpKsld0c00340;MpKsld0c00340;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0d16d79e-76a1-4def-8ee1-2e9ea1abb743}\MpKsld0c00340.sys [2011-8-12 28752]
S2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2011-1-13 2326920]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-11-18 54752]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]
S2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\bell\bell internet security services\avg\identity protection\agent\bin\AVGIDSAgent.exe [2011-3-20 5832712]
S2 VaultClientSRV;Personal Vault Backup Service;c:\program files\personal vault\VaultClientSRV.exe [2008-3-7 1051728]
S2 VaultClientUpgrade;Personal Vault Upgrade Service;c:\program files\personal vault\VaultClientUpgrade.exe [2008-3-7 56400]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [2006-5-8 347648]
S3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2011-1-13 159168]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-4-30 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]
S3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\bell\bell internet security services\avg\identity protection\agent\drivers\AVGIDSDriver.sys [2011-3-20 122376]
S3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\bell\bell internet security services\avg\identity protection\agent\drivers\AVGIDSfilter.sys [2011-3-20 30216]
S3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\bell\bell internet security services\avg\identity protection\agent\drivers\AVGIDSShim.sys [2011-3-20 25736]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2011-3-20 12984]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2006-3-3 223128]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-08-12 23:58:16 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0d16d79e-76a1-4def-8ee1-2e9ea1abb743}\MpKsld0c00340.sys
2011-08-10 15:57:36 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0d16d79e-76a1-4def-8ee1-2e9ea1abb743}\MpKsl8356eada.sys
2011-08-10 15:47:11 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0d16d79e-76a1-4def-8ee1-2e9ea1abb743}\MpKsl3d9aaa2d.sys
2011-08-10 15:29:53 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0d16d79e-76a1-4def-8ee1-2e9ea1abb743}\MpKsl08a70b1e.sys
2011-08-09 18:54:55 6881616 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0d16d79e-76a1-4def-8ee1-2e9ea1abb743}\mpengine.dll
2011-08-07 15:01:01 388096 ----a-r- c:\documents and settings\rouein joon\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-08-07 15:01:01 -------- d-----w- c:\program files\Trend Micro
2011-08-05 22:09:15 -------- d-----w- c:\program files\CCleaner
2011-08-05 18:59:14 21064 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-08-05 18:58:25 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro
2011-08-05 17:51:49 -------- d-----w- c:\program files\MetaTrader 4- Alpari UK
2011-08-05 02:11:59 988032 ----a-w- c:\windows\system32\drivers\HSF_DPV.sys
2011-08-05 02:11:58 731136 ----a-w- c:\windows\system32\drivers\HSF_CNXT.sys
2011-08-05 02:11:58 212992 ----a-w- c:\windows\system32\UCI32M19.dll
2011-08-05 02:11:58 209536 ----a-w- c:\windows\system32\drivers\HSFHWAZL.sys
2011-08-04 18:41:52 6881616 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-08-04 14:26:40 -------- d-----w- c:\documents and settings\rouein joon\application data\Malwarebytes
2011-08-04 14:26:29 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-08-04 14:01:21 -------- d-----w- c:\program files\Moozy
2011-08-04 10:55:31 -------- d-----w- c:\documents and settings\rouein joon\local settings\application data\PCHealth
2011-08-03 18:16:35 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-08-03 18:11:56 -------- d-----w- c:\program files\Microsoft Security Client
2011-07-23 12:55:39 -------- d-----w- C:\KErfani
.
==================== Find3M ====================
.
2011-08-10 15:48:04 12984 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
2011-08-04 18:27:47 96384 ----a-w- c:\windows\system32\drivers\sptd7181.sys
2011-06-22 10:30:38 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK1032GSX rev.AS022D -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe >>UNKNOWN [0x8A8C3C78]<<
_asm { MOV EAX, 0x8a8c3b98; XCHG [ESP], EAX; PUSH EAX; PUSH 0x8a90f684; RET ; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8A7E5AB8]
\Driver\Disk[0x8A841A08] -> IRP_MJ_CREATE -> 0x8A8C3C78
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x100; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSW ; JMP FAR 0x0:0x62c; }
detected disk devices:
detected hooks:
\Driver\Disk -> 0x8a8c3c78
\Driver\atapi -> 0x8a883ed1
user & kernel MBR OK
Warning: possible MBR rootkit infection !
.
============= FINISH: 16:59:57.81 ===============

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xB65B9000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 6254592 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 179.68 )
0xBD012000 C:\WINDOWS\System32\nv4_disp.dll 6070272 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 179.68 )
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2069376 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2069376 bytes
0x804D7000 RAW 2069376 bytes
0x804D7000 WMIxWDM 2069376 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xAFA7E000 C:\WINDOWS\system32\drivers\sthda.sys 1179648 bytes (IDT, Inc., IDT PC Audio)
0xAF934000 C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys 991232 bytes (Conexant Systems, Inc., HSF_DP driver)
0xB7C5A000 tdrpm251.sys 897024 bytes (Acronis, Acronis Try&Decide Volume Filter Driver)
0xAF881000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 733184 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xA6E85000 C:\WINDOWS\System32\Drivers\0656f412.sys 577536 bytes
0xB7DEC000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB7D35000 timntr.sys 565248 bytes (Acronis, Acronis Backup Archive Explorer)
0xA9449000 C:\WINDOWS\System32\Drivers\wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
0xA94E0000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB6515000 C:\WINDOWS\system32\DRIVERS\bcmwl5.sys 425984 bytes (Broadcom Corporation, Broadcom 802.11 Network Adapter wireless driver)
0xB1C33000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA95C5000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA7892000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xB3F98000 C:\WINDOWS\system32\DRIVERS\rixdptsk.sys 335872 bytes (REDC, RICOH XD SM Driver)
0xBD5DC000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB7EBA000 bdfsfltr.sys 282624 bytes (BitDefender S.R.L. Bucharest, ROMANIA, BitDefender AntiVirus FS filter driver)
0xA6E1C000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xAFA26000 C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys 212992 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0xB3F69000 C:\WINDOWS\system32\DRIVERS\SynTP.sys 192512 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0xB7F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA79DA000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB7DBF000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA9550000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xA7E56000 C:\Program Files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys 163840 bytes (AVG Technologies , IDS Application Activity Monitor Driver.)
0xB657D000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA959D000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xAE803000 C:\WINDOWS\system32\DRIVERS\MpFilter.sys 159744 bytes (Microsoft Corporation, Microsoft antimalware file system filter driver)
0xA77A4000 C:\WINDOWS\system32\DRIVERS\afcdp.sys 155648 bytes (Acronis, File Level CDP Kernel Helper)
0xA94BA000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB7C35000 snapman.sys 151552 bytes (Acronis, Acronis Snapshot API)
0xA6F12000 C:\WINDOWS\System32\Drivers\d40bf8b1.sys 147456 bytes
0xA7D92000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xAFA5A000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB64F1000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB3F46000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA957B000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806D1000 ACPI_HAL 131840 bytes
0x806D1000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB7F11000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB7F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB7BF6000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xA90A1000 C:\WINDOWS\system32\dla\tfsnudf.sys 102400 bytes (Sonic Solutions, Drive Letter Access Component)
0xA9088000 C:\WINDOWS\system32\dla\tfsnudfa.sys 102400 bytes (Sonic Solutions, Drive Letter Access Component)
0xB7F31000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xA9431000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB7E8E000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB3F07000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA90BA000 C:\WINDOWS\system32\dla\tfsnifs.sys 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xB7E79000 DefragFS.sys 86016 bytes (Raxco Software, Inc., Defragmentation Support Driver)
0xB7EA5000 drvmcdb.sys 86016 bytes (Sonic Solutions, Device Driver)
0xA7C8D000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB3FEA000 C:\WINDOWS\system32\DRIVERS\rimsptsk.sys 81920 bytes (REDC, RICOH MS Driver)
0xB65A5000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA961E000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xB7C22000 sfvfs02.sys 77824 bytes (Protection Technology, StarForce Protection VFS Driver)
0xBD000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB7C10000 sfdrv01.sys 73728 bytes (Protection Technology, StarForce Protection Environment Driver)
0xB7EFF000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB7F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB3E56000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xB3FFE000 C:\WINDOWS\system32\DRIVERS\rimmptsk.sys 69632 bytes (REDC, RICOH SD/MMC Driver)
0xB71AB000 C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys 65536 bytes (Broadcom Corporation, Broadcom Corporation NDIS 5.1 ethernet driver)
0xA971D000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xB8278000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xB8138000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xB8108000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xA979D000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xB21FD000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xB81C8000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xABD97000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xB3404000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xB8118000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xB27DB000 C:\WINDOWS\system32\DRIVERS\rp_pkt32.sys 57344 bytes (Radialpoint, Inc., Radialpoint Filter)
0xA977D000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
0xB80F8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xB81A8000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xB81D8000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xB80D8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xB4E79000 C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys 49152 bytes (Microsoft Corporation, Family Safety Filter Driver (TDI))
0xB8208000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xB4EC9000 C:\WINDOWS\system32\DRIVERS\rp_skt32.sys 49152 bytes (Radialpoint Inc., Radialpoint Filter)
0xA976D000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xB81F8000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xB80B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xB81B8000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xABDA7000 C:\Program Files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSFilter.sys 40960 bytes (AVG Technologies , IDS Application Activity Monitor Filter Driver.)
0xB81E8000 C:\WINDOWS\system32\drivers\drvnddm.sys 40960 bytes (Sonic Solutions, Device Driver Manager)
0xB80A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xB3454000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xB27EB000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xB3EC7000 C:\Program Files\Bell\Bell Internet Security Services\BitDefender\trufos.sys 40960 bytes (BitDefender S.R.L., Trufos Kernel Module)
0xA7952000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xB80E8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xA9E5B000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xB71BB000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xB720B000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xA9E4B000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA978D000 C:\WINDOWS\system32\DRIVERS\point32.sys 36864 bytes (Microsoft Corporation, Point32k.sys)
0xB80C8000 sfsync02.sys 36864 bytes (Protection Technology, StarForce Protection Synchronization Driver)
0xB3EE7000 C:\WINDOWS\system32\dla\tfsncofs.sys 36864 bytes (Sonic Solutions, Drive Letter Access Component)
0xA97AD000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xB3C23000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xAAA08000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xB8340000 sfhlp02.sys 32768 bytes (Protection Technology, StarForce Protection Helper Driver)
0xB8410000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xAAA30000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xB8328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xB8348000 risdptsk.sys 28672 bytes (REDC, RICOH SD/MMC Driver)
0xB83A8000 C:\WINDOWS\system32\dla\tfsnboio.sys 28672 bytes (Sonic Solutions, Drive Letter Access Component)
0xAC5AC000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xB83D0000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xB8370000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xB83C0000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xA9F07000 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0D16D79E-76A1-4DEF-8EE1-2E9EA1ABB743}\MpKsl08a70b1e.sys 24576 bytes (Microsoft Corporation, KSLDriver)
0xA9F1F000 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0D16D79E-76A1-4DEF-8EE1-2E9EA1ABB743}\MpKsl3d9aaa2d.sys 24576 bytes (Microsoft Corporation, KSLDriver)
0xABF55000 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0D16D79E-76A1-4DEF-8EE1-2E9EA1ABB743}\MpKsl6d180f0e.sys 24576 bytes (Microsoft Corporation, KSLDriver)
0xAAA20000 C:\WINDOWS\system32\drivers\ssrtln.sys 24576 bytes (Sonic Solutions, Shared Driver Component)
0xB8408000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xAAA18000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xB486F000 C:\Program Files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys 20480 bytes (AVG Technologies , IDS Application Activity Monitor Loader Driver.)
0xAAA10000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xB485F000 C:\WINDOWS\system32\DRIVERS\omci.sys 20480 bytes (Dell Inc, OMCI Device Driver)
0xB8330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xB8470000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xB8338000 PxHelp20.sys 20480 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xB8478000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xB8360000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xAAA48000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xA99E5000 C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS 16384 bytes (Dell Inc, App Support Driver)
0xB84C0000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xB7AE1000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xA7770000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface x86 Driver)
0xB3F42000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA9070000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xA7564000 C:\Program Files\Bell\Bell Internet Security Services\BitDefender\profos.sys 16384 bytes (BitDefender S.R.L., Profos Kernel Module)
0xACEBD000 C:\WINDOWS\system32\dla\tfsnopio.sys 16384 bytes (Sonic Solutions, Drive Letter Access Component)
0xB84B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB84BC000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xA96A1000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xAA972000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xB7B25000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xA99E9000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB7B0D000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xAA96A000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xAA966000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xB85A8000 00000027 8192 bytes
0xABE0D000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xAB576000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xABE0F000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xB85A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xABE0B000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xABE09000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xB863C000 C:\WINDOWS\system32\drivers\sscdbhk5.sys 8192 bytes (Sonic Solutions, Shared Driver Component)
0xB85B8000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xA9A2B000 C:\WINDOWS\system32\dla\tfsnpool.sys 8192 bytes (Sonic Solutions, Drive Letter Access Component)
0xB863A000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xB85AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xB872D000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xABF67000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xA965A000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xB8670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xA97F2000 C:\WINDOWS\system32\dla\tfsndrct.sys 4096 bytes (Sonic Solutions, Drive Letter Access Component)
0xA97F3000 C:\WINDOWS\system32\dla\tfsndres.sys 4096 bytes (Sonic Solutions, Drive Letter Access Component)
!!!!!!!!!!!Hidden driver: 0x8A8EF260 00000152 0 bytes
==============================================
>Stealth
==============================================
0x8A8A8F70 Unknown page with executable code, 144 bytes
0x8A8AB65C Unknown page with executable code, 2468 bytes
0x8A8AD54A Unknown page with executable code, 2742 bytes
0x8A8AB06E Unknown thread object [ ETHREAD 0x8A8E1020 ] TID: 240, 600 bytes
0x8A8ABB7F Unknown thread object [ ETHREAD 0x8A8E1B30 ] TID: 248, 600 bytes
0x8A8ACA57 Unknown thread object [ ETHREAD 0x8A8E18B8 ] TID: 252, 600 bytes
0x8A8AAD65 Unknown page with executable code, 667 bytes
0x8A8AAC86 Unknown page with executable code, 890 bytes

Attached Files



#4 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:04:01 PM

Posted 14 August 2011 - 03:29 PM

Hi-

Thanks for the logs. It does look like you have a rootkit infection. We need to check into it more and get into a position to delete it.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • If the AV Scan window appears, select (none).
  • Click Scan (if asked to update the Avast anti-virus definitions, click on No).
  • When you get the "Scan finished successfully" message, click the save log button, save it to your desktop (MBR.txt) and post it in your next reply.
  • It will also copy the MBR (Master Boot Record) into a file on your desktop as MBR.dat. Leave it on your desktop.

Copy the aswMBR report(MBR.txt) into your reply.
Shannon

#5 Rouein

Rouein
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:01 PM

Posted 14 August 2011 - 06:03 PM

Hi Shannon,
Below you will find MBR.txt

aswMBR version 0.9.8.978 Copyright© 2011 AVAST Software
Run date: 2011-08-14 18:37:24
-----------------------------
18:37:24.671 OS Version: Windows 5.1.2600 Service Pack 3
18:37:24.671 Number of processors: 1 586 0xE08
18:37:24.671 ComputerName: ROUEIN UserName:
18:37:55.796 Initialze error C000010E - driver not loaded
18:37:57.186 write error "aswCmnB.dll". The process cannot access the file because it is being used by another process.
18:38:03.624 Service scanning
18:38:08.483 Service MpKsl4f7cbc20 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E1F08D6B-517B-4315-9296-FCEAB421B987}\MpKsl4f7cbc20.sys **LOCKED** 32
18:38:10.467 Modules scanning
18:38:10.483 Disk 0 trace - called modules:
18:38:10.483
18:38:10.483 Scan finished successfully
18:39:53.733 The log file has been saved successfully to "E:\Bleeping Forum\aswMBR.txt"


aswMBR version 0.9.8.978 Copyright© 2011 AVAST Software
Run date: 2011-08-14 18:40:31
-----------------------------
18:40:31.858 OS Version: Windows 5.1.2600 Service Pack 3
18:40:31.858 Number of processors: 1 586 0xE08
18:40:31.858 ComputerName: ROUEIN UserName:
18:40:35.717 Initialize success
18:40:44.046 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:40:44.046 Disk 0 Vendor: TOSHIBA_MK1032GSX AS022D Size: 93958MB BusType: 3
18:40:46.077 Disk 0 MBR read successfully
18:40:46.077 Disk 0 MBR scan
18:40:46.077 Disk 0 TDL4@MBR code has been found
18:40:46.077 Disk 0 MBR hidden
18:40:46.077 Disk 0 MBR [TDL4] **ROOTKIT**
18:40:46.077 Disk 0 trace - called modules:
18:40:46.077 ntkrnlpa.exe CLASSPNP.SYS disk.sys sfsync02.sys hal.dll >>UNKNOWN [0x8a8deed1]<<
18:40:46.077 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a89cab8]
18:40:46.092 3 CLASSPNP.SYS[b80f8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a8bd940]
18:40:46.092 \Driver\atapi[0x8a9433f8] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> sfsync02.sys[0xb80c98b4]
18:40:46.092 Scan finished successfully
18:41:26.921 Disk 0 MBR has been saved successfully to "E:\Bleeping Forum\MBR.dat"
18:41:38.014 The log file has been saved successfully to "E:\Bleeping Forum\aswMBR.txt"


Thanks
Rouein

#6 Rouein

Rouein
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:01 PM

Posted 14 August 2011 - 06:44 PM

Hi,
Please consider the second aswMBR report the first one is not complete.
After aswMBR program finished. My Windows security essential found following infection and removed it.
Trojan: DOS/Alureon.C
file:C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{FCF957D9-7915-4014-B261-1C9FB473B3D8}-MBR.dat

Situation has improved however redirecting happend few times.

Regards
Rouein

#7 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:04:01 PM

Posted 14 August 2011 - 07:34 PM

Hi-

Ok. Let's try to get rid of the main infection

Re-Run aswMBR

  • In the AV Scan window, select (none).
  • Click Scan (if asked to update the Avast anti-virus definitions, click on No.)
  • When you get the "Scan finished successfully" message, click the FIX or the FixMBR button, whichever is lit.
  • There is a slight pause after clicking either the 'Fix' or 'FixMBR' button.
  • Wait for the tool to report 'Infection fixed successfully', now reboot the machine.
  • Rebooting the machine prematurely, before seeing above message will result in an incomplete fix.

    Note:After the 'Infection fixed successfully' message appears, the machine may became unresponsive. You may have to do a hard boot of your machine. That may be a side effect from the fix. All will be well after the reboot.
  • Save the log as before and post in your next reply.

Download Combofix from either of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: how-to-use-combofix

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable your Anti-virusl


Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please copy the "C:\ComboFix.txt" into your reply.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


In your reply, please copy in the aswMBR report and the ComboFix report. How is the computer running now?
Shannon

#8 Rouein

Rouein
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:01 PM

Posted 14 August 2011 - 09:40 PM

Thanks Shannon.
aswMBR removed the infection. Unfortunately I missed to save the log.
I ran Combofix without problem and below you will find the report.
I think computer is now running OK. I used the search engines several times and so far so good.

Thank you so much for your great help and support.

Regards
Rouein

ComboFix 11-08-05.03 - Rouein joon 08/14/2011 21:59:21.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1304 [GMT -4:00]
Running from: c:\documents and settings\Rouein joon\Desktop\ComboFix.exe
AV: Bell Internet Security Services Anti-Virus *Disabled/Updated* {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Bell Internet Security Services Firewall *Disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Rouein joon\Start Menu\Programs\System Repair
c:\program files\INSTALL.LOG
c:\windows\system32\system
.
.
((((((((((((((((((((((((( Files Created from 2011-07-15 to 2011-08-15 )))))))))))))))))))))))))))))))
.
.
2011-08-15 01:46 . 2011-08-15 01:46 -------- d-----w- c:\windows\LastGood
2011-08-15 01:44 . 2011-08-15 01:44 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2830F876-5F9A-4416-98FA-E7387D7E2753}\MpKsl7f1fe50c.sys
2011-08-14 22:43 . 2011-07-13 00:39 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2830F876-5F9A-4416-98FA-E7387D7E2753}\mpengine.dll
2011-08-13 21:38 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-13 21:37 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-09 02:31 . 2011-08-09 02:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-08-07 15:01 . 2011-08-07 15:01 388096 ----a-r- c:\documents and settings\Rouein joon\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-08-07 15:01 . 2011-08-07 15:01 -------- d-----w- c:\program files\Trend Micro
2011-08-05 22:09 . 2011-08-05 22:09 -------- d-----w- c:\program files\CCleaner
2011-08-05 18:59 . 2011-08-05 18:59 21064 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-08-05 18:58 . 2011-08-05 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-08-05 17:51 . 2011-08-15 01:47 -------- d-----w- c:\program files\MetaTrader 4- Alpari UK
2011-08-05 02:11 . 2000-01-01 00:00 988032 ----a-w- c:\windows\system32\drivers\HSF_DPV.sys
2011-08-05 02:11 . 2000-01-01 00:00 731136 ----a-w- c:\windows\system32\drivers\HSF_CNXT.sys
2011-08-05 02:11 . 2000-01-01 00:00 212992 ----a-w- c:\windows\system32\UCI32M19.dll
2011-08-05 02:11 . 2000-01-01 00:00 209536 ----a-w- c:\windows\system32\drivers\HSFHWAZL.sys
2011-08-04 18:41 . 2011-07-13 00:39 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-08-04 14:26 . 2011-08-04 14:26 -------- d-----w- c:\documents and settings\Rouein joon\Application Data\Malwarebytes
2011-08-04 14:26 . 2011-08-04 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-04 14:01 . 2011-08-04 14:12 -------- d-----w- c:\program files\Moozy
2011-08-04 10:55 . 2011-08-04 10:55 -------- d-----w- c:\documents and settings\Rouein joon\Local Settings\Application Data\PCHealth
2011-08-03 18:16 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-08-03 18:11 . 2011-08-03 18:13 -------- d-----w- c:\program files\Microsoft Security Client
2011-07-23 12:55 . 2011-08-01 21:46 -------- d-----w- C:\KErfani
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-15 01:45 . 2011-03-20 17:15 12984 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
2011-08-04 18:27 . 2006-03-03 20:31 96384 ----a-w- c:\windows\system32\drivers\sptd7181.sys
2011-07-15 13:29 . 2006-02-22 19:17 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-10 18:51 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2004-08-10 19:01 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2004-08-10 18:51 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2004-08-10 18:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2004-08-10 18:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-10 18:51 385024 ----a-w- c:\windows\system32\html.iec
2011-06-22 10:30 . 2011-06-08 10:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-20 17:44 . 2004-08-10 18:51 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2004-08-10 18:51 1858944 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VaultIcon1]
@="{B976888E-DC7B-456C-A62F-44EA07ED231F}"
[HKEY_CLASSES_ROOT\CLSID\{B976888E-DC7B-456C-A62F-44EA07ED231F}]
2010-01-17 23:08 503808 ----a-w- c:\program files\Personal Vault\VaultClientMenu.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-10-20 2836376]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-06 68856]
"DriverUpdate"="c:\program files\DriverUpdate\DriverUpdate.exe" [2011-04-01 24000352]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2000-01-01 13594624]
"nwiz"="nwiz.exe" [2000-01-01 1657376]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-12-06 839680]
"Date Convertor"="c:\program files\ZPC\reminder.exe" [2006-01-21 61440]
"NVHotkey"="nvHotkey.dll" [2000-01-01 90112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2000-01-01 86016]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-02-10 745472]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-09-12 5048488]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2000-01-01 1797008]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 01000000
"NoLogoff"= 01000000
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_TRAY
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link RangeBooster G WUA-2340
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowLOMControl]
 [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2009-09-12 21:31 357384 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 16:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BISA.exe]
2011-01-06 20:56 4318520 ----a-w- c:\program files\Bell\Internet Service Advisor\BISA.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2005-11-12 08:42 1347584 ----a-w- c:\windows\system32\WLTRAY.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2007-10-30 19:05 77824 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverUpdate]
2011-04-01 12:44 24000352 ----a-w- c:\program files\DriverUpdate\DriverUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 02:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EverioService]
2008-04-03 15:45 151552 ------w- c:\program files\CyberLink\PCM4Everio\EverioService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2009-05-01 00:51 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 16:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 16:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-24 06:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2010-05-10 19:12 439568 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 20:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 15:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2000-01-01 00:00 405504 ----a-w- c:\program files\Sigmatel\C-Major Audio\WDM\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-11-06 01:33 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\FEAR\\FEAR.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bell\\Internet Service Advisor\\ServicepointService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 tdrpman251;Acronis Try&Decide and Restore Points filter (build 251);c:\windows\system32\drivers\tdrpm251.sys [1/13/2011 4:00 PM 902432]
R1 MpKsl7f1fe50c;MpKsl7f1fe50c;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2830F876-5F9A-4416-98FA-E7387D7E2753}\MpKsl7f1fe50c.sys [8/14/2011 9:44 PM 28752]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [1/13/2011 4:00 PM 2326920]
R2 Radialpoint Security Services;Bell Internet Security Services;c:\program files\Bell\Bell Internet Security Services\RpsSecurityAwareR.exe [1/18/2010 4:11 PM 165408]
R2 ServicepointService;ServicepointService;c:\program files\Bell\Internet Service Advisor\ServicepointService.exe [2/24/2011 11:26 AM 689464]
R2 VaultClientSRV;Personal Vault Backup Service;c:\program files\Personal Vault\VaultClientSRV.exe [3/7/2008 1:32 PM 1051728]
R2 VaultClientUpgrade;Personal Vault Upgrade Service;c:\program files\Personal Vault\VaultClientUpgrade.exe [3/7/2008 1:33 PM 56400]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [1/13/2011 4:00 PM 159168]
R3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys [3/20/2011 1:27 PM 122376]
R3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSfilter.sys [3/20/2011 1:27 PM 30216]
R3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys [3/20/2011 1:27 PM 25736]
S0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys --> c:\windows\system32\drivers\AVGIDSEH.sys [?]
S1 MpKsl8356eada;MpKsl8356eada;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0D16D79E-76A1-4DEF-8EE1-2E9EA1ABB743}\MpKsl8356eada.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0D16D79E-76A1-4DEF-8EE1-2E9EA1ABB743}\MpKsl8356eada.sys [?]
S1 MpKsld0c00340;MpKsld0c00340;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0D16D79E-76A1-4DEF-8EE1-2E9EA1ABB743}\MpKsld0c00340.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0D16D79E-76A1-4DEF-8EE1-2E9EA1ABB743}\MpKsld0c00340.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 6:09 PM 135664]
S2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\bin\AVGIDSAgent.exe [3/20/2011 1:27 PM 5832712]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [5/8/2006 8:10 PM 347648]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [4/30/2009 8:51 PM 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 6:09 PM 135664]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [3/20/2011 1:15 PM 12984]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [3/3/2006 4:33 PM 223128]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/3/2006 4:31 PM 642560]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 982DAC41
*NewlyCreated* - D6A60564
*NewlyCreated* - MPKSL7F1FE50C
*Deregistered* - 982dac41
*Deregistered* - d6a60564
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan sysagent
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2011-07-29 c:\windows\Tasks\DriverUpdate Scan.job
- c:\program files\DriverUpdate\DriverUpdate.exe [2011-04-01 12:44]
.
2011-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 22:09]
.
2011-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 22:09]
.
2011-08-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
.
2011-08-15 c:\windows\Tasks\User_Feed_Synchronization-{F4D62BC4-E93C-443E-88E8-6E7935EADD94}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
TCP: DhcpNameServer = 207.164.234.193 207.164.234.129
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Malwarebytes' Anti-Malware - c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-14 22:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1452)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\NTMARTA.DLL
.
Completion time: 2011-08-14 22:04:56
ComboFix-quarantined-files.txt 2011-08-15 02:04
.
Pre-Run: 43,467,784,192 bytes free
Post-Run: 43,937,067,008 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 5A3F4C019E9DD383544C7158F15AA146

#9 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:04:01 PM

Posted 15 August 2011 - 07:28 AM

Hi-

Glad to hear that things are better.

I noticed from the logs that you have two anti-virus softwares packages active - Bell Internet Security Services Anti-Virus & Microsoft Security Essentials. You should not have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as products fight for access to files which are being opened since they need to be checked for viruses. In general terms, the programs may conflict and cause:
False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
System Performance Problems: Your system may lock up due to multiple products attempting to access the same file at the same time.
Please go to add/remove programs in the control panel and remove all anti-virus programs but one.

Next, please run Malwarebytes' Anti-Malware (MBAM)
  • Click on the Update tab and click the Check for Updates button.
  • When the update is finished, click on the Scanner tab.
  • Select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Next, we need to create an OTL Report
  • Please download OTL from here:
  • Main Mirror
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList"
  • Push the Posted Image button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

In your reply, please copy in the MBAM report and the two OTL reports.
Shannon

#10 Rouein

Rouein
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:01 PM

Posted 15 August 2011 - 09:46 AM

Hi Shannon,
I disabled the Microsoft Security essential and will only use Bell security. Is this OK? Or you still suggest to remove it.
I ran MBAM program and no infection was found below you will find the 3 reports.

Thanks and appreciate your continued support.

Regards
Rouein

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7469

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/15/2011 10:08:16 AM
mbam-log-2011-08-15 (10-08-16).txt

Scan type: Full scan (C:\|)
Objects scanned: 263309
Time elapsed: 1 hour(s), 17 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


OTL logfile created on: 8/15/2011 10:15:51 AM - Run 1
OTL by OldTimer - Version 3.2.26.4 Folder = C:\Documents and Settings\Rouein joon\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 0.80 Gb Available Physical Memory | 40.12% Memory free
3.35 Gb Paging File | 2.25 Gb Available in Paging File | 67.37% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 88.70 Gb Total Space | 41.12 Gb Free Space | 46.36% Space Free | Partition Type: NTFS
Drive E: | 976.13 Mb Total Space | 752.25 Mb Free Space | 77.06% Space Free | Partition Type: FAT

Computer Name: ROUEIN | User Name: Rouein joon | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/08/15 10:12:14 | 000,579,584 | ---- | M] () -- C:\Documents and Settings\Rouein joon\Desktop\OTL.exe
PRC - [2011/07/08 07:55:36 | 001,047,656 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2011/06/15 15:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2011/04/01 08:44:48 | 024,000,352 | ---- | M] (SlimWare Utilities, Inc.) -- C:\Program Files\DriverUpdate\DriverUpdate.exe
PRC - [2011/01/13 16:00:49 | 002,326,920 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
PRC - [2011/01/06 16:56:50 | 000,689,464 | ---- | M] (Radialpoint Inc.) -- C:\Program Files\Bell\Internet Service Advisor\ServicepointService.exe
PRC - [2011/01/06 16:56:46 | 004,318,520 | ---- | M] (Bell) -- C:\Program Files\Bell\Internet Service Advisor\BISA.exe
PRC - [2011/01/06 16:56:46 | 000,488,760 | ---- | M] (Radialpoint Inc.) -- C:\Program Files\Bell\Internet Service Advisor\BISAComHandler.exe
PRC - [2010/01/18 16:11:16 | 000,165,408 | ---- | M] (Bell) -- C:\Program Files\Bell\Bell Internet Security Services\RpsSecurityAwareR.exe
PRC - [2010/01/18 16:11:12 | 000,377,576 | ---- | M] (Bell) -- C:\Program Files\Bell\Bell Internet Security Services\RPS.exe
PRC - [2010/01/18 16:10:12 | 000,371,920 | ---- | M] (Bell) -- C:\Program Files\Bell\Bell Internet Security Services\Fws.exe
PRC - [2010/01/17 19:08:58 | 000,056,400 | ---- | M] (Bell Canada) -- C:\Program Files\Personal Vault\VaultClientUpgrade.exe
PRC - [2010/01/17 19:08:54 | 001,051,728 | ---- | M] (Bell Canada) -- C:\Program Files\Personal Vault\VaultClientSRV.exe
PRC - [2009/11/02 15:26:48 | 000,592,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\bin\AVGIDSMonitor.exe
PRC - [2009/10/19 21:52:34 | 002,836,376 | ---- | M] (PC Tools) -- C:\Program Files\Registry Mechanic\RegMech.exe
PRC - [2009/09/12 17:31:30 | 000,660,520 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2009/09/12 17:30:48 | 005,048,488 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
PRC - [2008/01/31 14:01:38 | 000,159,744 | R--- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe
PRC - [2006/01/21 12:31:11 | 000,061,440 | ---- | M] (HOME) -- C:\Program Files\ZPC\reminder.exe
PRC - [2005/12/06 12:45:14 | 000,839,680 | ---- | M] (Dell Inc) -- C:\Program Files\Dell\QuickSet\quickset.exe


========== Modules (No Company Name) ==========

MOD - [2011/08/15 10:12:14 | 000,579,584 | ---- | M] () -- C:\Documents and Settings\Rouein joon\Desktop\OTL.exe
MOD - [2011/05/26 18:04:53 | 000,056,224 | ---- | M] () -- \\?\C:\Program Files\Bell\Bell Internet Security Services\BitDefender\BDCoreEngines\BDCoreSet2\avxdisk.dll
MOD - [2011/01/06 16:47:38 | 000,158,208 | ---- | M] () -- C:\Program Files\Bell\Internet Service Advisor\Windows7Features.dll
MOD - [2010/01/17 18:58:42 | 000,147,456 | ---- | M] () -- C:\Program Files\Personal Vault\libexpat.dll
MOD - [2009/11/06 11:53:08 | 000,202,752 | ---- | M] () -- C:\Program Files\Bell\Bell Internet Security Services\BitDefender\smartscn.dll
MOD - [2009/11/02 15:26:48 | 000,077,824 | ---- | M] () -- C:\Program Files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\bin\boost_log-vc71-mt-1_32.dll
MOD - [2009/11/02 15:26:48 | 000,057,344 | ---- | M] () -- C:\Program Files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\bin\boost_thread-vc71-mt-1_32.dll
MOD - [2009/10/23 13:25:54 | 000,225,280 | ---- | M] () -- C:\Program Files\Bell\Bell Internet Security Services\BitDefender\bdfltlib.dll
MOD - [2005/12/06 12:45:34 | 000,073,728 | ---- | M] () -- C:\Program Files\Dell\QuickSet\dadkeyb.dll
MOD - [2005/11/12 04:42:14 | 000,086,016 | ---- | M] () -- C:\WINDOWS\system32\preflib.dll
MOD - [2005/11/12 04:42:00 | 000,757,760 | ---- | M] () -- C:\WINDOWS\system32\bcm1xsup.dll
MOD - [2005/10/13 14:53:36 | 000,090,223 | ---- | M] () -- C:\Program Files\Dell\QuickSet\preflibcl.dll
MOD - [2005/10/07 16:05:32 | 000,125,440 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [1999/12/31 20:00:00 | 000,466,944 | ---- | M] () -- C:\WINDOWS\system32\nvshell.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (wuauserv)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2011/03/20 15:48:04 | 000,315,392 | ---- | M] (S.C. BitDefender S.R.L) [On_Demand | Stopped] -- C:\Program Files\Bell\Bell Internet Security Services\BitDefender\scan.dll -- (scan)
SRV - [2011/01/13 16:00:49 | 002,326,920 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe -- (afcdpsrv)
SRV - [2011/01/06 16:56:50 | 000,689,464 | ---- | M] (Radialpoint Inc.) [Auto | Running] -- C:\Program Files\Bell\Internet Service Advisor\ServicepointService.exe -- (ServicepointService)
SRV - [2010/01/18 16:11:16 | 000,165,408 | ---- | M] (Bell) [Auto | Running] -- C:\Program Files\Bell\Bell Internet Security Services\RpsSecurityAwareR.exe -- (Radialpoint Security Services)
SRV - [2010/01/18 16:10:12 | 000,371,920 | ---- | M] (Bell) [Auto | Running] -- C:\Program Files\Bell\Bell Internet Security Services\Fws.exe -- (RP_FWS)
SRV - [2010/01/17 19:08:58 | 000,056,400 | ---- | M] (Bell Canada) [Auto | Running] -- C:\Program Files\Personal Vault\VaultClientUpgrade.exe -- (VaultClientUpgrade)
SRV - [2010/01/17 19:08:54 | 001,051,728 | ---- | M] (Bell Canada) [Auto | Running] -- C:\Program Files\Personal Vault\VaultClientSRV.exe -- (VaultClientSRV)
SRV - [2009/11/02 15:26:48 | 005,832,712 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe -- (RadialpointIDSAgent)
SRV - [2009/09/12 17:31:30 | 000,660,520 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2009/06/08 12:07:50 | 001,033,480 | ---- | M] (Raxco Software, Inc.) [On_Demand | Stopped] -- C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe -- (PDEngine)
SRV - [2009/06/08 12:07:48 | 000,931,080 | ---- | M] (Raxco Software, Inc.) [On_Demand | Stopped] -- C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe -- (PDAgent)


========== Driver Services (SafeList) ==========

DRV - [2011/08/15 07:07:02 | 000,012,984 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SWDUMon.sys -- (SWDUMon)
DRV - [2011/08/15 07:06:18 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{354233C5-9462-4348-9FDA-ECA358AF1E4F}\MpKsl725edf00.sys -- (MpKsl725edf00)
DRV - [2011/03/20 13:26:46 | 000,053,192 | ---- | M] (Radialpoint Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rp_skt32.sys -- (RPSKT) Security Services Driver (x86)
DRV - [2011/01/13 16:00:54 | 000,159,168 | ---- | M] (Acronis) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afcdp.sys -- (afcdp)
DRV - [2011/01/13 16:00:40 | 000,902,432 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\tdrpm251.sys -- (tdrpman251) Acronis Try&Decide and Restore Points filter (build 251)
DRV - [2011/01/13 16:00:36 | 000,570,016 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2011/01/13 15:59:50 | 000,157,248 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2010/01/19 11:06:44 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2010/01/19 11:06:38 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2009/11/26 09:50:32 | 000,039,808 | ---- | M] (BitDefender S.R.L.) [Kernel | On_Demand | Running] -- C:\Program Files\Bell\Bell Internet Security Services\BitDefender\trufos.sys -- (Trufos)
DRV - [2009/11/26 09:50:32 | 000,014,720 | ---- | M] (BitDefender S.R.L.) [Kernel | On_Demand | Running] -- C:\Program Files\Bell\Bell Internet Security Services\BitDefender\profos.sys -- (Profos)
DRV - [2009/11/02 15:27:02 | 000,122,376 | ---- | M] (AVG Technologies ) [Kernel | On_Demand | Running] -- C:\Program Files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys -- (RadialpointIDSDriver)
DRV - [2009/11/02 15:27:02 | 000,030,216 | ---- | M] (AVG Technologies ) [Kernel | On_Demand | Running] -- C:\Program Files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSfilter.sys -- (RadialpointIDSFilter)
DRV - [2009/11/02 15:27:02 | 000,025,736 | ---- | M] (AVG Technologies ) [Kernel | On_Demand | Running] -- C:\Program Files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys -- (RadialpointIDSShim)
DRV - [2009/10/23 13:25:54 | 000,285,704 | ---- | M] (BitDefender S.R.L. Bucharest, ROMANIA) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\bdfsfltr.sys -- (bdfsfltr)
DRV - [2009/08/05 23:48:42 | 000,054,752 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2009/06/25 17:58:10 | 000,048,128 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2009/06/25 17:25:58 | 000,038,400 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2009/06/25 17:10:48 | 000,044,544 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2009/06/08 10:00:56 | 000,071,696 | ---- | M] (Raxco Software, Inc.) [File_System | Boot | Running] -- C:\WINDOWS\System32\drivers\DefragFs.sys -- (DefragFS)
DRV - [2006/11/21 05:25:44 | 000,045,568 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2006/05/08 20:10:44 | 000,347,648 | ---- | M] (D-Link Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\A5AGU.sys -- (A5AGU)
DRV - [2006/03/03 16:33:46 | 000,223,128 | ---- | M] (Alcohol Soft Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\vaxscsi.sys -- (vaxscsi)
DRV - [2006/03/03 16:31:33 | 000,642,560 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2006/02/06 21:19:54 | 008,410,880 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\snpstd3.sys -- (SNPSTD3) USB PC Camera (SNPSTD3)
DRV - [2005/11/03 10:40:07 | 000,063,488 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfvfs02.sys -- (sfvfs02) StarForce Protection VFS Driver (version 2.x)
DRV - [2005/11/02 21:24:42 | 000,424,320 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2005/08/12 18:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2005/08/10 10:06:28 | 000,019,968 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfsync02.sys -- (sfsync02) StarForce Protection Synchronization Driver (version 2.x)
DRV - [2005/08/10 08:44:04 | 000,050,688 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfdrv01.sys -- (sfdrv01) StarForce Protection Environment Driver (version 1.x)
DRV - [2005/07/14 13:14:34 | 000,027,904 | ---- | M] (REDC) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\risdptsk.sys -- (risdptsk)
DRV - [2005/06/20 22:27:02 | 000,390,912 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\snpstd.sys -- (snpstd)
DRV - [2005/05/16 09:20:39 | 000,006,656 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfhlp02.sys -- (sfhlp02) StarForce Protection Helper Driver (version 2.x)
DRV - [2004/07/27 22:08:58 | 000,136,576 | R--- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pfc027.sys -- (SoC PC-Camera Service)
DRV - [2004/02/13 18:46:00 | 000,017,153 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (omci)
DRV - [1999/12/31 20:00:00 | 001,229,949 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [1999/12/31 20:00:00 | 000,988,032 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [1999/12/31 20:00:00 | 000,731,136 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [1999/12/31 20:00:00 | 000,209,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr8/*http://www.yahoo.com/ext/search/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3882638093-4198672817-1851768424-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.bing.com/ [binary data]
IE - HKU\S-1-5-21-3882638093-4198672817-1851768424-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-3882638093-4198672817-1851768424-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-3882638093-4198672817-1851768424-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-3882638093-4198672817-1851768424-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/?lang=en-ca
IE - HKU\S-1-5-21-3882638093-4198672817-1851768424-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-3882638093-4198672817-1851768424-1006\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-3882638093-4198672817-1851768424-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3882638093-4198672817-1851768424-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Alcatel-Lucent)
FF - HKLM\Software\MozillaPlugins\@radialpoint.com/SPA,version=1: C:\Program Files\Bell\Internet Service Advisor\nprpspa.dll (Bell)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1: File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2011/02/21 16:30:56 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}: C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DMExtension\ [2011/02/21 16:31:38 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2011/08/14 22:01:58 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found.
O3 - HKU\S-1-5-21-3882638093-4198672817-1851768424-1006\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-21-3882638093-4198672817-1851768424-1006\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-3882638093-4198672817-1851768424-1006\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S-1-5-21-3882638093-4198672817-1851768424-1006\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [Date Convertor] C:\Program Files\ZPC\reminder.exe (HOME)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] C:\WINDOWS\System32\nvhotkey.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKU\S-1-5-21-3882638093-4198672817-1851768424-1006..\Run: [DriverUpdate] C:\Program Files\DriverUpdate\DriverUpdate.exe (SlimWare Utilities, Inc.)
O4 - HKU\S-1-5-21-3882638093-4198672817-1851768424-1006..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe (PC Tools)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3882638093-4198672817-1851768424-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3882638093-4198672817-1851768424-1006\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-3882638093-4198672817-1851768424-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3882638093-4198672817-1851768424-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 01 00 00 00 [binary data]
O7 - HKU\S-1-5-21-3882638093-4198672817-1851768424-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogoff = 01 00 00 00 [binary data]
O7 - HKU\S-1-5-21-3882638093-4198672817-1851768424-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3882638093-4198672817-1851768424-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll (Google Inc.)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (Reg Error: Key error.)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab (Reg Error: Key error.)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} http://beowulf.schulich.yorku.ca/dwa7W.cab (Domino Web Access 7 Control)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://akamaicdn.webex.com/client/WBXclient-T27L10NSP24-10113/webex/ieatgpc.cab (GpcContainer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail.com/mail/w4/m3/photouploadcontrol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 207.164.234.193 207.164.234.129
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O24 - Desktop WallPaper: C:\Documents and Settings\Rouein joon\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Rouein joon\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 15:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (PDBoot.exe) - C:\WINDOWS\System32\PDBoot.exe (Raxco Software, Inc.)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/08/15 08:48:57 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/08/15 08:48:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/08/15 08:48:53 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/08/15 08:48:53 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/08/15 08:42:55 | 009,545,312 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Rouein joon\Desktop\mbam-setup.exe
[2011/08/15 07:07:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2011/08/14 22:19:27 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/08/14 21:57:17 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/08/14 21:54:35 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/08/14 21:54:35 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/08/14 21:54:35 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/08/14 21:54:35 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/08/14 21:53:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/08/14 21:53:52 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/08/14 21:52:03 | 004,164,813 | R--- | C] (Swearware) -- C:\Documents and Settings\Rouein joon\Desktop\ComboFix.exe
[2011/08/14 18:36:24 | 001,915,904 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Rouein joon\Desktop\aswMBR.exe
[2011/08/13 17:38:05 | 000,139,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rdpwd.sys
[2011/08/13 17:37:11 | 000,010,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndistapi.sys
[2011/08/08 22:31:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2011/08/07 11:01:01 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/08/07 11:01:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rouein joon\Start Menu\Programs\HiJackThis
[2011/08/05 18:14:52 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Rouein joon\Recent
[2011/08/05 18:09:15 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2011/08/05 14:58:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2011/08/05 13:52:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\MetaTrader 4- Alpari UK
[2011/08/05 13:51:49 | 000,000,000 | ---D | C] -- C:\Program Files\MetaTrader 4- Alpari UK
[2011/08/04 22:11:59 | 000,988,032 | ---- | C] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\drivers\HSF_DPV.sys
[2011/08/04 22:11:58 | 000,731,136 | ---- | C] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\drivers\HSF_CNXT.sys
[2011/08/04 22:11:58 | 000,212,992 | ---- | C] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\UCI32M19.dll
[2011/08/04 22:11:58 | 000,209,536 | ---- | C] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\drivers\HSFHWAZL.sys
[2011/08/04 10:26:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rouein joon\Application Data\Malwarebytes
[2011/08/04 10:26:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/08/04 10:01:21 | 000,000,000 | ---D | C] -- C:\Program Files\Moozy
[2011/08/04 09:26:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2011/08/04 06:55:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rouein joon\Local Settings\Application Data\PCHealth
[2011/08/03 14:16:35 | 000,222,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2011/08/03 14:11:56 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2011/07/23 08:55:39 | 000,000,000 | ---D | C] -- C:\KErfani
[2010/03/01 10:00:44 | 000,061,440 | ---- | C] ( ) -- C:\WINDOWS\System32\csnpstd.dll
[2010/03/01 10:00:44 | 000,036,864 | ---- | C] ( ) -- C:\WINDOWS\System32\vsnpstd.dll
[2010/03/01 10:00:43 | 000,098,304 | ---- | C] ( ) -- C:\WINDOWS\System32\rsnpstd.dll
[2009/02/21 22:42:39 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Rouein joon\Application Data\pcouffin.sys
[2005/12/23 11:07:16 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\vsnpstd3.dll
[2005/12/23 11:07:15 | 000,147,456 | ---- | C] ( ) -- C:\WINDOWS\System32\rsnpstd3.dll
[2005/12/23 11:07:15 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\csnpstd3.dll
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[34 C:\Documents and Settings\Rouein joon\Desktop\*.tmp files -> C:\Documents and Settings\Rouein joon\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/08/15 10:19:00 | 000,000,434 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{F4D62BC4-E93C-443E-88E8-6E7935EADD94}.job
[2011/08/15 10:12:14 | 000,579,584 | ---- | M] () -- C:\Documents and Settings\Rouein joon\Desktop\OTL.exe
[2011/08/15 10:12:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/08/15 08:48:58 | 000,000,791 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/08/15 08:42:52 | 000,032,441 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2011/08/15 07:11:18 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/08/15 07:07:02 | 000,012,984 | ---- | M] () -- C:\WINDOWS\System32\drivers\SWDUMon.sys
[2011/08/15 07:06:46 | 000,192,964 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/08/15 07:06:15 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/08/15 07:06:07 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/08/15 07:06:04 | 2145,845,248 | -HS- | M] () -- C:\hiberfil.sys
[2011/08/14 22:54:46 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Rouein joon\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003.lnk
[2011/08/14 22:01:58 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/08/14 21:57:23 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/08/14 18:32:36 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/08/14 17:07:28 | 001,915,904 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Rouein joon\Desktop\aswMBR.exe
[2011/08/13 18:04:02 | 000,486,812 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/08/13 18:04:02 | 000,082,006 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/08/13 18:00:28 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/08/13 17:14:59 | 000,000,020 | ---- | M] () -- C:\Documents and Settings\Rouein joon\defogger_reenable
[2011/08/12 20:19:35 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/08/09 11:55:02 | 000,000,465 | ---- | M] () -- C:\WINDOWS\BRWMARK.INI
[2011/08/09 11:55:01 | 000,000,026 | ---- | M] () -- C:\WINDOWS\BRPP2KA.INI
[2011/08/07 11:02:23 | 000,002,459 | ---- | M] () -- C:\Documents and Settings\Rouein joon\Desktop\HiJackThis.lnk
[2011/08/07 09:31:14 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/08/06 16:30:23 | 000,061,026 | ---- | M] () -- C:\Documents and Settings\Rouein joon\My Documents\cc_20110806_163000.reg
[2011/08/05 22:28:14 | 004,164,813 | R--- | M] (Swearware) -- C:\Documents and Settings\Rouein joon\Desktop\ComboFix.exe
[2011/08/05 20:33:41 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2011/08/05 18:09:21 | 000,000,689 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/08/05 14:59:14 | 000,021,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011/08/05 13:52:11 | 000,001,608 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\MetaTrader 4 Alpari UK.lnk
[2011/08/05 12:52:29 | 000,002,549 | ---- | M] () -- C:\Documents and Settings\Rouein joon\Desktop\Marketvision plus.lnk
[2011/08/04 14:36:05 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\Rouein joon\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk
[2011/08/04 14:33:06 | 000,000,689 | ---- | M] () -- C:\Documents and Settings\Rouein joon\Application Data\Microsoft\Internet Explorer\Quick Launch\dorNegar.lnk
[2011/08/04 14:32:50 | 000,000,847 | ---- | M] () -- C:\Documents and Settings\Rouein joon\Application Data\Microsoft\Internet Explorer\Quick Launch\OUTLOOK.lnk
[2011/08/04 14:27:47 | 000,096,384 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\sptd7181.sys
[2011/08/04 13:40:14 | 000,000,938 | ---- | M] () -- C:\Documents and Settings\Rouein joon\Desktop\NeroStartSmart.lnk
[2011/08/04 12:39:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/08/04 12:05:32 | 000,684,297 | ---- | M] () -- C:\Documents and Settings\Rouein joon\Desktop\unhide.exe
[2011/08/04 10:25:06 | 009,545,312 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Rouein joon\Desktop\mbam-setup.exe
[2011/08/04 06:34:25 | 000,040,960 | ---- | M] () -- C:\Documents and Settings\Rouein joon\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/08/04 00:12:11 | 000,000,392 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\P1kAlMiG2Kb7Fz
[2011/08/03 23:51:29 | 000,000,216 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fz
[2011/08/03 23:51:29 | 000,000,152 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fzr
[2011/08/03 16:36:23 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\Rouein joon\Application Data\Microsoft\Internet Explorer\Quick Launch\My Computer.lnk
[2011/08/03 14:13:29 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/08/02 11:24:49 | 000,041,451 | ---- | M] () -- C:\ETIR_1-Aug-11.pdf
[2011/07/25 11:17:44 | 005,969,920 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[34 C:\Documents and Settings\Rouein joon\Desktop\*.tmp files -> C:\Documents and Settings\Rouein joon\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/08/15 10:12:12 | 000,579,584 | ---- | C] () -- C:\Documents and Settings\Rouein joon\Desktop\OTL.exe
[2011/08/15 08:48:58 | 000,000,791 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/08/14 21:57:23 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/08/14 21:57:19 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/08/14 21:54:35 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/08/14 21:54:35 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/08/14 21:54:35 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/08/14 21:54:35 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/08/14 21:54:35 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/08/13 17:45:50 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2011/08/13 17:30:06 | 2145,845,248 | -HS- | C] () -- C:\hiberfil.sys
[2011/08/13 17:14:39 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\Rouein joon\defogger_reenable
[2011/08/07 11:01:01 | 000,002,459 | ---- | C] () -- C:\Documents and Settings\Rouein joon\Desktop\HiJackThis.lnk
[2011/08/06 16:30:19 | 000,061,026 | ---- | C] () -- C:\Documents and Settings\Rouein joon\My Documents\cc_20110806_163000.reg
[2011/08/05 18:09:20 | 000,000,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/08/05 14:59:14 | 000,021,064 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011/08/05 13:52:11 | 000,001,608 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\MetaTrader 4 Alpari UK.lnk
[2011/08/04 14:36:05 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\Rouein joon\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk
[2011/08/04 14:33:06 | 000,000,689 | ---- | C] () -- C:\Documents and Settings\Rouein joon\Application Data\Microsoft\Internet Explorer\Quick Launch\dorNegar.lnk
[2011/08/04 14:32:50 | 000,000,847 | ---- | C] () -- C:\Documents and Settings\Rouein joon\Application Data\Microsoft\Internet Explorer\Quick Launch\OUTLOOK.lnk
[2011/08/04 13:37:47 | 000,000,938 | ---- | C] () -- C:\Documents and Settings\Rouein joon\Desktop\NeroStartSmart.lnk
[2011/08/04 12:08:26 | 000,684,297 | ---- | C] () -- C:\Documents and Settings\Rouein joon\Desktop\unhide.exe
[2011/08/03 23:51:29 | 000,000,216 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fz
[2011/08/03 23:51:29 | 000,000,152 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fzr
[2011/08/03 16:36:23 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\Rouein joon\Application Data\Microsoft\Internet Explorer\Quick Launch\My Computer.lnk
[2011/08/03 14:18:08 | 000,000,424 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/08/03 14:13:29 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2011/08/03 13:40:41 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/08/03 13:16:22 | 000,000,392 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\P1kAlMiG2Kb7Fz
[2011/08/02 11:24:49 | 000,041,451 | ---- | C] () -- C:\ETIR_1-Aug-11.pdf
[2011/03/20 13:15:47 | 000,012,984 | ---- | C] () -- C:\WINDOWS\System32\drivers\SWDUMon.sys
[2010/10/13 16:01:33 | 000,000,000 | ---- | C] () -- C:\WINDOWS\brdfxspd.dat
[2010/10/12 14:15:30 | 000,000,114 | ---- | C] () -- C:\WINDOWS\System32\BRLMW03A.INI
[2010/10/12 13:57:36 | 000,000,065 | ---- | C] () -- C:\WINDOWS\System32\bd7030.dat
[2010/10/12 13:54:48 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2010/07/26 09:32:21 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2010/06/25 12:03:25 | 000,000,288 | ---- | C] () -- C:\WINDOWS\dpmvp.INI
[2010/03/01 10:00:44 | 000,390,912 | ---- | C] () -- C:\WINDOWS\System32\drivers\snpstd.sys
[2010/03/01 10:00:44 | 000,015,541 | ---- | C] () -- C:\WINDOWS\snpstd.ini
[2010/03/01 10:00:43 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\dsnpstd.dll
[2010/03/01 10:00:42 | 000,286,720 | ---- | C] () -- C:\WINDOWS\vsnpstd.exe
[2010/02/09 15:54:12 | 000,198,144 | ---- | C] () -- C:\WINDOWS\System32\_psisdecd.dll
[2009/10/21 13:20:08 | 000,005,504 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen_x86.sys
[2009/10/19 19:48:24 | 000,000,056 | ---- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/09/23 23:05:29 | 119,381,280 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2009/09/23 23:05:29 | 002,837,792 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2009/02/25 22:33:29 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/02/21 22:42:39 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\Rouein joon\Application Data\inst.exe
[2009/02/21 22:42:39 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Rouein joon\Application Data\pcouffin.cat
[2009/02/21 22:42:39 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Rouein joon\Application Data\pcouffin.inf
[2007/10/27 01:47:01 | 000,266,670 | ---- | C] () -- C:\WINDOWS\ZPC Uninstaller.exe
[2007/02/07 01:58:00 | 000,000,516 | ---- | C] () -- C:\WINDOWS\xxclone.ini
[2006/08/16 00:21:14 | 000,001,359 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/06/24 20:19:01 | 000,000,040 | ---- | C] () -- C:\WINDOWS\opt_1435.ini
[2006/06/24 20:18:24 | 000,000,465 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2006/06/24 20:18:24 | 000,000,026 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2006/03/04 15:44:14 | 000,319,488 | R--- | C] () -- C:\WINDOWS\System32\MafiaSetup.exe
[2006/03/04 15:20:43 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/03/04 13:00:47 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\instlsp.exe
[2006/03/01 20:26:12 | 000,040,960 | ---- | C] () -- C:\Documents and Settings\Rouein joon\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/03/01 16:45:08 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Rouein joon\Application Data\PFP120JPR.{PB
[2006/03/01 16:45:08 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Rouein joon\Application Data\PFP120JCM.{PB
[2006/03/01 12:02:42 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/03/01 11:27:24 | 000,004,704 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/03/01 11:27:24 | 000,000,104 | RHS- | C] () -- C:\WINDOWS\System32\93A1AF8BAD.sys
[2006/03/01 11:17:22 | 000,000,134 | ---- | C] () -- C:\Documents and Settings\Rouein joon\Local Settings\Application Data\fusioncache.dat
[2006/02/23 17:30:46 | 000,149,544 | ---- | C] () -- C:\WINDOWS\System32\drivers\ar5523.bin
[2006/02/22 15:58:24 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/02/22 15:50:15 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2006/02/22 15:45:59 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/02/22 15:42:24 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/02/22 15:41:45 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare
[2006/02/22 15:30:49 | 000,032,441 | ---- | C] () -- C:\WINDOWS\System32\nvModes.dat
[2006/02/22 15:19:10 | 000,049,152 | ---- | C] () -- C:\WINDOWS\setpwrcg.exe
[2006/02/22 15:19:00 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/02/22 15:19:00 | 001,657,376 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2006/02/22 15:19:00 | 001,503,232 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/02/22 15:19:00 | 001,346,080 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2006/02/22 15:19:00 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/02/22 15:19:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/02/22 15:19:00 | 000,449,056 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2006/02/22 15:18:58 | 000,436,768 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2006/02/22 15:18:48 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2006/02/22 15:18:48 | 000,018,944 | ---- | C] () -- C:\WINDOWS\System32\WLTRYSVC.EXE
[2006/02/22 15:18:44 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2006/02/22 15:18:36 | 000,000,491 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/12/23 11:07:19 | 000,339,968 | ---- | C] () -- C:\WINDOWS\vsnpstd3.exe
[2005/12/23 11:07:19 | 000,015,498 | ---- | C] () -- C:\WINDOWS\snpstd3.ini
[2005/12/23 11:07:17 | 008,410,880 | ---- | C] () -- C:\WINDOWS\System32\drivers\snpstd3.sys
[2005/12/23 11:07:15 | 000,020,480 | ---- | C] () -- C:\WINDOWS\usnpstd3.exe
[2005/12/23 10:53:22 | 000,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
[2005/12/20 10:18:38 | 000,136,576 | R--- | C] () -- C:\WINDOWS\System32\drivers\pfc027.sys
[2005/12/17 01:25:36 | 001,018,748 | ---- | C] () -- C:\WINDOWS\System32\nvucode.bin
[2005/01/28 10:08:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/10 15:12:05 | 000,000,882 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 15:07:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/10 15:02:15 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/10 15:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/10 14:57:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/10 14:57:15 | 000,279,744 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/10 14:51:21 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/10 14:51:20 | 000,486,812 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/10 14:51:20 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/10 14:51:20 | 000,082,006 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/10 14:51:20 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/10 14:51:18 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/10 14:51:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/10 14:51:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/10 14:51:12 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/10 14:51:11 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/10 14:51:05 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/10 14:50:56 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/01/08 11:30:22 | 000,011,170 | R--- | C] () -- C:\WINDOWS\System32\PA207Usd.dll
[2003/08/07 08:01:50 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Files - Unicode (All) ==========
[2009/09/23 22:55:24 | 000,000,040 | ---- | M] ()(C:\WINDOWS\System32\?????????????????4????????????????????????g) -- C:\WINDOWS\System32\㩃停潲牧浡䘠汩獥䉜汥屬敂汬䤠瑮牥敮⁴敓畣楲祴匠牥楶散屳慓敦潃湮捥屴潃普杩塜楖睥挮湯楦g
[2009/09/23 22:55:24 | 000,000,040 | ---- | C] ()(C:\WINDOWS\System32\?????????????????4????????????????????????g) -- C:\WINDOWS\System32\㩃停潲牧浡䘠汩獥䉜汥屬敂汬䤠瑮牥敮⁴敓畣楲祴匠牥楶散屳慓敦潃湮捥屴潃普杩塜楖睥挮湯楦g

========== Alternate Data Streams ==========

@Alternate Data Stream - 143 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1

< End of report >

OTL Extras logfile created on: 8/15/2011 10:15:51 AM - Run 1
OTL by OldTimer - Version 3.2.26.4 Folder = C:\Documents and Settings\Rouein joon\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 0.80 Gb Available Physical Memory | 40.12% Memory free
3.35 Gb Paging File | 2.25 Gb Available in Paging File | 67.37% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 88.70 Gb Total Space | 41.12 Gb Free Space | 46.36% Space Free | Partition Type: NTFS
Drive E: | 976.13 Mb Total Space | 752.25 Mb Free Space | 77.06% Space Free | Partition Type: FAT

Computer Name: ROUEIN | User Name: Rouein joon | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\MSN Messenger\msncall.exe" = C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\usmt\migwiz.exe" = C:\WINDOWS\system32\usmt\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard -- (Microsoft Corporation)
"C:\Program Files\FEAR\FEAR.exe" = C:\Program Files\FEAR\FEAR.exe:*:Enabled:FEAR -- (Monolith Productions, Inc.)
"C:\Program Files\Nero\Nero 7\Nero Home\NeroHome.exe" = C:\Program Files\Nero\Nero 7\Nero Home\NeroHome.exe:*:Enabled:Nero Home -- (Nero AG)
"C:\Program Files\Bell\Internet Service Advisor\ServicepointService.exe" = C:\Program Files\Bell\Internet Service Advisor\ServicepointService.exe:*:Enabled:Servicepoint Service -- (Radialpoint Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{00F93853-D9D3-4795-A89E-84CCBA0205C9}" = Microsoft IntelliPoint 8.0
"{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data
"{08234a0d-cf39-4dca-99f0-0c5cb496da81}" = Bing Bar
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{139E303E-1050-497F-98B1-9AE87B15C463}" = Windows Live Family Safety
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1CAC7A41-583B-4483-9FA5-3E5465AFF8C2}" = Microsoft Default Manager
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F528948-0E80-4C96-B455-DE4167CB1DF7}" = Internal Network Card Power Management
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2B54CED1-1911-4ECF-AA35-D2E14A716A36}" = VideoCAM Eye
"{2B653229-9854-4989-B780-D978F5F13EAB}" = FEAR
"{2B818257-E6C7-4841-8C29-C5C9A982BCE5}" = RICOH Media Driver ver.2.07.01.00
"{2CE5A2E7-3437-4CE7-BCF4-85ED6EEFF9E4}" = iTunes
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{34699808-5D74-40E4-AD81-2F07F3313ECE}" = RPS RpsCore
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{39CEE1F2-12B6-4C50-9131-04BFCA110578}" = PowerCinema NE for Everio
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3D047C15-C859-45F7-81CE-F2681778069B}" = iPod for Windows 2006-01-10
"{3E5CBADD-2E51-47C1-BBE2-B802DB6DA56A}" = MetaTrader 4.00
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4613F39B-AE3E-42D8-840E-190945136EA6}" = DriverUpdate
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{46E1B1F2-A279-4356-9B17-029F9CC72EAE}" = Brother MFL-Pro Suite
"{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"{51B92482-EEB3-47C9-BAB8-D09D75319D25}" = Marketvisionplus
"{548EEA8E-8299-497F-8057-811D2D7097DC}" = Dell Support 3.1
"{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{612B9183-67A9-4B44-9877-2F059E35B86A}" = Broadcom 440x 10/100 Integrated Controller
"{61EDBE71-5D3E-4AB7-AD95-E53FEAF68C17}" = Bing Rewards Client Installer
"{625BD732-ACDF-4552-BF22-98EBB413B6F3}" = McAfee Shredder
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6774F0CF-C7DD-4CB4-BCB2-11C3E08BBA03}" = McAfee Shredder
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.7
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B738CD9-D107-48C7-8E65-2E6639A39C8D}" = PerfectDisk 10 Professional
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{928B06E4-DDAA-476A-926A-641620326327}" = Microsoft Search Enhancement Pack
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-0122-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio
"{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}" = Dell Media Experience
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.0)
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy
"{B86C9440-82D7-423C-9FEC-6CB3092D1AA4}" = Bing Bar Platform
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2F1F96A-057E-5819-B52E-FEA1D1D2933B}" = Acronis True Image Home
"{C44365D5-634A-4D55-9B9C-346FF6ED76BE}" = Bell Internet Security Services
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = CyberLink PowerDirector
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCA1EEA3-555E-4D05-AC46-4B49C6C5D887}" = Apple Mobile Device Support
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D22D11A0-DF6A-4DE9-B6E2-62A8C5ECCDDE}" = RPS CRT
"{D36DD326-7280-11D8-97C8-000129760CBE}" = CyberLink PhotoNow
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}" = Apple Application Support
"{DD2EA1EE-6CAE-4227-A944-C9F9B43AA950}" = RPS PerfectDiskStub
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E571E8B1-9771-465D-9DE0-3BA2D1BDAE99}" = The Matrix - Path of Neo
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E6BEC86E-DCA9-4510-975F-E2DC68D3E5D7}" = DriverUpdate
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{ECC69E86-3B0E-4010-AA37-414C5D71B7B9}" = RPS CRT
"{ECD03DA7-5952-406A-8156-5F0C93618D1F}" = Dynex Webcam
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F17F7703-1E72-40C1-A0DD-E5B365661033}" = Nero 7 Essentials
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}" = Bonjour
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"ActiveTouchMeetingClient" = WebEx
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"BellCanada" = Bell Internet Check-up
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"CCleaner" = CCleaner
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"doPDF 7 printer_is1" = doPDF 7.1 printer
"dorNegar" = dorNegar Dictionary Version 1.00
"Free CD Ripper_is1" = Free CD Ripper 3.1
"Google Desktop" = Google Desktop
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InfraRecorder" = InfraRecorder
"InstallShield_{3D047C15-C859-45F7-81CE-F2681778069B}" = iPod for Windows 2006-01-10
"InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = CyberLink PowerDirector
"InstallShield_{D36DD326-7280-11D8-97C8-000129760CBE}" = CyberLink PhotoNow
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.1.1800
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Client" = Microsoft Security Essentials
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"RadialpointClientGateway_is1" = Bell Internet Service Advisor 3.7.44
"Registry Mechanic_is1" = Registry Mechanic 8.0
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Tweak UI 2.10" = Tweak UI
"Vault" = Personal Vault Manager
"ViewpointMediaPlayer" = Viewpoint Media Player
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XXClone" = XXClone ver 0.58.0
"ZPC" = ZPC (Zoroastrian & Persian Calendar)

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3882638093-4198672817-1851768424-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting 4.5.0.457

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/14/2011 6:32:59 PM | Computer Name = ROUEIN | Source = Bonjour Service | ID = 100
Description = mDNSCoreReceiveResponse: Received from 192.168.1.101:1055 20 Rp\.SpaEndpointV1._rp-hsd._tcp.local.
SRV 0 0 8965 Family.local.

Error - 8/14/2011 6:32:59 PM | Computer Name = ROUEIN | Source = Bonjour Service | ID = 100
Description = mDNSCoreReceiveResponse: ProbeCount 2; will rename 20 Rp\.SpaEndpointV1._rp-hsd._tcp.local.
SRV 0 0 8965 Rouein.local.

Error - 8/14/2011 6:34:10 PM | Computer Name = ROUEIN | Source = .NET Runtime Optimization Service | ID = 1103
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Tried to start a service that wasn't the latest version of CLR Optimization service.
Will shutdown

Error - 8/14/2011 6:47:45 PM | Computer Name = ROUEIN | Source = Bonjour Service | ID = 100
Description = mDNSCoreReceiveResponse: Ignoring response received before we even
began probing: 20 Rp\.SpaEndpointV1._rp-hsd._tcp.local. SRV 0 0 8965 Rouein.local.

Error - 8/14/2011 6:47:45 PM | Computer Name = ROUEIN | Source = Bonjour Service | ID = 100
Description = mDNSCoreReceiveResponse: Received from 192.168.1.101:1055 20 Rp\.SpaEndpointV1._rp-hsd._tcp.local.
SRV 0 0 8965 Family.local.

Error - 8/14/2011 6:47:45 PM | Computer Name = ROUEIN | Source = Bonjour Service | ID = 100
Description = mDNSCoreReceiveResponse: ProbeCount 2; will rename 20 Rp\.SpaEndpointV1._rp-hsd._tcp.local.
SRV 0 0 8965 Rouein.local.

Error - 8/14/2011 9:45:05 PM | Computer Name = ROUEIN | Source = Bonjour Service | ID = 100
Description = mDNSCoreReceiveResponse: Received from 192.168.1.101:1055 20 Rp\.SpaEndpointV1._rp-hsd._tcp.local.
SRV 0 0 8965 Family.local.

Error - 8/14/2011 9:45:05 PM | Computer Name = ROUEIN | Source = Bonjour Service | ID = 100
Description = mDNSCoreReceiveResponse: ProbeCount 2; will rename 20 Rp\.SpaEndpointV1._rp-hsd._tcp.local.
SRV 0 0 8965 Rouein.local.

Error - 8/14/2011 10:10:01 PM | Computer Name = ROUEIN | Source = Bonjour Service | ID = 100
Description = mDNSCoreReceiveResponse: Received from 192.168.1.101:1055 20 Rp\.SpaEndpointV1._rp-hsd._tcp.local.
SRV 0 0 8965 Family.local.

Error - 8/14/2011 10:10:01 PM | Computer Name = ROUEIN | Source = Bonjour Service | ID = 100
Description = mDNSCoreReceiveResponse: ProbeCount 2; will rename 20 Rp\.SpaEndpointV1._rp-hsd._tcp.local.
SRV 0 0 8965 Rouein.local.

[ System Events ]
Error - 8/14/2011 9:45:05 PM | Computer Name = ROUEIN | Source = Service Control Manager | ID = 7000
Description = The ANIO Service service failed to start due to the following error:
%%2

Error - 8/14/2011 9:45:09 PM | Computer Name = ROUEIN | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
RadialpointIDSEH StarOpen

Error - 8/14/2011 9:59:19 PM | Computer Name = ROUEIN | Source = Service Control Manager | ID = 7034
Description = The Dell Wireless WLAN Tray Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 8/14/2011 10:10:01 PM | Computer Name = ROUEIN | Source = Service Control Manager | ID = 7000
Description = The ANIO Service service failed to start due to the following error:
%%2

Error - 8/14/2011 10:10:01 PM | Computer Name = ROUEIN | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%126

Error - 8/14/2011 10:10:04 PM | Computer Name = ROUEIN | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
RadialpointIDSEH StarOpen

Error - 8/14/2011 10:55:42 PM | Computer Name = ROUEIN | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%126

Error - 8/15/2011 7:06:29 AM | Computer Name = ROUEIN | Source = Service Control Manager | ID = 7000
Description = The ANIO Service service failed to start due to the following error:
%%2

Error - 8/15/2011 7:06:29 AM | Computer Name = ROUEIN | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%126

Error - 8/15/2011 7:06:31 AM | Computer Name = ROUEIN | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
RadialpointIDSEH StarOpen


< End of report >

#11 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:04:01 PM

Posted 15 August 2011 - 10:17 AM

Go ahead and uninstall it. You can always download it again later.
Shannon

#12 Rouein

Rouein
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:01 PM

Posted 15 August 2011 - 10:28 AM

I will uninstall it.
Based on latest reports, do you think my system is now free from any infection? Or you need to do more investigation(s).

Thanks
Rouein

#13 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:04:01 PM

Posted 15 August 2011 - 11:27 AM

Hi-

We have a little clean up to do and need to run an online scan just to make sure we have it all.

We need to run an OTL Fix.
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.
:OTL
IE - HKU\S-1-5-21-3882638093-4198672817-1851768424-1006\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found.
O3 - HKU\S-1-5-21-3882638093-4198672817-1851768424-1006\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-21-3882638093-4198672817-1851768424-1006\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-3882638093-4198672817-1851768424-1006\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S-1-5-21-3882638093-4198672817-1851768424-1006\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
:commands
[emptytemp]
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.
  • If you have to reboot, once back up, open the C:\_OTL\MovedFiles folder and copy the newest log into your next reply.

Next, I'd like for you to scan your machine with ESET OnlineScan
  • Hold down Control key and click on the following link to open ESET OnlineScan in a new window.
  • ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip the next two steps)
  • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

In your reply, please copy in the OTL Fix report and the ESET OnlineScan report.
Shannon

#14 Rouein

Rouein
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:03:01 PM

Posted 15 August 2011 - 01:33 PM

Hi,
I uninstall the Microsoft security and my system has only 1 security program.
I ran OTL program and below you will find the report.
ESET online scan didn't complete its download/update and stopped at step 2 (initialization).
The error was: Can't get update, is proxy configured?

Please advise.

Thanks
Rouein

All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-3882638093-4198672817-1851768424-1006\Software\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{0BF43445-2F28-4351-9252-17FE6E806AA0} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BF43445-2F28-4351-9252-17FE6E806AA0}\ not found.
Registry value HKEY_USERS\S-1-5-21-3882638093-4198672817-1851768424-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_USERS\S-1-5-21-3882638093-4198672817-1851768424-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
Registry value HKEY_USERS\S-1-5-21-3882638093-4198672817-1851768424-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.
Registry value HKEY_USERS\S-1-5-21-3882638093-4198672817-1851768424-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Bijan

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 10691580 bytes
->Flash cache emptied: 56502 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 426118 bytes
->Flash cache emptied: 401 bytes

User: NetworkService
->Temp folder emptied: 8938 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Rouein joon
->Temp folder emptied: 3631903 bytes
->Temporary Internet Files folder emptied: 27079541 bytes
->Java cache emptied: 9246606 bytes
->Flash cache emptied: 3218 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 126432 bytes
%systemroot%\System32 .tmp files removed: 3432977 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 11472 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 52.00 mb


OTL by OldTimer - Version 3.2.26.4 log created on 08152011_134421

Files\Folders moved on Reboot...
C:\Documents and Settings\Rouein joon\Local Settings\Temporary Internet Files\Content.IE5\QMDXHZ07\resourcespreload[1].htm moved successfully.
C:\Documents and Settings\Rouein joon\Local Settings\Temporary Internet Files\Content.IE5\QMDXHZ07\resourcespreload[3].htm moved successfully.
C:\Documents and Settings\Rouein joon\Local Settings\Temporary Internet Files\Content.IE5\QMDXHZ07\WebIMPop[1].htm moved successfully.
C:\Documents and Settings\Rouein joon\Local Settings\Temporary Internet Files\Content.IE5\QMDXHZ07\xmlProxy[3].htm moved successfully.
File\Folder C:\Documents and Settings\Rouein joon\Local Settings\Temporary Internet Files\Content.IE5\HYY600H9\ca_msn_com[2].htm not found!
C:\Documents and Settings\Rouein joon\Local Settings\Temporary Internet Files\Content.IE5\HYY600H9\EditMessageLight[3].htm moved successfully.
C:\Documents and Settings\Rouein joon\Local Settings\Temporary Internet Files\Content.IE5\HYY600H9\RteFrame_16.0.1770.0804[1].htm moved successfully.
C:\Documents and Settings\Rouein joon\Local Settings\Temporary Internet Files\Content.IE5\25991GQC\default[1].htm moved successfully.
C:\Documents and Settings\Rouein joon\Local Settings\Temporary Internet Files\Content.IE5\25991GQC\LocalStorage[1].htm moved successfully.
C:\Documents and Settings\Rouein joon\Local Settings\Temporary Internet Files\Content.IE5\25991GQC\Messenger[1].htm moved successfully.
C:\Documents and Settings\Rouein joon\Local Settings\Temporary Internet Files\Content.IE5\25991GQC\topic413744[1].html moved successfully.
C:\Documents and Settings\Rouein joon\Local Settings\Temporary Internet Files\Content.IE5\25991GQC\xmlProxy[1].htm moved successfully.
C:\Documents and Settings\Rouein joon\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Documents and Settings\Rouein joon\Local Settings\Temporary Internet Files\SuggestedSites.dat moved successfully.

Registry entries deleted on Reboot...

#15 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:04:01 PM

Posted 15 August 2011 - 05:06 PM

For ESET-

Please click Start > Run, type inetcpl.cpl in the runbox and press enter.

Click the Connections tab and then click the LAN settings button.

If "Use a proxy for ...." is checked, uncheck it and click OK and OK to exit.

Try it again.
Shannon




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users