Infected with Rootkit Virus that won't let me open exe files


  • This topic is locked
34 replies to this topic

#1 raven123

raven123

  • Members
  • 45 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 22 August 2011 - 05:33 PM

Hi, I have picked up a rootkit virus that I don't know how to remove. I did get the DDS log but when I tried to get the log from gmer, the program shut down while scanning. When I try to open certain programs on my computer I get the message that "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the file." I tried to load Malwarebytes from safemode (I already had it on my computer) but it shut down after about 5 seconds. Can you help please and thanks.

Forgot to add that when I try to click on a link in Google, I am taken to different affiliate sites using either IE or FF.

In addition, I have tried the tdsskiller but when I press scan, the program shuts down.

I even tried RootRepeal but same thing happens. I can get programs installed but they won't run.

Attached Files

  • Attached File: dds.txt (17.83KB, 11 downloads)

Edited by raven123, 22 August 2011 - 08:54 PM.




#2 raven123

raven123
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 23 August 2011 - 08:32 AM

Is there something else I need to do to get help with my issue? Really looking forward to getting rid of this thing. I have tried everything suggested on the site but the rootkit shuts down every program before it can run. Please help. Thanks.

#3 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:08:03 PM

Posted 27 August 2011 - 09:54 AM

Hi,

Welcome to Bleeping Computer.

My name is Shannon and I will be working with you to remove the malware that is on your machine.

I apologize for the delay in replying to your post, but this forum is extremely busy.

Please Track this topic - On the top right on this thread, click on the Watch Topic button, click on 'Immediate Email Notification', and then click on the Proceed button at the bottom.

Do Not make any changes on your own to the infected computer.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Now, let's look more thoroughly at the infected computer -

We need to see some information about what is happening in your machine. Please perform the following scan:
  • We need to create an OTL Report
  • Please download OTL from here:
  • Main Mirror
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList"
  • Push the Run Scan button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Next, please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

Once you have the above logs, click on the Add Reply button below, copy in the contents of the two OTL logs and the RKU log. Also include any comments that you might have concerning the infection(s) and the infected computer.
Shannon
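Once the OTL report requested above is posted, the job for a helper is to pick out the few entries in the PRC/MOD/SRV/DRV sections that do not look like ordinary software. The Python script below is an added example, not part of the original thread and not a tool from OldTimer or BleepingComputer: it parses those four line types in the OTL report format and applies a handful of defender-side triage heuristics (a running process or driver whose image file is not visible on disk, an image path that is an NTFS alternate data stream, a module loaded through a \\?\globalroot device path, a kernel driver that is not a .sys file or has no company name while starting at Boot/System, and a driver service whose name does not match its image). The heuristics are my own assumptions, not OTL's rules; the sample report is constructed, modeled on the format of the report posted later in this thread, with the user name replaced by a placeholder. A hit means "look closer", not "this file is malicious".

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One PRC/MOD/SRV/DRV line of an OTL report. Assumed layout (as in this thread):
#   KIND - [date | size | attrs | M] (Company) [start | status] -- path -- (Name) desc
#   KIND - File not found [start | status] -- path -- (Name)
ENTRY_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - "
    r"(?:(?P<missing>File not found)"
    r"|\[(?P<date>[^|]+) \| (?P<size>[\d,]+) \| [^\]]*\] \((?P<company>[^)]*)\))"
    r"(?: \[(?P<state>[^\]]*)\])?"
    r" -- (?P<path>.*?)"
    r"(?:\s*-- \((?P<name>[^)]*)\)(?P<desc>.*))?$"
)

ADS_PATH_RE = re.compile(r"^[A-Za-z]:\\.*:[^\\]+$")  # drive:\dir\file:stream
GLOBALROOT_PREFIX = "\\\\?\\globalroot"               # the string \\?\globalroot


@dataclass
class Entry:
    kind: str
    path: str
    company: Optional[str]  # None when OTL could not read the file at all
    state: Optional[str]
    name: Optional[str]
    missing: bool


@dataclass
class Finding:
    severity: str
    path: str
    reason: str


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one report line; None for section headers, blanks and other sections."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return Entry(kind=m["kind"], path=m["path"].strip(), company=m["company"],
                 state=m["state"], name=m["name"], missing=m["missing"] is not None)


def triage_entry(e: Entry) -> List[Finding]:
    """Heuristic triage (my rules, not OTL's): each hit is a reason to look closer."""
    hits: List[Finding] = []
    low = e.path.lower()
    start_fields = [p.strip() for p in (e.state or "").split("|")]  # e.g. Kernel | Boot | Running

    def flag(sev: str, why: str) -> None:
        hits.append(Finding(sev, e.path, why))

    # A process/driver that is demonstrably running but whose file cannot be opened
    # is the classic sign of an image being hidden from the scanner.
    if e.missing and e.path and e.kind in ("PRC", "DRV"):
        flag("high", f"running {e.kind} whose image file is not visible on disk")
    if ADS_PATH_RE.match(e.path):
        flag("high", "image path is an NTFS alternate data stream")
    if low.startswith(GLOBALROOT_PREFIX):
        flag("high", "module loaded through a \\\\?\\globalroot device path")
    if e.kind == "DRV" and e.path and not low.endswith(".sys"):
        flag("high", "kernel driver image without a .sys extension")
    if e.kind == "DRV" and e.company == "" and ("Boot" in start_fields or "System" in start_fields):
        flag("medium", "early-start driver with no company name in its version info")
    if e.kind == "DRV" and e.name and e.path:
        stem = e.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if stem.lower() != e.name.lower():
            flag("low", f"driver service {e.name} points at an image with a different name")
    return hits


def triage_report(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry:
            findings.extend(triage_entry(entry))
    return findings


# Constructed sample in OTL format (user name is a placeholder, not from the thread).
SAMPLE_REPORT = r"""
========== Processes (SafeList) ==========

PRC - File not found -- C:\WINDOWS\2394369093:3134408817.exe
PRC - [2011/08/27 11:59:05 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe

========== Modules (No Company Name) ==========

MOD - [2008/06/20 12:02:47 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)

========== Driver Services (SafeList) ==========

DRV - [2011/08/26 09:58:13 | 000,456,320 | ---- | M] () [File_System | System | Running] -- C:\WINDOWS\System32\drivers\tsk18.tmp -- (MRxSmb)
DRV - [2011/08/22 13:31:55 | 000,035,712 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\BlackBox.sys -- (BlackBox)
DRV - [2011/06/29 03:13:45 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
"""

if __name__ == "__main__":
    for f in triage_report(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.path}\n         {f.reason}")
```

Run it as-is to see the constructed sample triaged, or paste a real OTL.txt into SAMPLE_REPORT. The SRV "File not found" entries with an empty path (HidServ, AppMgmt on XP) are deliberately not flagged, since those are common leftovers; the script only escalates a missing image when the scanner still saw it running.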

#4 raven123

raven123
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 27 August 2011 - 11:18 AM

Hi Shannon. Thank you for taking the time to help me. The only extra info I can provide is that I have tried TDSSkiller and Kaspersky's rescue disk and although both programs found the zaccess rootkit, every time I reboot it comes back. I still am unable to run malwarebytes. One other thing, ever since I got the virus I have been unable to enable my virus protection. I have tried everything to re-start the service but it won't start. Here are the logs you asked for.

OTL Extras logfile created on: 27/08/2011 12:00:22 PM - Run 1
OTL by OldTimer - Version 3.2.26.6 Folder = C:\Documents and Settings\Glen Bottrel\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

1023.49 Mb Total Physical Memory | 611.75 Mb Available Physical Memory | 59.77% Memory free
2.41 Gb Paging File | 2.12 Gb Available in Paging File | 88.30% Paging File free
Paging file location(s): C:\pagefile.sys 1534 1534 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.91 Gb Total Space | 30.35 Gb Free Space | 54.28% Space Free | Partition Type: NTFS

Computer Name: DAR-4NWAL0LFUC | User Name: Glen Bottrel | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\mIRC\mirc.exe" = C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC -- (mIRC Co. Ltd.)
"C:\Program Files\ICQ\Icq.exe" = C:\Program Files\ICQ\Icq.exe:*:Enabled:ICQ -- (ICQ Inc.)
"C:\Program Files\NetMeeting\conf.exe" = C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting® -- (Microsoft Corporation)
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.)
"C:\Program Files\Yahoo!\Messenger\YPager.exe" = C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server
"C:\Program Files\Microsoft LifeCam\LifeExp.exe" = C:\Program Files\Microsoft LifeCam\LifeExp.exe:*:Enabled:LifeExp.exe -- (Microsoft Corporation)
"C:\Program Files\Microsoft LifeCam\LifeCam.exe" = C:\Program Files\Microsoft LifeCam\LifeCam.exe:*:Enabled:LifeCam.exe -- (Microsoft Corporation)
"C:\Program Files\Microsoft LifeCam\LifeEnC2.exe" = C:\Program Files\Microsoft LifeCam\LifeEnC2.exe:*:Enabled:LifeEnC2.exe -- (Microsoft Corporation)
"C:\Program Files\Microsoft LifeCam\LifeTray.exe" = C:\Program Files\Microsoft LifeCam\LifeTray.exe:*:Enabled:LifeTray.exe -- (Microsoft Corporation)
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\PhraseExpress\PhraseExpress.exe" = C:\Program Files\PhraseExpress\PhraseExpress.exe:*:Enabled:PhraseExpress -- (Bartels Media GmbH)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Disabled:LimeWire
"C:\StubInstaller.exe" = C:\StubInstaller.exe:*:Disabled:LimeWire swarmed installer -- (LimeWire)
"C:\Program Files\Warcraft III\Warcraft III.exe" = C:\Program Files\Warcraft III\Warcraft III.exe:*:Disabled:Warcraft III
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" = C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware -- ()
"C:\Documents and Settings\Glen Bottrel\Desktop\tdsskiller.exe" = C:\Documents and Settings\Glen Bottrel\Desktop\tdsskiller.exe:*:Enabled:TDSS rootkit removing tool -- ()
"C:\Documents and Settings\Glen Bottrel\Desktop\TDSSKiller\TDSSKiller.exe" = C:\Documents and Settings\Glen Bottrel\Desktop\TDSSKiller\TDSSKiller.exe:*:Enabled:TDSS rootkit removing tool -- ()
"C:\Program Files\Intuit\QuickBooks Premier\QBW32.EXE" = C:\Program Files\Intuit\QuickBooks Premier\QBW32.EXE:*:Enabled:QuickBooks -- (Intuit, Inc.)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe" = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe:*:Enabled:QuickBooks Automatic Update -- (Intuit Inc.)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer -- (Microsoft Corporation)
"C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe" = C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe:*:Enabled:Trend Micro RUBotted tool
"C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat.exe" = C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat.exe:*:Enabled:Adobe Acrobat -- (Adobe Systems Incorporated)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{01BDFB08-EE88-4E5E-94A6-AE9EDCFA40C5}" = Microsoft IntelliPoint 4.0
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216019FF}" = Java™ 6 Update 20
"{2BA00471-0328-3743-93BD-FA813353A783}" = Microsoft .NET Framework 3.0 Service Pack 1
"{2BC2781A-F7F6-452E-95EB-018A522F1B2C}" = PaperPort Image Printer
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150070}" = J2SE Runtime Environment 5.0 Update 7
"{3248F0A8-6813-11D6-A77B-00B0D0150080}" = J2SE Runtime Environment 5.0 Update 8
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{32A885F0-590E-49D3-A351-32C0FDA8DE5D}" = StudioTax 2007
"{334E2386-DF81-44b6-A2E2-D15B81162929}" = QuickBooks Premier Edition 2007
"{34E95EA8-EEED-469A-A5C6-4BCFE33CA1B7}" = StudioTax 2008
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B855358-77BC-482A-BA00-C4068ECF9177}" = Talking Alarm Clock
"{609F7AC8-C510-11D4-A788-009027ABA5D0}" = Easy CD Creator 5 Basic
"{60C15072-F33A-4140-9A59-5C06EA986715}" = StudioTax 2006
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6BCB7EAA-598C-4836-B7EA-3642E41AA222}" = Microsoft LifeCam
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7A8FF745-BBC5-482B-88E4-18D3178249A9}" = ScanSoft PaperPort 11
"{7B08D306-7266-4647-A926-2F78817ED1E0}" = Microsoft Corporation
"{7F6ECB74-632B-4222-AF7F-3553D86E4B45}" = StudioTax 2005
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{92BF38A8-5616-4209-87A3-D910B45A1D98}" = Homescan Internet Transporter
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{959B7040-8448-4705-B951-BDB603CF69A0}_is1" = PDF Converter 2.0
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D1C26BD-E792-4159-9D16-07EA222D8EF0}" = Windows Messenger 5.1
"{9D782EC1-98B7-4EE3-979D-66CAD9DF9D31}" = StudioTax 2009
"{9EC2D2B3-7531-4404-8523-285A0607A78F}" = StudioTax 2010
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC015C45-1667-40A4-A126-966EE5629062}" = Quicken 2010
"{AC76BA86-1033-F400-7760-000000000005}" = Adobe Acrobat X Pro - English, Français, Deutsch
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.5
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D9461574-5FC0-4641-BBDC-D1038B196F55}" = Brother MFL-Pro Suite MFC-490CW
"{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}" = Apple Application Support
"{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}" = AnswerWorks 5.0 English Runtime
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F4588301-0A06-11D6-A761-00B0D079AF64}" = Java 2 Runtime Environment, SE v1.4.0
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Avance AC'97 Audio
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"Arctic Quest" = Arctic Quest
"Around the World in 80 Days_is1" = Around the World in 80 Days 1.0
"Atlantis Quest_is1" = Atlantis Quest 1.0
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"Bullzip PDF Printer_is1" = Bullzip PDF Printer 6.0.0.865
"CCleaner" = CCleaner
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"CoreFTP" = Core FTP LE
"Coupon Printer for Windows5.0.0.1" = Coupon Printer for Windows
"Folderico" = Folderico 3.7.2
"Foxonic Professional 3.2 (build 0019)_is1" = Foxonic Professional 3.2 (build 0019)
"FTDICOMM" = FTDI USB Serial Converter Drivers
"GPL Ghostscript Lite_is1" = GPL Ghostscript Lite 8.70
"Hallmark Card Studio" = Hallmark Card Studio
"HijackThis" = HijackThis 1.99.1
"ICQ" = ICQ
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Image Mender" = Image Mender 1.1
"IrfanView" = IrfanView (remove only)
"Java Web Start" = Java Web Start
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.1.1800
"Master Of Defense_is1" = Master Of Defense 1.67e
"Matrox Graphics Uninstaller" = Matrox Graphics Software (remove only)
"mIRC" = mIRC
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"Netscape Communicator 4.79" = Netscape Communicator 4.79
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PaRaMeter_is1" = PaRaMeter 1.3
"pdfsam" = pdfsam
"PhraseExpress_is1" = PhraseExpress v7.0.158
"RealPlayer 6.0" = RealPlayer
"The Rise of Atlantis_is1" = The Rise of Atlantis 1.0
"TNT Screen Capture (Free version for GiveAwayOfT~CFCC0AE8_is1" = EC Software TNT Screen Capture 2.1
"VideoGet_is1" = VideoGet
"Vitalize!" = Vitalize!
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinPcapInst" = WinPcap 4.1.1
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Internet Mail" = Yahoo! Internet Mail
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-329068152-1993962763-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Yahoo! BrowserPlus" = Yahoo! BrowserPlus 2.9.8

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 04/08/2011 12:14:41 PM | Computer Name = DAR-4NWAL0LFUC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 04/08/2011 12:14:41 PM | Computer Name = DAR-4NWAL0LFUC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 04/08/2011 12:14:43 PM | Computer Name = DAR-4NWAL0LFUC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 04/08/2011 12:14:43 PM | Computer Name = DAR-4NWAL0LFUC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 04/08/2011 12:14:43 PM | Computer Name = DAR-4NWAL0LFUC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 04/08/2011 12:14:43 PM | Computer Name = DAR-4NWAL0LFUC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 04/08/2011 12:14:44 PM | Computer Name = DAR-4NWAL0LFUC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 04/08/2011 12:14:44 PM | Computer Name = DAR-4NWAL0LFUC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 04/08/2011 12:14:44 PM | Computer Name = DAR-4NWAL0LFUC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 04/08/2011 12:14:44 PM | Computer Name = DAR-4NWAL0LFUC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 26/08/2011 7:52:00 PM | Computer Name = DAR-4NWAL0LFUC | Source = Service Control Manager | ID = 7000
Description = The Talking Alarm Clock user logon monitor service failed to start
due to the following error: %%299

Error - 26/08/2011 8:02:27 PM | Computer Name = DAR-4NWAL0LFUC | Source = Service Control Manager | ID = 7000
Description = The Talking Alarm Clock user logon monitor service failed to start
due to the following error: %%299

Error - 26/08/2011 8:35:06 PM | Computer Name = DAR-4NWAL0LFUC | Source = Service Control Manager | ID = 7000
Description = The Talking Alarm Clock user logon monitor service failed to start
due to the following error: %%299

Error - 26/08/2011 8:42:28 PM | Computer Name = DAR-4NWAL0LFUC | Source = Service Control Manager | ID = 7000
Description = The Talking Alarm Clock user logon monitor service failed to start
due to the following error: %%299

Error - 27/08/2011 7:00:00 AM | Computer Name = DAR-4NWAL0LFUC | Source = Service Control Manager | ID = 7000
Description = The Talking Alarm Clock user logon monitor service failed to start
due to the following error: %%299

Error - 27/08/2011 9:22:12 AM | Computer Name = DAR-4NWAL0LFUC | Source = Service Control Manager | ID = 7000
Description = The Talking Alarm Clock user logon monitor service failed to start
due to the following error: %%299

Error - 27/08/2011 11:05:00 AM | Computer Name = DAR-4NWAL0LFUC | Source = Service Control Manager | ID = 7000
Description = The Talking Alarm Clock user logon monitor service failed to start
due to the following error: %%299

Error - 27/08/2011 11:50:38 AM | Computer Name = DAR-4NWAL0LFUC | Source = Service Control Manager | ID = 7000
Description = The Talking Alarm Clock user logon monitor service failed to start
due to the following error: %%299

Error - 27/08/2011 12:00:00 PM | Computer Name = DAR-4NWAL0LFUC | Source = Service Control Manager | ID = 7000
Description = The Talking Alarm Clock user logon monitor service failed to start
due to the following error: %%299

Error - 27/08/2011 12:00:14 PM | Computer Name = DAR-4NWAL0LFUC | Source = Service Control Manager | ID = 7000
Description = The Talking Alarm Clock user logon monitor service failed to start
due to the following error: %%299


< End of report >
--------
OTL logfile created on: 27/08/2011 12:00:22 PM - Run 1
OTL by OldTimer - Version 3.2.26.6 Folder = C:\Documents and Settings\Glen Bottrel\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

1023.49 Mb Total Physical Memory | 611.75 Mb Available Physical Memory | 59.77% Memory free
2.41 Gb Paging File | 2.12 Gb Available in Paging File | 88.30% Paging File free
Paging file location(s): C:\pagefile.sys 1534 1534 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.91 Gb Total Space | 30.35 Gb Free Space | 54.28% Space Free | Partition Type: NTFS

Computer Name: DAR-4NWAL0LFUC | User Name: Glen Bottrel | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - File not found -- C:\WINDOWS\2394369093:3134408817.exe
PRC - [2011/08/27 11:59:05 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Glen Bottrel\Desktop\OTL.exe
PRC - [2011/06/06 15:55:32 | 002,903,448 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
PRC - [2010/11/04 13:15:48 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/05/17 05:26:00 | 000,811,008 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2006/05/11 14:30:42 | 002,064,384 | ---- | M] (ACNielsen) -- C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
PRC - [2006/03/02 11:32:58 | 000,684,032 | ---- | M] (Matrox Graphics Inc.) -- C:\WINDOWS\system32\PDesk\pdesk.exe
PRC - [2004/09/15 15:24:34 | 000,254,384 | ---- | M] (Cinnamon Software Inc.) -- C:\Program Files\Alarm\Alarm Tray.exe
PRC - [2001/05/29 05:02:08 | 000,124,416 | R--- | M] (Avance Logic, Inc.) -- C:\WINDOWS\soundman.exe


========== Modules (No Company Name) ==========

MOD - [2010/04/12 17:29:22 | 000,108,320 | ---- | M] () -- C:\Program Files\Java\jre6\bin\jp2iexp.dll
MOD - [2010/04/12 17:28:59 | 000,008,192 | ---- | M] () -- C:\Program Files\Java\jre6\bin\jp2native.dll
MOD - [2008/06/20 12:02:47 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2004/07/19 12:06:58 | 000,520,192 | ---- | M] () -- C:\Program Files\ACNielsen\Homescan Internet Transporter\c4dll.dll
MOD - [2003/07/30 13:39:54 | 000,145,120 | ---- | M] () -- C:\WINDOWS\Downloaded Program Files\ymmapi.dll
MOD - [2003/05/28 07:55:30 | 000,155,648 | ---- | M] () -- C:\Program Files\ACNielsen\Homescan Internet Transporter\ssleay32.dll
MOD - [2003/05/28 07:55:28 | 000,684,032 | ---- | M] () -- C:\Program Files\ACNielsen\Homescan Internet Transporter\libeay32.dll
MOD - [2002/09/12 08:29:46 | 000,057,344 | ---- | M] () -- C:\Program Files\ACNielsen\Homescan Internet Transporter\zlib.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/08/26 04:58:00 | 000,081,920 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\mgabg.exe -- (MGABGEXE)
SRV - [2011/08/26 04:56:54 | 000,155,648 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)
SRV - [2011/08/26 04:56:41 | 000,130,560 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2011/08/26 04:56:34 | 000,241,664 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Alarm\AlarmMonitor.exe -- (AlarmClockMonitor)
SRV - [2011/06/29 03:13:42 | 000,269,480 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/10/20 14:19:48 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)


========== Driver Services (SafeList) ==========

DRV - [2011/08/26 09:58:13 | 000,456,320 | ---- | M] () [File_System | System | Running] -- C:\WINDOWS\System32\drivers\tsk18.tmp -- (MRxSmb)
DRV - [2011/08/22 13:31:55 | 000,035,712 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\BlackBox.sys -- (BlackBox)
DRV - [2011/07/08 07:55:36 | 000,041,272 | ---- | M] (Malwarebytes Corporation) [Kernel | Disabled | Running] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2011/06/29 03:13:45 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/06/29 03:13:45 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/10/20 14:19:44 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2009/05/11 11:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 09:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2008/12/13 14:47:38 | 000,129,896 | ---- | M] (Paragon) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Uim_IM.sys -- (Uim_IM)
DRV - [2008/12/13 14:47:38 | 000,032,056 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\UimBus.sys -- (UimBus)
DRV - [2008/08/04 16:22:20 | 001,964,816 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\VX3000.sys -- (VX3000)
DRV - [2008/04/13 14:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2006/02/27 15:32:14 | 000,350,080 | ---- | M] (Matrox Graphics Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\g400dhm.sys -- (G400DH)
DRV - [2005/12/19 16:02:36 | 000,060,572 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ftser2k.sys -- (FTSER2K)
DRV - [2005/12/19 16:02:36 | 000,028,449 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ftdibus.sys -- (FTDIBUS)
DRV - [2005/09/19 13:23:10 | 000,206,464 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\udfreadr_xp.sys -- (UdfReadr_xp)
DRV - [2005/09/19 13:23:10 | 000,144,250 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2K)
DRV - [2005/09/19 13:23:10 | 000,030,662 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2005/09/19 13:23:10 | 000,025,930 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2005/09/19 13:23:08 | 000,062,288 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2005/09/19 13:23:08 | 000,023,436 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2001/12/16 21:27:06 | 000,265,143 | R--- | M] (Avance Logic, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Avance AC97 Audio (WDM)
DRV - [2001/10/05 18:30:34 | 000,036,096 | ---- | M] (ADMtek Incorporated.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\an983.sys -- (AN983)
DRV - [2001/08/23 00:33:12 | 000,010,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ipfilter.sys -- (IPFilter)
DRV - [2001/08/17 15:06:20 | 000,100,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Icam5USB.sys -- (ICAM5USB) Intel®
DRV - [2001/08/17 10:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)
DRV - [2001/08/17 08:50:18 | 000,198,144 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv3.sys -- (nv3)
DRV - [2000/04/17 19:32:38 | 000,005,533 | R--- | M] (Matrox Graphics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\utilnt.sys -- (UtilNT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr8/*http://www.yahoo.com/ext/search/search.html


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-329068152-1993962763-1060284298-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
IE - HKU\S-1-5-21-329068152-1993962763-1060284298-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
IE - HKU\S-1-5-21-329068152-1993962763-1060284298-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\S-1-5-21-329068152-1993962763-1060284298-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKU\S-1-5-21-329068152-1993962763-1060284298-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gimpsy.com/
IE - HKU\S-1-5-21-329068152-1993962763-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.gimpsy.com/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60129.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2027: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.2.2088: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1040: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Acrobat: C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@yahoo.com/BrowserPlus,version=2.9.8: C:\Documents and Settings\Glen Bottrel\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll (Yahoo! Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\web2pdfextension@web2pdf.adobedotcom: C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2011/07/26 14:02:44 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/08 12:23:33 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/07/24 18:56:52 | 000,000,000 | ---D | M]

[2009/02/19 23:27:17 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Glen Bottrel\Application Data\Mozilla\Extensions
[2010/03/23 15:07:22 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Glen Bottrel\Application Data\Mozilla\Firefox\Profiles\r1uapznt.default\extensions
[2011/08/27 09:32:17 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/05 17:06:07 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2011/03/18 14:32:12 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/03/18 14:32:14 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll

O1 HOSTS File: ([2008/08/07 09:03:15 | 000,000,734 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-329068152-1993962763-1060284298-1004\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe ()
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe (Matrox Graphics Inc.)
O4 - HKLM..\Run: [MegaPanel] C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe (ACNielsen)
O4 - HKLM..\Run: [POINTER] File not found
O4 - HKLM..\Run: [Show missed alarms] C:\Program Files\Alarm\Alarm.exe (Cinnamon Software Inc.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Avance Logic, Inc.)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-329068152-1993962763-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_20.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Add to VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\Program Files\Nuclear Coffee\VideoGet\Plugins\VideoGet_IE.dll (Nuclear Coffee Software)
O9 - Extra 'Tools' menuitem : Add to &VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\Program Files\Nuclear Coffee\VideoGet\Plugins\VideoGet_IE.dll (Nuclear Coffee Software)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://www.pcpitstop.com/betapit/PCPitStop.CAB (Reg Error: Key error.)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} http://www.ipix.com/viewers/ipixx.cab (iPIX ActiveX Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc.cab (Office Update Installation Engine)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} http://office.microsoft.com/productupdates/content/opuc.cab (OPUCatalog Class)
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebook.com/controls/FacebookPhotoUploader3.cab (Facebook Photo Uploader 4 Control)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab (Reg Error: Key error.)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {916C95B3-55DA-43F7-A88F-32D37770306A} http://www.rogershelp.com/ocf/prjOCFTools.CAB (prjOCFTools.OCFTools)
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} http://download.yahoo.com/dl/mail/ymmapi.cab (YahooYMailTo Class)
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} http://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB (GDIChk Object)
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} http://www.crucial.com/controls/cpcScanner.cab (Crucial cpcScan)
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} http://chat.msn.com/controls/msnchat45.cab (MSN Chat Control 4.5)
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.71.255.198
O18 - Protocol\Handler\intu-res {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - C:\Program Files\Common Files\Intuit\intu-res.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Glen Bottrel\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/07/15 17:52:53 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\start.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/08/27 11:59:04 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Glen Bottrel\Desktop\OTL.exe
[2011/08/26 09:09:41 | 009,545,312 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Glen Bottrel\Desktop\mbam-setup.exe
[2011/08/26 04:51:13 | 000,000,000 | ---D | C] -- C:\Kaspersky Rescue Disk 10.0
[2011/08/25 13:57:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinPcap
[2011/08/25 13:56:58 | 000,000,000 | ---D | C] -- C:\Program Files\WinPcap
[2011/08/23 21:24:21 | 000,000,000 | ---D | C] -- C:\TK_Quarantine
[2011/08/23 11:16:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Glen Bottrel\Desktop\TDSSKiller
[2011/08/23 09:48:01 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Glen Bottrel\Recent
[2011/08/22 22:31:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Glen Bottrel\Start Menu\Programs\HiJackThis
[2011/08/09 22:14:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Glen Bottrel\Start Menu\Programs\Convar
[2011/08/09 22:14:23 | 000,000,000 | ---D | C] -- C:\Program Files\Convar
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\Documents and Settings\Glen Bottrel\*.tmp files -> C:\Documents and Settings\Glen Bottrel\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/08/27 12:00:14 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\Transmit scanner.job
[2011/08/27 11:59:05 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Glen Bottrel\Desktop\OTL.exe
[2011/08/27 11:34:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/08/27 09:22:13 | 000,000,850 | ---- | M] () -- C:\WINDOWS\tasks\check living well.job
[2011/08/27 09:22:00 | 000,000,842 | ---- | M] () -- C:\WINDOWS\tasks\The snowwager.job
[2011/08/26 19:34:01 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/08/26 18:24:34 | 000,000,828 | ---- | M] () -- C:\WINDOWS\tasks\Snowager.job
[2011/08/26 13:14:15 | 020,574,208 | ---- | M] () -- C:\DrGayleKumchy.QBW
[2011/08/26 12:04:09 | 000,026,225 | ---- | M] () -- C:\Documents and Settings\Glen Bottrel\Desktop\Aug Deposits Toronto PAge 2.pdf
[2011/08/26 11:23:58 | 000,000,964 | ---- | M] () -- C:\WINDOWS\tasks\Send Schedule to Gayle.job
[2011/08/26 09:58:13 | 000,085,376 | ---- | M] () -- C:\WINDOWS\System32\drivers\78854903.sys
[2011/08/26 09:09:46 | 009,545,312 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Glen Bottrel\Desktop\mbam-setup.exe
[2011/08/26 09:08:05 | 000,012,676 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/08/26 09:07:23 | 000,000,000 | ---- | M] () -- C:\WINDOWS\2394369093
[2011/08/26 09:07:05 | 000,043,408 | -HS- | M] () -- C:\WINDOWS\System32\c_27980.nl_
[2011/08/26 09:06:47 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/08/26 04:58:00 | 000,081,920 | ---- | M] () -- C:\WINDOWS\System32\mgabg.exe
[2011/08/25 16:28:47 | 000,002,608 | ---- | M] () -- C:\Documents and Settings\Glen Bottrel\Local Settings\Application Data\d3d9caps.dat
[2011/08/25 15:59:07 | 000,000,876 | ---- | M] () -- C:\WINDOWS\tasks\Log into Ripway to save images.job
[2011/08/25 13:57:02 | 000,000,073 | ---- | M] () -- C:\WINDOWS\System32\-1
[2011/08/24 12:00:06 | 000,000,848 | ---- | M] () -- C:\WINDOWS\tasks\Ask Gayle for QB.job
[2011/08/22 21:23:00 | 001,405,744 | ---- | M] () -- C:\Documents and Settings\Glen Bottrel\Desktop\tdsskiller.exe
[2011/08/22 20:04:57 | 001,405,744 | ---- | M] () -- C:\Documents and Settings\Glen Bottrel\Desktop\tryingagain.com
[2011/08/22 20:00:43 | 001,405,744 | ---- | M] () -- C:\Documents and Settings\Glen Bottrel\Desktop\123.com
[2011/08/22 19:58:10 | 000,000,854 | ---- | M] () -- C:\WINDOWS\tasks\Ability Online Chat.job
[2011/08/22 13:31:55 | 000,035,712 | ---- | M] () -- C:\WINDOWS\System32\drivers\BlackBox.sys
[2011/08/22 13:30:19 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\Glen Bottrel\Desktop\RKUnhookerLE.EXE
[2011/08/21 19:00:05 | 000,000,902 | ---- | M] () -- C:\WINDOWS\tasks\Cat Of the Week.job
[2011/08/21 18:45:01 | 000,002,006 | ---- | M] () -- C:\WINDOWS\tasks\COTW.job
[2011/08/21 10:06:56 | 026,067,354 | ---- | M] () -- C:\Documents and Settings\Glen Bottrel\Desktop\Pawlooza.zip
[2011/08/19 15:44:05 | 000,074,690 | ---- | M] () -- C:\Documents and Settings\Glen Bottrel\Desktop\Fisher School 110819.pdf
[2011/08/14 13:18:36 | 004,785,811 | ---- | M] () -- C:\Documents and Settings\Glen Bottrel\Desktop\Outside.zip
[2011/08/12 12:08:14 | 000,000,904 | ---- | M] () -- C:\WINDOWS\tasks\Sue and Daves Anniversay Aug 12 (24th maybe).job
[2011/08/10 17:17:55 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/08/09 16:23:39 | 000,000,872 | -H-- | M] () -- C:\WINDOWS\tasks\Telus due Sept 4 - Add money.job
[2011/08/09 15:41:26 | 000,151,552 | ---- | M] () -- C:\Documents and Settings\Glen Bottrel\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/08/06 10:31:10 | 000,000,852 | ---- | M] () -- C:\WINDOWS\tasks\Sally's Bday Aug 6.job
[2011/08/05 20:06:27 | 000,001,970 | ---- | M] () -- C:\WINDOWS\tasks\Pay ISP Bill.job
[2011/08/04 09:55:01 | 003,173,987 | ---- | M] () -- C:\Documents and Settings\Glen Bottrel\Desktop\summer pics.zip
[2011/08/03 09:27:51 | 000,000,866 | ---- | M] () -- C:\WINDOWS\tasks\half price day at neopets.job
[2011/08/01 14:46:00 | 000,042,864 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2011/08/01 14:45:59 | 000,000,151 | ---- | M] () -- C:\liprefs.js
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\Documents and Settings\Glen Bottrel\*.tmp files -> C:\Documents and Settings\Glen Bottrel\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/08/26 12:04:09 | 000,026,225 | ---- | C] () -- C:\Documents and Settings\Glen Bottrel\Desktop\Aug Deposits Toronto PAge 2.pdf
[2011/08/26 09:58:13 | 000,085,376 | ---- | C] () -- C:\WINDOWS\System32\drivers\78854903.sys
[2011/08/25 13:57:01 | 000,000,073 | ---- | C] () -- C:\WINDOWS\System32\-1
[2011/08/23 11:24:03 | 000,043,408 | -HS- | C] () -- C:\WINDOWS\System32\c_27980.nl_
[2011/08/22 21:22:59 | 001,405,744 | ---- | C] () -- C:\Documents and Settings\Glen Bottrel\Desktop\tdsskiller.exe
[2011/08/22 20:04:55 | 001,405,744 | ---- | C] () -- C:\Documents and Settings\Glen Bottrel\Desktop\tryingagain.com
[2011/08/22 20:00:42 | 001,405,744 | ---- | C] () -- C:\Documents and Settings\Glen Bottrel\Desktop\123.com
[2011/08/22 13:31:55 | 000,035,712 | ---- | C] () -- C:\WINDOWS\System32\drivers\BlackBox.sys
[2011/08/22 13:30:19 | 000,139,264 | ---- | C] () -- C:\Documents and Settings\Glen Bottrel\Desktop\RKUnhookerLE.EXE
[2011/08/22 12:30:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\2394369093
[2011/08/21 10:06:12 | 026,067,354 | ---- | C] () -- C:\Documents and Settings\Glen Bottrel\Desktop\Pawlooza.zip
[2011/08/19 15:44:05 | 000,074,690 | ---- | C] () -- C:\Documents and Settings\Glen Bottrel\Desktop\Fisher School 110819.pdf
[2011/08/14 10:14:18 | 004,785,811 | ---- | C] () -- C:\Documents and Settings\Glen Bottrel\Desktop\Outside.zip
[2011/08/09 16:23:38 | 000,000,872 | -H-- | C] () -- C:\WINDOWS\tasks\Telus due Sept 4 - Add money.job
[2011/08/04 09:54:57 | 003,173,987 | ---- | C] () -- C:\Documents and Settings\Glen Bottrel\Desktop\summer pics.zip
[2011/07/27 11:27:47 | 000,000,176 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fzr
[2011/07/27 11:27:46 | 000,000,224 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fz
[2011/07/27 11:27:30 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\P1kAlMiG2Kb7Fz
[2011/03/08 13:03:28 | 000,000,143 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2010/11/14 21:41:16 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Glen Bottrel\Local Settings\Application Data\housecall.guid.cache
[2010/07/08 21:13:29 | 000,002,608 | ---- | C] () -- C:\Documents and Settings\Glen Bottrel\Local Settings\Application Data\d3d9caps.dat
[2010/05/15 15:49:35 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\virport.dll
[2010/03/13 12:03:17 | 000,002,560 | ---- | C] () -- C:\WINDOWS\_MSRSTRT.EXE
[2009/10/20 14:19:30 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2009/05/08 22:48:53 | 000,550,344 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/04/06 23:16:32 | 000,015,498 | ---- | C] () -- C:\WINDOWS\VX3000.ini
[2009/04/06 20:58:17 | 000,000,000 | ---- | C] () -- C:\Program Files\wcnav.xml
[2009/02/28 18:18:56 | 000,000,242 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2009/02/28 18:18:56 | 000,000,093 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2009/02/28 18:18:31 | 000,000,419 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2009/02/28 18:18:31 | 000,000,027 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2009/02/28 18:11:28 | 000,000,050 | ---- | C] () -- C:\WINDOWS\System32\bridf08b.dat
[2009/02/28 18:11:16 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2009/02/28 18:11:16 | 000,000,086 | ---- | C] () -- C:\WINDOWS\Brfaxrx.ini
[2009/02/28 18:11:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\brdfxspd.dat
[2009/02/28 18:08:39 | 000,031,567 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2009/02/11 14:24:58 | 000,000,195 | ---- | C] () -- C:\WINDOWS\WinHelp.ini
[2008/08/02 20:43:24 | 000,075,384 | ---- | C] () -- C:\WINDOWS\TrueInstall.exe
[2008/05/23 12:50:37 | 000,086,082 | ---- | C] () -- C:\WINDOWS\System32\ftdiunin.exe
[2008/05/23 12:50:37 | 000,000,110 | ---- | C] () -- C:\WINDOWS\System32\ftdiun2k.ini
[2008/03/16 15:23:41 | 000,020,992 | ---- | C] () -- C:\WINDOWS\jestertb.dll
[2008/03/06 19:22:53 | 000,217,088 | ---- | C] () -- C:\WINDOWS\System32\LPng.dll
[2008/01/11 00:09:42 | 000,000,025 | ---- | C] () -- C:\Documents and Settings\Glen Bottrel\Application Data\tcw_config.cfg
[2007/12/24 09:52:48 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\mgabg.exe
[2007/11/09 23:38:01 | 000,069,632 | ---- | C] () -- C:\WINDOWS\UNINSTCC.EXE
[2007/09/17 11:48:44 | 000,002,496 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2007/05/19 14:09:18 | 000,004,096 | ---- | C] () -- C:\WINDOWS\d3dx.dat
[2007/02/23 11:55:39 | 000,002,922 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/04/21 12:53:16 | 000,000,037 | ---- | C] () -- C:\WINDOWS\ipixActivex.ini
[2006/02/23 21:39:26 | 000,000,135 | ---- | C] () -- C:\Documents and Settings\Glen Bottrel\Local Settings\Application Data\fusioncache.dat
[2006/02/07 20:08:11 | 000,000,305 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\addr_file.html
[2005/03/04 23:43:00 | 000,000,021 | ---- | C] () -- C:\Program Files\AVPersonalAVWIN.INI
[2005/02/20 19:19:33 | 000,000,072 | ---- | C] () -- C:\WINDOWS\ANS2000.INI
[2005/02/20 19:19:33 | 000,000,020 | ---- | C] () -- C:\WINDOWS\akebook.ini
[2005/02/20 19:19:33 | 000,000,004 | ---- | C] () -- C:\WINDOWS\a3kebook.ini
[2004/10/01 14:54:10 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/04/29 23:08:36 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/02/17 20:28:49 | 000,000,018 | ---- | C] () -- C:\WINDOWS\gfact.ini
[2003/10/28 20:11:30 | 000,071,749 | ---- | C] () -- C:\WINDOWS\HCExtOutput.dll
[2003/10/28 20:11:30 | 000,000,823 | ---- | C] () -- C:\WINDOWS\TSC.ini
[2003/10/28 20:11:08 | 000,000,170 | ---- | C] () -- C:\WINDOWS\GetServer.ini
[2003/10/17 19:44:35 | 000,000,165 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2003/08/09 14:36:25 | 000,000,269 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2003/05/13 12:27:10 | 001,123,840 | ---- | C] () -- C:\WINDOWS\System32\quartz(3).dll
[2003/05/13 12:27:10 | 001,123,840 | ---- | C] () -- C:\WINDOWS\System32\quartz(2).dll
[2003/05/12 22:57:53 | 000,151,552 | ---- | C] () -- C:\Documents and Settings\Glen Bottrel\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2003/04/10 23:09:29 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2003/03/08 18:51:57 | 000,000,140 | ---- | C] () -- C:\WINDOWS\TAXWIZ.INI
[2003/03/01 18:56:46 | 000,007,189 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2002/11/26 03:59:59 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\BGData.bin
[2002/11/01 17:17:50 | 000,000,256 | ---- | C] () -- C:\WINDOWS\aucfg.ini
[2002/09/01 16:50:28 | 000,306,688 | ---- | C] () -- C:\WINDOWS\System32\LFFPX7.DLL
[2002/09/01 16:50:28 | 000,095,232 | ---- | C] () -- C:\WINDOWS\System32\LFKODAK.DLL
[2002/09/01 16:50:26 | 000,044,544 | ---- | C] () -- C:\WINDOWS\System32\gif89.dll
[2002/09/01 16:50:12 | 000,000,386 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2002/07/26 21:46:10 | 000,051,022 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2002/07/22 21:47:59 | 000,000,121 | ---- | C] () -- C:\WINDOWS\Winamp.ini
[2002/07/21 20:10:29 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2002/07/21 18:44:48 | 000,041,047 | ---- | C] () -- C:\WINDOWS\System32\ActPanel.dll
[2002/07/21 13:39:37 | 000,000,224 | ---- | C] () -- C:\WINDOWS\netscape.INI
[2002/07/21 13:25:54 | 000,042,864 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2002/07/21 13:25:47 | 000,634,087 | ---- | C] () -- C:\WINDOWS\cd32.exe
[2002/07/19 14:21:05 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\bcmrmv.exe
[2002/07/19 14:21:05 | 000,037,888 | ---- | C] () -- C:\WINDOWS\System32\instdrv.dll
[2002/07/17 15:46:27 | 000,000,164 | R--- | C] () -- C:\WINDOWS\avrack.ini
[2002/07/15 17:55:07 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2002/07/15 17:50:21 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2002/07/15 13:41:43 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2002/07/15 13:40:49 | 000,294,072 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2002/07/09 11:49:25 | 000,286,208 | ---- | C] () -- C:\WINDOWS\System32\cncs232.dll
[2002/07/04 16:05:34 | 000,000,269 | ---- | C] () -- C:\WINDOWS\tmupdate.ini
[2002/03/14 13:00:26 | 000,038,567 | ---- | C] () -- C:\WINDOWS\System32\pcpbios.exe
[2001/12/14 14:34:46 | 000,164,864 | ---- | C] () -- C:\WINDOWS\patchw32.dll
[2001/08/18 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/18 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/18 08:00:00 | 000,507,826 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/18 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/18 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/18 08:00:00 | 000,091,744 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/18 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/18 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/18 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/18 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2001/08/10 13:14:16 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\ImapiRoxPS.dll
[1999/07/23 14:46:48 | 000,000,116 | ---- | C] () -- C:\WINDOWS\AuHCcup1.ini
[1999/07/23 11:53:20 | 000,129,536 | ---- | C] () -- C:\WINDOWS\AuHCcup1.dll
[1998/08/16 06:00:00 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\sysres.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 816 bytes -> C:\WINDOWS\2394369093:3134408817.exe

< End of report >
-------

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xBF012000 C:\WINDOWS\System32\G400DHD.dll 2400256 bytes (Matrox Graphics Inc., Matrox G400DH Display Driver)
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2192768 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2192768 bytes
0x804D7000 RAW 2192768 bytes
0x804D7000 WMIxWDM 2192768 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF7382000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xF01D2000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF66E4000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xF02B7000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xEB047000 C:\WINDOWS\System32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xF685D000 C:\WINDOWS\system32\DRIVERS\g400dhm.sys 352256 bytes (Matrox Graphics Inc., Matrox G400DH Miniport Driver)
0xBF25C000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xEDDCE000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF67A2000 C:\WINDOWS\system32\drivers\ALCXWDM.SYS 262144 bytes (Avance Logic, Inc., Avance AC'97 Audio Driver (WDM))
0xF0335000 C:\WINDOWS\System32\Drivers\UdfReadr_xp.SYS 208896 bytes (Roxio, CD-UDF NT Filesystem Reader Driver)
0xF6695000 C:\WINDOWS\System32\Drivers\UimFIO.SYS 200704 bytes (Paragon, Image Mounter File I/O)
0xF74A0000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xEB0EF000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF7355000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xEB151000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xF0242000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF028F000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xEFB6A000 C:\WINDOWS\system32\DRIVERS\avipbb.sys 159744 bytes (Avira GmbH, Avira Driver for Security Enhancement)
0xF01AC000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xF677E000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF67E2000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF6826000 C:\WINDOWS\System32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xF026D000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xF7438000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF6806000 C:\WINDOWS\System32\Drivers\pwd_2K.SYS 131072 bytes (Roxio, Win2000 Framework for Packet Write Driver)
0xF7470000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF66C6000 C:\WINDOWS\System32\Drivers\Uim_IM.sys 122880 bytes (Paragon, Image Mounter)
0xF733B000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF7458000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xEDFF3000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xEB74F000 C:\WINDOWS\system32\DRIVERS\avgntflt.sys 94208 bytes (Avira GmbH, Avira Minifilter Driver)
0xF740F000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF6753000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xEDA91000 C:\WINDOWS\system32\drivers\51669804.sys 86016 bytes
0xEB582000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF676A000 C:\WINDOWS\System32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF6849000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0x806EF000 ACPI_HAL 81152 bytes
0x806EF000 C:\WINDOWS\system32\hal.dll 81152 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF0310000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7426000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF748F000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF6742000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF76EF000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF75CF000 C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS 65536 bytes (Roxio, CDR4_XP CDR Helper)
0xF75DF000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF760F000 C:\WINDOWS\System32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
!!!!!!!!!!!Hidden driver: 0xEDF07000 .mrxsmb 61440 bytes
0xF75FF000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xEB22C000 C:\WINDOWS\system32\drivers\npf.sys 61440 bytes (CACE Technologies, Inc., npf.sys (NT5/6 x86) Kernel Driver)
0xF75EF000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF3962000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF39C2000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF753F000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF761F000 C:\WINDOWS\System32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF762F000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF751F000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF764F000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF767F000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF75BF000 C:\WINDOWS\system32\drivers\Imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF750F000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF763F000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF754F000 viaagp.sys 45056 bytes (Microsoft Corporation, VIA NT AGP Filter)
0xF759F000 C:\WINDOWS\System32\DRIVERS\amdk7.sys 40960 bytes (Microsoft Corporation, Processor Device Driver)
0xF74FF000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF39E2000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF766F000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
!!!!!!!!!!!Hidden driver: 0xEB364000 4154255416 36864 bytes
0xF75AF000 C:\WINDOWS\System32\DRIVERS\AN983.sys 36864 bytes (ADMtek Incorporated., ADMtek AN983/AN985/ADM951X NDIS5 Driver)
0xF74EF000 BlackBox.sys 36864 bytes (RKU Driver)
0xF752F000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF5D51000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF765F000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF459C000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xF769F000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF7817000 C:\WINDOWS\system32\drivers\mbamswissarmy.sys 32768 bytes (Malwarebytes Corporation, Malwarebytes' Anti-Malware)
0xF2C77000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF785F000 C:\WINDOWS\System32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF08ED000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF776F000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF7897000 C:\WINDOWS\system32\DRIVERS\UimBus.sys 28672 bytes (Windows ® 2000 DDK provider, Image Mounter SCSI Port Driver)
0xF784F000 C:\WINDOWS\System32\Drivers\Cdralw2k.SYS 24576 bytes (Roxio, CDRAL for Windows 2000 Kernel Driver)
0xF7867000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF3217000 C:\WINDOWS\System32\Drivers\mmc_2K.SYS 24576 bytes (Roxio, CD-R/RW AddOn MMC Driver (W2K))
0xF788F000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF2C6F000 C:\WINDOWS\system32\DRIVERS\ssmdrv.sys 24576 bytes (Avira GmbH, AVIRA SnapShot Driver)
0xF7857000 C:\WINDOWS\System32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF2C87000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF31FF000 C:\WINDOWS\System32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF2C7F000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF7777000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7877000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF787F000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF786F000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF77CF000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF729A000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xF79EB000 C:\WINDOWS\System32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF78FF000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF07AF000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF72AE000 C:\WINDOWS\System32\DRIVERS\gameenum.sys 12288 bytes (Microsoft Corporation, Game Port Enumerator)
0xF079F000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF0793000 C:\WINDOWS\System32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF72AA000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF2EA7000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7AB5000 C:\Program Files\Avira\AntiVir Desktop\avgio.sys 8192 bytes (Avira GmbH, Avira AntiVir Support for Minifilter)
0xF7A91000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7A39000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7A8F000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF79EF000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7A93000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7A13000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF7A95000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7A2F000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7A71000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF79F3000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xF79F1000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7AC3000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7BDF000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7AC0000 C:\WINDOWS\system32\drivers\msmpu401.sys 4096 bytes (Microsoft Corporation, MPU401 Adapter Driver)
0xF7B60000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
==============================================
>Stealth
==============================================
0x8644EAD4 Unknown page with executable code, 1324 bytes
0x8644A504 Unknown page with executable code, 2812 bytes
0x864490C6 Unknown page with executable code, 3898 bytes
WARNING: Virus alike driver modification [mrxsmb.sys]
0xEB368E80 Unknown thread object [ ETHREAD 0x8692E020 ] TID: 1940, 600 bytes
0xEDF0F105 Unknown thread object [ ETHREAD 0x86939770 ] TID: 1956, 600 bytes

Edited by raven123, 27 August 2011 - 11:20 AM.
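A quick way to pull the points of interest out of a Rootkit Unhooker driver listing like the one above, as an added Python example that is not part of the original post and not RkU's own code: it parses the ">Drivers" section and flags entries RkU marked as hidden, entries with no vendor string, names that are all digits, and names with a leading dot. Two exceptions in the no-vendor check are the example's own assumptions: kernel aliases that RkU lists at the same base address as a vendor-identified module (PnpManager next to ntoskrnl.exe) and the crash-dump copies of the storage stack named dump_*. The sample log embedded in the block is constructed from a few lines of the listing above; the flag names and the allowlist are the example's choices, not anything the tool emits.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a few lines in the format of RkU's ">Drivers" section.
SAMPLE_LOG = r"""
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2192768 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2192768 bytes
0xEFB6A000 C:\WINDOWS\system32\DRIVERS\avipbb.sys 159744 bytes (Avira GmbH, Avira Driver for Security Enhancement)
0xEDA91000 C:\WINDOWS\system32\drivers\51669804.sys 86016 bytes
!!!!!!!!!!!Hidden driver: 0xEDF07000 .mrxsmb 61440 bytes
!!!!!!!!!!!Hidden driver: 0xEB364000 4154255416 36864 bytes
0xEDFF3000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF74EF000 BlackBox.sys 36864 bytes (RKU Driver)
"""

# One driver line: optional "Hidden driver:" prefix, base address, module path or
# bare name, size, and an optional "(vendor, description)" tail.
DRIVER_RE = re.compile(
    r"^(?P<hidden>!+Hidden driver: )?"
    r"(?P<addr>0x[0-9A-Fa-f]+) "
    r"(?P<path>.+?) "
    r"(?P<size>\d+) bytes"
    r"(?: \((?P<vendor>.*)\))?$"
)

# Assumption for this example: crash-dump copies of the storage stack (dump_*)
# legitimately carry no vendor string on XP and are not worth flagging.
BENIGN_NO_VENDOR_PREFIXES = ("dump_",)


@dataclass
class DriverEntry:
    addr: str
    path: str
    size: int
    vendor: Optional[str]
    hidden: bool
    flags: List[str] = field(default_factory=list)

    @property
    def name(self) -> str:
        # Last path component; bare names such as "PnpManager" come back unchanged.
        return self.path.rsplit("\\", 1)[-1]


def parse_rku_drivers(text: str) -> List[DriverEntry]:
    """Parse every driver line; section headers and '=====' rules are skipped."""
    entries = []
    for line in text.splitlines():
        m = DRIVER_RE.match(line.strip())
        if m:
            entries.append(DriverEntry(
                addr=m["addr"], path=m["path"], size=int(m["size"]),
                vendor=m["vendor"], hidden=bool(m["hidden"])))
    return entries


def flag_entries(entries: List[DriverEntry]) -> List[DriverEntry]:
    """Attach triage flags to each entry (in place) and return the list."""
    # Base addresses already occupied by a vendor-identified module: RkU lists
    # kernel aliases (PnpManager, RAW, WMIxWDM, ...) at ntoskrnl's address.
    identified_addrs = {e.addr for e in entries if e.vendor is not None}
    for e in entries:
        name = e.name
        stem = name.lower().removesuffix(".sys").lstrip(".")
        if e.hidden:
            e.flags.append("hidden")
        if (e.vendor is None
                and e.addr not in identified_addrs
                and not name.lower().startswith(BENIGN_NO_VENDOR_PREFIXES)):
            e.flags.append("no_vendor")
        if stem.isdigit():
            e.flags.append("numeric_name")
        if name.startswith("."):
            e.flags.append("dot_prefixed_name")
    return entries


def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged module name to its flags; clean entries are omitted."""
    return {e.name: e.flags
            for e in flag_entries(parse_rku_drivers(text)) if e.flags}


if __name__ == "__main__":
    for name, flags in triage(SAMPLE_LOG).items():
        print(f"{name:16} {', '.join(flags)}")
```

Run against the full listing from the post, the same three entries stand out (51669804.sys, the hidden .mrxsmb, and the hidden all-digit module), while the Microsoft, Avira, Roxio and Paragon drivers and the kernel aliases stay quiet. The flags are a starting point for a human, not a verdict: a hidden or unsigned-looking driver still needs to be pulled and checked before anything is deleted.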


#5 raven123 (Topic Starter)

Posted 27 August 2011 - 04:12 PM

Hi. After running Rootkit Unhooker, I now have a box on my desktop that says "Extended mode is ON, are you sure you want to use it?" To close it I have to choose either Yes or No. Which one do I pick?

Thanks.

#6 Shannon2012 (Security Colleague)

Posted 27 August 2011 - 05:03 PM

Answer - NO. Do you have two monitors?
Shannon

#7 Shannon2012 (Security Colleague)

Posted 27 August 2011 - 05:04 PM

Hi-

Let's try something else to get to that infection.

Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • If the AV Scan window appears, select (none).
  • Click Scan (if asked to update the Avast anti-virus definitions, click on No).
  • When you get the "Scan finished successfully" message, click the save log button, save it to your desktop (MBR.txt) and post it in your next reply.
  • It will also copy the MBR (Master Boot Record) into a file on your desktop as MBR.dat.
In your reply, please copy in the aswMBR report.
Shannon

#8 raven123 (Topic Starter)

Posted 27 August 2011 - 05:13 PM

Answer - NO. Do you have two monitors?


Yes I do have two monitors. I will click the No button to get rid of the box.

#9 raven123 (Topic Starter)

Posted 27 August 2011 - 05:20 PM

I downloaded aswMBR, ran it and I saw a suspicious file in red, but before it was done scanning it shut down, so I was unable to save a log. When I tried to run it again I got the "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item". I can't delete the exe file now either; I get this: "Cannot delete aswMBR: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use." I actually have quite a few files like that on my desktop that I am unable to delete.

Edited by raven123, 27 August 2011 - 05:21 PM.


#10 Shannon2012 (Security Colleague)

Posted 27 August 2011 - 07:32 PM

Hi-

Download one of the following Rkill programs to your desktop and run it. If you are unable to run the Rkill you downloaded, download another one and try it.
Rkill.exe
Rkill.com
Rkill.scr
Rkill.pif

Run Rkill and try aswMBR again. You might need to run Rkill more than once.
Shannon

#11 raven123 (Topic Starter)

Posted 27 August 2011 - 08:16 PM

The first Rkill worked, but aswMBR won't finish the scan. I ran Rkill 3 or 4 times. I have to download a new aswMBR and rename it in order to try it again. The one I have on my desktop gives me the "Windows cannot access the specified device, etc." message. The final time I ran aswMBR I grabbed part of the text before the box closed. Here is what I managed to get:

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-08-27 20:50:41
-----------------------------
20:50:41.727 OS Version: Windows 5.1.2600 Service Pack 3
20:50:41.727 Number of processors: 1 586 0x602
20:50:41.727 ComputerName: DAR-4NWAL0LFUC UserName: Glen Bottrel
20:50:44.021 Initialize success
20:50:49.439 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:50:49.439 Disk 0 Vendor: MAXTOR_6L060J3 A93.0500 Size: 57259MB BusType: 3
20:50:51.451 Disk 0 MBR read successfully
20:50:51.451 Disk 0 MBR scan
20:50:51.451 Disk 0 Windows XP default MBR code
20:50:51.471 Disk 0 scanning sectors +117242370
20:50:51.562 Disk 0 scanning C:\WINDOWS\system32\drivers
20:51:14.535 Service scanning
20:51:17.028 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Glen Bottrel\Desktop\MBR.dat"
20:51:17.028 The log file has been saved successfully to "C:\Documents and Settings\Glen Bottrel\Desktop\aswMBR.txt"

Edited by raven123, 27 August 2011 - 08:26 PM.


#12 Shannon2012 (Security Colleague)

Posted 28 August 2011 - 08:37 AM

Hi-

Well done - thank you for that report. From that report, it appears that aswMBR cannot remove the infection. Need to take a different approach.

Download Combofix from either of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: how-to-use-combofix

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable your Anti-virus


Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please copy the "C:\ComboFix.txt" into your reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Shannon

#13 raven123 (Topic Starter)

Posted 28 August 2011 - 08:58 AM

Shannon, I downloaded ComboFix, ran it, and a warning box came up detecting my AntiVir PersonalEdition Classic Virus Protection to be active. The umbrella on my taskbar for AntiVir is closed, has been since I got the virus. How can I disable it even further as per the box from ComboFix? I opened AntiVir but can't find any other way to disable it. Right-clicking on the umbrella shows "AntiVir Guard Enable" is not in bold; I can't even click on it.

#14 Shannon2012 (Security Colleague)

Posted 28 August 2011 - 09:20 AM

Ignore the warning and run it.
Shannon

#15 raven123 (Topic Starter)

Posted 28 August 2011 - 10:39 AM

Hi Shannon, here is my ComboFix report:

ComboFix 11-08-27.01 - Glen Bottrel 28/08/2011 11:00:50.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.783 [GMT -4:00]
Running from: c:\documents and settings\Glen Bottrel\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AntiVir PersonalEdition Classic Virus Protection *Enabled/Updated* {00000000-0000-0000-0000-000000000000}
AV: AntiVir PersonalEdition Classic Virus Protection *Enabled/Updated* {806ED0B3-FFA4-00C8-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *Enabled/Updated* {806ED0B3-FFA4-00DA-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *Enabled/Updated* {806ED0B3-FFA4-00EB-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *Enabled/Updated* {8234E5C0-FFA4-00EB-0D24-347CA8A3377C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Glen Bottrel\Start Menu\Programs\System Repair
c:\documents and settings\Glen Bottrel\Start Menu\Programs\System Repair\System Repair.lnk
c:\documents and settings\Glen Bottrel\Start Menu\Programs\System Repair\Uninstall System Repair.lnk
c:\documents and settings\Glen Bottrel\System
c:\documents and settings\Glen Bottrel\System\win_qs7.jqx
c:\documents and settings\Glen Bottrel\WINDOWS
c:\program files\messenger\msmsgsin.exe
C:\Thumbs.db
c:\windows\$NtUninstallKB3421$
c:\windows\$NtUninstallKB3421$\1160558478\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB3421$\1160558478\click.tlb
c:\windows\$NtUninstallKB3421$\1160558478\L\akygdmgo
c:\windows\$NtUninstallKB3421$\1160558478\loader.tlb
c:\windows\$NtUninstallKB3421$\1160558478\U\$000000c0
c:\windows\$NtUninstallKB3421$\1160558478\U\$000000cb
c:\windows\$NtUninstallKB3421$\1160558478\U\@00000001
c:\windows\$NtUninstallKB3421$\1160558478\U\@000000c0
c:\windows\$NtUninstallKB3421$\1160558478\U\@000000cb
c:\windows\$NtUninstallKB3421$\1160558478\U\@000000cf
c:\windows\$NtUninstallKB3421$\1160558478\U\@80000000
c:\windows\$NtUninstallKB3421$\1160558478\U\@800000c0
c:\windows\$NtUninstallKB3421$\1160558478\U\@800000cb
c:\windows\$NtUninstallKB3421$\1160558478\U\@800000cf
c:\windows\$NtUninstallKB3421$\4234562671
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\ehome\snchk.exe
c:\windows\jestertb.dll
c:\windows\patch.exe
c:\windows\system\oeminfo.ini
c:\windows\system32\c_27980.nls
c:\windows\system32\ie.ico
c:\windows\system32\open.ico
c:\windows\winhelp.ini
.
Infected copy of c:\windows\system32\drivers\mrxsmb.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-28 )))))))))))))))))))))))))))))))
.
.
2011-08-26 08:51 . 2011-08-26 09:04 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2011-08-25 17:56 . 2011-08-25 17:57 -------- d-----w- c:\program files\WinPcap
2011-08-24 01:24 . 2011-08-24 01:24 -------- d-----w- C:\TK_Quarantine
2011-08-23 15:24 . 2011-08-26 13:07 43408 --sha-w- c:\windows\system32\c_27980.nl_
2011-08-23 02:31 . 2011-08-23 02:31 388096 ----a-r- c:\documents and settings\Glen Bottrel\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-08-22 17:31 . 2011-08-22 17:31 35712 ----a-w- c:\windows\system32\drivers\BlackBox.sys
2011-08-10 02:14 . 2011-08-10 02:14 -------- d-----w- c:\program files\Convar
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-28 14:53 . 2001-08-18 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-08-26 08:58 . 2007-12-24 13:52 81920 ----a-w- c:\windows\system32\mgabg.exe
2011-08-25 00:04 . 2001-08-18 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-24 13:33 . 2001-08-18 12:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-24 13:26 . 2002-07-15 17:43 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-24 01:26 . 2002-07-22 03:43 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-08-23 15:34 . 2001-08-18 12:00 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-07-15 13:29 . 2011-08-28 14:49 457856 ----a-w- c:\windows\system32\drivers\mrxsmb.svs
2011-07-08 14:02 . 2001-08-18 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-08 11:55 . 2011-07-27 17:01 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-08 11:55 . 2011-07-27 17:01 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-29 07:13 . 2009-05-30 00:28 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-06-29 07:13 . 2009-05-30 00:28 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-06-24 14:10 . 2002-07-15 21:49 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2004-08-24 00:32 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2004-06-05 18:25 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2004-06-05 18:24 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-06-22 13:55 . 2011-05-19 17:22 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-20 17:44 . 2001-08-18 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-06 19:55 . 2011-06-06 19:55 47512 ----a-w- c:\windows\system32\AdobePDF.dll
2011-06-06 19:55 . 2011-06-06 19:55 22936 ----a-w- c:\windows\system32\AdobePDFUI.dll
2011-06-02 14:02 . 2001-08-18 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe
[-] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\spoolsv.exe
[-] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB2347290$\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"SoundMan"="soundman.exe" [2001-05-29 124416]
"Show missed alarms"="c:\program files\Alarm\Alarm.exe" [2004-09-15 237992]
"Matrox Powerdesk"="c:\windows\system32\PDesk\PDesk.exe" [2006-03-02 684032]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-04 281768]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-21 86016]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-05-29 1085440]
"MegaPanel"="c:\program files\ACNielsen\Homescan Internet Transporter\HSTrans.exe" [2006-05-11 2064384]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2005-09-19 684032]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2011-06-06 36760]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2011-06-06 2903448]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-2-11 811008]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PhraseExpress.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PhraseExpress.lnk
backup=c:\windows\pss\PhraseExpress.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2008-08-04 20:22 160800 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 15:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
2008-08-04 20:22 721936 ----a-w- c:\windows\vVX3000.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\ICQ\\Icq.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\PhraseExpress\\PhraseExpress.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\Glen Bottrel\\Desktop\\tdsskiller.exe"=
"c:\\Documents and Settings\\Glen Bottrel\\Desktop\\TDSSKiller\\TDSSKiller.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Premier\\QBW32.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Intuit\\QuickBooks\\QBUpdate\\qbupdate.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Adobe\\Acrobat 10.0\\Acrobat\\Acrobat.exe"=
"c:\\Program Files\\ACNielsen\\Homescan Internet Transporter\\HSTrans.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
.
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [20/10/2009 2:19 PM 50704]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [29/05/2009 8:28 PM 130560]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/02/2010 11:59 PM 135664]
S3 AlarmClockMonitor;Talking Alarm Clock user logon monitor;c:\program files\Alarm\AlarmMonitor.exe [15/09/2004 1:30 PM 241664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [05/02/2010 11:59 PM 135664]
S3 nv3;nv3;c:\windows\system32\drivers\nv3.sys [15/07/2002 1:43 PM 198144]
S3 UtilNT;UtilNT;c:\windows\system32\drivers\utilnt.sys [19/07/2002 2:02 PM 5533]
.
Contents of the 'Scheduled Tasks' folder
.
2008-05-07 c:\windows\Tasks\Ability Chat.job
- c:\program files\Alarm\Alarm.exe [2004-09-15 19:48]
.
2011-08-22 c:\windows\Tasks\Ability Online Chat.job
- c:\program files\Alarm\Alarm.exe [2004-09-15 19:48]
.
2011-08-24 c:\windows\Tasks\Ask Gayle for QB.job
- c:\program files\Alarm\Alarm.exe [2004-09-15 19:48]
.
2011-03-11 c:\windows\Tasks\Carol's Bday Sept 22.job
- c:\program files\Alarm\Alarm.exe [2004-09-15 19:48]
.
2008-05-07 c:\windows\Tasks\Carols Bday Sept 22nd.job
- c:\program files\Alarm\Alarm.exe [2004-09-15 19:48]
.
2011-08-21 c:\windows\Tasks\Cat Of the Week.job
- c:\program files\Alarm\Alarm.exe [2004-09-15 19:48]
.
2011-08-28 c:\windows\Tasks\check living well.job
- c:\program files\Alarm\Alarm.exe [2004-09-15 19:48]
.
2011-03-11 c:\windows\Tasks\check snowager at 9%58%14.job
- c:\program files\Alarm\Alarm.exe [2004-09-15 19:48]
.
2011-08-21 c:\windows\Tasks\COTW.job
- c:\program files\Alarm\Alarm.exe [2004-09-15 19:48]
.
2011-07-19 c:\windows\Tasks\Gayle's bday July 18.job
- c:\program files\Alarm\Alarm.exe [2004-09-15 19:48]
.
2011-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 03:58]
.
2011-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 03:58]
.
2011-08-03 c:\windows\Tasks\half price day at neopets.job
- c:\program files\Alarm\Alarm.exe [2004-09-15 19:48]
.
2011-08-25 c:\windows\Tasks\Log into Ripway to save images.job
- c:\program files\Alarm\Alarm.exe [2004-09-15 19:48]
.
2011-08-06 c:\windows\Tasks\Pay ISP Bill.job
- c:\program files\Alarm\Alarm.exe [2004-09-15 19:48]
.
2011-08-06 c:\windows\Tasks\Sally's Bday Aug 6.job
- c:\program files\Alarm\Alarm.exe [2004-09-15 19:48]
.
2011-06-02 c:\windows\Tasks\Scripps Spelling Bee soon.job
- c:\program files\Alarm\Alarm.exe [2004-09-15 19:48]
.
2011-08-26 c:\windows\Tasks\Send Schedule to Gayle.job
- c:\program files\Alarm\Alarm.exe [2004-09-15 19:48]
.
2011-08-27 c:\windows\Tasks\Snowager.job
- c:\program files\Alarm\Alarm.exe [2004-09-15 19:48]
.
2011-08-12 c:\windows\Tasks\Sue and Daves Anniversay Aug 12 (24th maybe).job
- c:\program files\Alarm\Alarm.exe [2004-09-15 19:48]
.
2011-02-09 c:\windows\Tasks\Sue Smith's Bday Feb 9.job
- c:\program files\Alarm\Alarm.exe [2004-09-15 19:48]
.
2011-08-09 c:\windows\Tasks\Telus due Sept 4 - Add money.job
- c:\program files\Alarm\Alarm.exe [2004-09-15 19:48]
.
2011-08-28 c:\windows\Tasks\The snowwager.job
- c:\program files\Alarm\Alarm.exe [2004-09-15 19:48]
.
2011-08-28 c:\windows\Tasks\Transmit scanner.job
- c:\program files\Alarm\Alarm.exe [2004-09-15 19:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gimpsy.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 64.71.255.198
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {916C95B3-55DA-43F7-A88F-32D37770306A} - hxxp://www.rogershelp.com/ocf/prjOCFTools.CAB
FF - ProfilePath - c:\documents and settings\Glen Bottrel\Application Data\Mozilla\Firefox\Profiles\r1uapznt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gimpsy.com/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Adobe Acrobat - Create PDF: web2pdfextension@web2pdf.adobedotcom - c:\program files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKLM-Run-POINTER - point32.exe
SafeBoot-02065245.sys
SafeBoot-18875131.sys
SafeBoot-41014254.sys
SafeBoot-46393896.sys
SafeBoot-59063259.sys
SafeBoot-69276990.sys
SafeBoot-74964400.sys
SafeBoot-78417515.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-28 11:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-329068152-1993962763-1060284298-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3096)
c:\windows\system32\WININET.dll
c:\windows\system32\PDesk\PDShell.dll
c:\windows\system32\PDesk\PDTOOLS.DLL
c:\windows\system32\PDesk\PDRESENG.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\PDesk\PDKERNEL.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\soundman.exe
c:\program files\Alarm\Alarm Tray.exe
.
**************************************************************************
.
Completion time: 2011-08-28 11:35:20 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-28 15:35
.
Pre-Run: 32,898,650,112 bytes free
Post-Run: 32,934,629,376 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 11ABB899809743F608024F1FF7DBC9F2