
Security Protection Virus


  • This topic is locked
18 replies to this topic

#1 Max Po

Max Po

  • Members
  • 10 posts
  • OFFLINE

Posted 04 September 2011 - 03:48 PM

Thanks in advance to anyone willing and able to help!

I am running Windows XP Professional in network mode on a work laptop.

I've gotten the Security Protection virus before, but usually running MalwareBytes would fix the problem for a while. Each time I catch the virus it seems like eliminating it with MalwareBytes gets progressively harder to do.

Now it won't allow me to run MalwareBytes at all.

I also downloaded SuperAntiSpyware; however, it crashes every time after a few seconds of scanning. The alternate startups for SuperAntiSpyware do not work either.

I've tried looking it up manually in the registry but can't find it under the default folders/names.

Per the posting instructions I downloaded DDS and GMER.

I get the following from DDS: does not work in DOS mode


Ive tried in both safe mode and normal startup and get the same message from DDS.

The GMER log is as follows:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-04 16:18:42
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 HITACHI_ rev.FC2Z
Running: gmer.exe; Driver: C:\DOCUME~1\JULES~1.PIE\LOCALS~1\Temp\kfdyipod.sys


---- System - GMER 1.0.15 ----

SSDT 8A2496B0 ZwConnectPort

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IoReuseIrp + 8B 804EF90D 7 Bytes CALL 84C6B125
.text iaStor.sys B9E51997 7 Bytes CALL 84C67580
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB43E0000, 0x235297, 0xE8000020]
.text mrxsmb.sys!DdYzechRkpbxCvmzio 9E4F5000 45 Bytes [06, 0F, 83, 65, B4, 00, 00, ...]
.text mrxsmb.sys!TmNbpnm + 14 9E4F502E 95 Bytes [4D, 0C, 83, C9, 02, 89, 0A, ...]
.text mrxsmb.sys!TmNbpnm + 74 9E4F508E 16 Bytes [EC, 33, C0, 50, 50, 50, 50, ...]
.text mrxsmb.sys!TmNbpnm + 85 9E4F509F 67 Bytes [05, 51, 9E, 5D, C2, 04, 00, ...]
.text mrxsmb.sys!TmNbpnm + C9 9E4F50E3 103 Bytes [55, 8B, EC, 51, 51, 8B, 45, ...]
.text mrxsmb.sys!TmNbpnm + 131 9E4F514B 33 Bytes [C9, 0F, 84, DB, 72, 00, 00, ...]
.text ...
.text mrxsmb.sys!DdYzechRkpbxCvmzio + 40 9E4F5207 141 Bytes [04, 80, F9, A4, 74, 0E, 8A, ...]
.text mrxsmb.sys!DdYzechRkpbxCvmzio + CF 9E4F5296 16 Bytes [0F, 85, EB, 04, 01, 00, 39, ...]
.text mrxsmb.sys!DdYzechRkpbxCvmzio + E0 9E4F52A7 37 Bytes [03, 00, 00, 68, 26, 53, 4F, ...]
.text mrxsmb.sys!DdYzechRkpbxCvmzio + 107 9E4F52CE 274 Bytes [68, 7E, 53, 4F, 9E, 6A, 01, ...]
.text mrxsmb.sys!DdYzechRkpbxCvmzio + 21A 9E4F53E1 51 Bytes [94, C0, 0A, D8, 8B, 4E, 08, ...]
.text ...
? C:\WINDOWS\system32\DRIVERS\mrxsmb.sys suspicious PE modification

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\00001593 \GLOBAL??\ACPI#PNP0303#2&da1a3ff&0 84C645E0

---- Threads - GMER 1.0.15 ----

Thread System [4:1280] B894CE80
Thread System [4:1284] B894CE80
Thread System [4:1288] 84C6B135
Thread System [4:1292] 84C6B135

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB57679$\3909615628 0 bytes
File C:\WINDOWS\$NtUninstallKB57679$\4262060217 0 bytes
File C:\WINDOWS\$NtUninstallKB57679$\4262060217\click.tlb 2144 bytes
File C:\WINDOWS\$NtUninstallKB57679$\4262060217\L 0 bytes
File C:\WINDOWS\$NtUninstallKB57679$\4262060217\L\ohmczglt 455936 bytes
File C:\WINDOWS\$NtUninstallKB57679$\4262060217\loader.tlb 2540 bytes
File C:\WINDOWS\$NtUninstallKB57679$\4262060217\U 0 bytes
File C:\WINDOWS\$NtUninstallKB57679$\4262060217\U\@00000001 41360 bytes
File C:\WINDOWS\$NtUninstallKB57679$\4262060217\U\@000000c0 2560 bytes
File C:\WINDOWS\$NtUninstallKB57679$\4262060217\U\@000000cb 2048 bytes
File C:\WINDOWS\$NtUninstallKB57679$\4262060217\U\@000000cf 1536 bytes
File C:\WINDOWS\$NtUninstallKB57679$\4262060217\U\@80000000 24576 bytes
File C:\WINDOWS\$NtUninstallKB57679$\4262060217\U\@800000c0 33280 bytes
File C:\WINDOWS\$NtUninstallKB57679$\4262060217\U\@800000cb 27648 bytes
File C:\WINDOWS\$NtUninstallKB57679$\4262060217\U\@800000cf 27648 bytes
File C:\WINDOWS\$NtUninstallKB57679$\4262060217\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6} 2048 bytes

---- EOF - GMER 1.0.15 ----

Edited by Max Po, 04 September 2011 - 03:48 PM.
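As an added example (not part of this thread, and not GMER's own code), a small Python triage helper that parses a GMER 1.0.15 log in exactly the layout posted above and pulls out what a responder reads first: the SSDT entry, inline CALL patches in kernel code, the module GMER flags as a suspicious PE modification, and the objects it lists under a $NtUninstall* directory. The embedded log excerpt is constructed from the lines in this post.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed excerpt, modelled line for line on the GMER 1.0.15 log posted above.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT 8A2496B0 ZwConnectPort

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IoReuseIrp + 8B 804EF90D 7 Bytes CALL 84C6B125
.text iaStor.sys B9E51997 7 Bytes CALL 84C67580
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB43E0000, 0x235297, 0xE8000020]
.text mrxsmb.sys!DdYzechRkpbxCvmzio 9E4F5000 45 Bytes [06, 0F, 83, 65, B4, 00, 00, ...]
.text mrxsmb.sys!TmNbpnm + 14 9E4F502E 95 Bytes [4D, 0C, 83, C9, 02, 89, 0A, ...]
? C:\WINDOWS\system32\DRIVERS\mrxsmb.sys suspicious PE modification

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB57679$\4262060217 0 bytes
File C:\WINDOWS\$NtUninstallKB57679$\4262060217\L\ohmczglt 455936 bytes
File C:\WINDOWS\$NtUninstallKB57679$\4262060217\U\@00000001 41360 bytes

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-F]{8})\s+(?P<func>\S+)")
# One pattern for both inline hooks ("7 Bytes CALL 84C6B125") and byte diffs ("45 Bytes [06, ...]").
CODE_RE = re.compile(
    r"^\.text\s+(?P<sym>\S+)(?:\s+\+\s+[0-9A-F]+)?\s+(?P<addr>[0-9A-F]{8})"
    r"\s+(?P<n>\d+)\s+Bytes\s+(?:CALL\s+(?P<target>[0-9A-F]{8})|\[)"
)
SUSPICIOUS_RE = re.compile(r"^\?\s+(?P<path>\S+)\s+suspicious PE modification")
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+) bytes$")


@dataclass
class Triage:
    ssdt_hooks: list = field(default_factory=list)           # (function, address the entry points to)
    inline_hooks: list = field(default_factory=list)         # (module, patched address, CALL target)
    patched_bytes: dict = field(default_factory=dict)        # module -> bytes GMER reports as modified
    suspicious_pe: list = field(default_factory=list)        # paths GMER marks "suspicious PE modification"
    uninstall_dir_items: list = field(default_factory=list)  # (path, size) under a $NtUninstall* directory
    findings: list = field(default_factory=list)             # one human-readable line per lead


def split_sections(text):
    """Group non-blank lines under their '---- <name> - GMER x.y.z ----' header; EOF ends the log."""
    sections = defaultdict(list)
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        header = SECTION_RE.match(line)
        if header:
            current = header["name"]
        elif line and current and current != "EOF":
            sections[current].append(line)
    return sections


def triage_gmer(text):
    t = Triage()
    patched = defaultdict(int)
    sections = split_sections(text)
    for line in sections.get("System", []):
        m = SSDT_RE.match(line)
        if m:
            t.ssdt_hooks.append((m["func"], m["addr"]))
    for line in sections.get("Kernel code sections", []):
        m = CODE_RE.match(line)
        if m:
            module = m["sym"].split("!")[0].rsplit("\\", 1)[-1]  # 'mrxsmb.sys!Fn' -> 'mrxsmb.sys'
            if m["target"]:
                t.inline_hooks.append((module, m["addr"], m["target"]))
            else:
                patched[module] += int(m["n"])
        elif (m := SUSPICIOUS_RE.match(line)):
            t.suspicious_pe.append(m["path"])
    t.patched_bytes = dict(patched)
    for line in sections.get("Files", []):
        m = FILE_RE.match(line)
        if m and "$NtUninstall" in m["path"]:
            t.uninstall_dir_items.append((m["path"], int(m["size"])))
    # Leads, not verdicts: security products also hook the SSDT and patch kernel code,
    # so each line is something to correlate with the software installed on the machine.
    t.findings += [f"SSDT entry {f} points to {a}" for f, a in t.ssdt_hooks]
    t.findings += [f"inline CALL patch in {mod} at {a} -> {x}" for mod, a, x in t.inline_hooks]
    t.findings += [f"{n} modified code bytes reported in {mod}" for mod, n in sorted(t.patched_bytes.items())]
    t.findings += [f"GMER flags suspicious PE modification: {p}" for p in t.suspicious_pe]
    if t.uninstall_dir_items:
        t.findings.append(f"{len(t.uninstall_dir_items)} items listed under a $NtUninstall* directory")
    return t
```

Run `triage_gmer(open("gmer.log").read()).findings` against a saved log to get the short list of leads; the `section is writeable` line is deliberately left out as informational.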




#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 04 September 2011 - 04:36 PM

Hello Max Po,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


We need a little more information. Try and run these two programs and post their logs.


1.
    1. Please download OTL from one of the following mirrors:
      • This is THE Mirror
    2. Save it to your desktop.
    3. Double click on the OTL icon on your desktop.
    4. Under the Custom Scan box paste this in:
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

    5. Push the Quick Scan button.
    6. Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized


2.
Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.



Things to include in your next reply:
Otl.txt
Extra.txt
aswMBR log

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Max Po

Max Po
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE

Posted 04 September 2011 - 05:36 PM

The aswMBR scan started then crashed in the same manner that I described MalwareBytes did.



OTL Extras logfile created on: 9/4/2011 6:17:59 PM - Run 1
OTL by OldTimer - Version 3.2.27.0 Folder = C:\Documents and Settings\Jules\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 2.57 Gb Available Physical Memory | 85.91% Memory free
4.84 Gb Paging File | 4.64 Gb Available in Paging File | 95.81% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 114.82 Gb Free Space | 77.03% Space Free | Partition Type: NTFS
Drive E: | 3.74 Gb Total Space | 0.37 Gb Free Space | 9.79% Space Free | Partition Type: FAT32

Computer Name: L-STA-JPLOUIS1 | User Name: Jules.Pierre-Louis | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 4

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DoNotAllowExceptions" = 0
"EnableFirewall" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = 0
"EnableFirewall" = 1
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management
"80:TCP" = 80:TCP:*:Disabled:Windows Remote Management - Compatibility Mode (HTTP-In)
"4481:TCP" = 4481:TCP:LocalSubNet:Enabled:BlackBerry Desktop Software Wireless Music Sync data transfer
"4481:UDP" = 4481:UDP:LocalSubNet:Enabled:BlackBerry Desktop Software Wireless Music Sync discovery
"4482:TCP" = 4482:TCP:LocalSubNet:Enabled:BlackBerry Desktop Software Wireless Music Sync data transfer
"4482:UDP" = 4482:UDP:LocalSubNet:Enabled:BlackBerry Desktop Software Wireless Music Sync discovery

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Symantec AntiVirus\Smc.exe" = C:\Program Files\Symantec AntiVirus\Smc.exe:*:Enabled:SMC Service -- (Symantec Corporation)
"C:\Program Files\Symantec AntiVirus\SNAC.EXE" = C:\Program Files\Symantec AntiVirus\SNAC.EXE:*:Enabled:SNAC Service -- (Symantec Corporation)
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email -- (Symantec Corporation)
"C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe -- ()
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)
"C:\Program Files\Veetle\Player\VeetleNet.exe" = C:\Program Files\Veetle\Player\VeetleNet.exe:*:Enabled:VeetleNet -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Symantec AntiVirus\Smc.exe" = C:\Program Files\Symantec AntiVirus\Smc.exe:*:Enabled:SMC Service -- (Symantec Corporation)
"C:\Program Files\Symantec AntiVirus\SNAC.EXE" = C:\Program Files\Symantec AntiVirus\SNAC.EXE:*:Enabled:SNAC Service -- (Symantec Corporation)
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email -- (Symantec Corporation)
"C:\Program Files\Research In Motion\BlackBerry Desktop\Rim.Desktop.exe" = C:\Program Files\Research In Motion\BlackBerry Desktop\Rim.Desktop.exe:*:Enabled:BlackBerry Desktop Software -- (Research In Motion)
"C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Disabled:hpfccopy.exe -- ()
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Disabled:hpiscnapp.exe -- (Hewlett-Packard)
"C:\Program Files\Veetle\Player\VeetleNet.exe" = C:\Program Files\Veetle\Player\VeetleNet.exe:*:Disabled:VeetleNet -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{00CD55D6-EE5A-4570-9875-8A306628C032}" = Cisco Systems VPN Client 4.7.00.0533
"{014DD303-C515-B7BC-110E-8FD0933AFE7D}" = Catalyst Control Center Graphics Full Existing
"{023D64D7-E7B4-47C7-BE6E-B7C2E8960D08}" = Citrix online plug-in (Web)
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0D62F629-F306-7907-24D1-15C0226A6352}" = CCC Help German
"{0F367CA3-3B2F-43F9-A44A-25A8EE69E45D}" = Scan
"{1297C681-92D7-40EF-93BF-03F66EC5105C}" = ThinkPad EasyEject Utility
"{17CBC505-D1AE-459D-B445-3D2000A85842}" = ThinkPad UltraNav Utility
"{1E8DC17A-EA4C-BE5B-80D5-891CFCB98B4F}" = CCC Help Dutch
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2111B23F-7FDA-4A41-8309-E5A1663CA296}" = ThinkPad Keyboard Customizer Utility
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 22
"{28379381-B56A-43e1-B505-3098D82B1C30}" = 4500G510gm_Software_Min
"{296D19E9-F52A-8B32-6A28-CBC0652C9B7D}" = CCC Help Chinese Traditional
"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm
"{310AB38F-B5C5-CFEE-A551-3A969D35545F}" = CCC Help English
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{399C37FB-08AF-493B-BFED-20FBD85EDF7F}" = Integrated Camera
"{3A35F148-5D76-225D-CBE9-46A70B8A563A}" = Skins
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{43CDF946-F5D9-4292-B006-BA0D92013021}" = WebReg
"{46A84694-59EC-48F0-964C-7E76E9F8A2ED}" = ThinkVantage Active Protection System
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4C0CB0F1-B9FE-F600-8D0E-F88CD315DC8A}" = CCC Help Chinese Standard
"{4E75D1A7-0F3D-8CDE-FB17-1A2D452520D7}" = Catalyst Control Center Core Implementation
"{559E2375-1655-4E8A-6862-0706A04E58D4}" = Catalyst Control Center Localization All
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5783F2D7-9028-0409-0000-0060B0CE6BBA}" = DWG TrueView 2011
"{57FA0525-01F9-4051-8DE9-CBF43CAC68D9}" = Catalyst Control Center - Branding
"{58AB6669-BD08-46D0-BD82-9C1F22C0585F}" = IBM Lotus Domino Unified Communications Client for Avaya
"{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Flash Media Controller Driver Ver.3.54.02
"{5C934E68-E76B-2C33-7D5D-9871D6181E38}" = CCC Help Swedish
"{5DBB8A0E-9DB4-4063-6C70-BD1EB8CF0DCA}" = Catalyst Control Center Graphics Light
"{5E0C56FD-6910-10FA-A836-56D1465AB799}" = Catalyst Control Center InstallProxy
"{65706020-7B6F-41F2-8047-FC69579E386A}" = Presentation Director
"{664518E3-5DF3-52B8-3C7C-4E332E261131}" = CCC Help Portuguese
"{68BCB956-6419-3B57-91C3-0E307F9775B4}" = CCC Help French
"{69333A04-5134-40A5-A055-9166A7AA1EC8}" =
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6BBA26E9-AB03-4FE7-831A-3535584CA002}" = Toolbox
"{6F8EAC65-314D-4D86-9557-BC9312AACCB0}" = Citrix online plug-in (USB)
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{75247E38-5C9B-45D6-ADF8-E11CB56B4990}" = Network
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7E7A5A7D-1045-4075-9808-60C0DE69D38A}" = 4500G510gm_web
"{8144262B-25B4-44F6-8204-FCC8EF50179F}" = Citrix online plug-in (DV)
"{8675339C-128C-44DD-83BF-0A5D6ABD8297}" = System Update
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{87DF5956-A327-4304-8338-8E2B0AAB843E}" = BlackBerry Desktop Software 6.0.2
"{88C6A6D9-324C-46E8-BA87-563D14021442}_is1" = ThinkVantage Communications Utility
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8D20B4D7-3422-4099-9332-39F27E617A6F}" = Autodesk Design Review 2011
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{903A0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Project Standard 2003
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{92127AF5-FDD8-4ADF-BC40-C356C9EE0B7D}" = 32 Bit HP CIO Components Installer
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9E4B37D6-D7F8-4067-B900-3F314C709916}" = Intel® PROSet/Wireless WiFi Software
"{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}" = ThinkPad Power Manager
"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
"{A1960A82-DB70-474D-A86B-FA74466103C6}" = Drivers Install For Linksys Easylink Advisor
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A8B0652C-2213-A53C-5A20-E39C465F4DE9}" = CCC Help Korean
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AAE221D5-C3DD-4FE2-A063-C1368FE730A5}" = Symantec Endpoint Protection
"{AC76BA86-0000-0000-0000-6028747ADE01}" = Adobe Acrobat - Reader 6.0.2 Update
"{AC76BA86-0000-7EC8-7489-000000000603}" = Adobe Acrobat and Reader 6.0.3 Update
"{AC76BA86-0000-7EC8-7489-000000000604}" = Adobe Acrobat and Reader 6.0.4 Update
"{AC76BA86-0000-7EC8-7489-000000000605}" = Adobe Acrobat and Reader 6.0.5 Update
"{AC76BA86-0000-7EC8-7489-000000000606}" = Adobe Acrobat and Reader 6.0.6 Update
"{AC76BA86-1033-0000-7760-000000000001}" = Adobe Acrobat 6.0.1 Professional
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.1
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AF5D6814-CF6C-3610-426C-BA73943EA058}" = CCC Help Spanish
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B38968E0-778F-47C3-8781-BAD4E497801C}" = HP Officejet 4500 G510g-m
"{B7A3873C-ECC8-1898-DD23-F4EC84907755}" = ccc-utility
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD34EA4C-BA49-E541-E299-B3DBB08193AB}" = ATI Catalyst Install Manager
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE6ED5AE-4F78-4B50-ADA5-A8F24DBDC673}" = Cisco AnyConnect VPN Client
"{CF5737AF-8550-4546-A69B-0EA9EF5A9B55}" = ThinkVantage Productivity Center
"{D00E4CDE-C6BE-5C75-5501-4707FA258314}" = CCC Help Japanese
"{D728E945-256D-4477-B377-6BBA693714AC}" = Productivity Center Supplement for ThinkPad
"{DF0B357C-5874-47D0-81E7-79AA890B0CE0}" = 4500_G510gm_Help_Web
"{E0A273AB-3B33-61D8-34CE-C18806D9087C}" = ccc-core-preinstall
"{E11DFB27-BAF4-46D6-AD76-D5519C0E6786}" = Lotus Notes 8.5.2
"{E359A820-2C44-6DE4-23E2-7B9D447511B9}" = CCC Help Italian
"{E5F3D1E9-006E-4435-85D6-483B66376655}" = Citrix online plug-in (PNA)
"{E940D7AE-7BE5-4B6B-8794-9E57B06998D5}" = DameWare Mini Remote Control Client Agent Service
"{EA74A293-3FAC-4D1B-AE3A-3BD47FADDC20}" = Citrix online plug-in (HDX)
"{EC1AB9B4-349A-4542-A017-4038C299C226}" = Citrix online plug-in (SSON)
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F18DB86D-BC16-4E01-BCCE-63F62B931D82}" = InterVideo Register Manager
"{F8131A35-47FD-27AD-116D-0E79AF5DE5EE}" = Acrobat.com
"{FA04909D-AE94-1C88-9AA8-F4665104CBFB}" = Catalyst Control Center Graphics Full New
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"{FF990A49-9D0E-63A8-8A92-83E2EDC24252}" = ccc-core-static
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Autodesk Design Review 2011" = Autodesk Design Review 2011
"BitTorrent" = BitTorrent
"BitTorrentBar Toolbar" = BitTorrentBar Toolbar
"BlackBerry_Desktop" = BlackBerry Desktop Software 6.0.2
"BusinessObjects 5.0" = BusinessObjects 5.1.8
"CitrixOnlinePluginFull" = Citrix online plug-in
"ClientAccessExpress" = IBM iSeries Access for Windows
"CNXT_AUDIO_HDA" = Conexant 20561 SmartAudio HD
"CNXT_MODEM_HDA_HSF" = ThinkPad Modem Adapter
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"conduitEngine" = Conduit Engine
"DWG TrueView 2011" = DWG TrueView 2011
"EasyLinkAdvisor" = Linksys EasyLink Advisor 1.6 (0032)
"Google Chrome" = Google Chrome
"HECI" = Intel® Management Engine Interface
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ITPM" = Intel® Trusted Platform Module
"LENOVO.SMIIF" = Lenovo System Interface Driver
"LenovoAutoScrollUtility" = Lenovo Auto Scroll Utility
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.1.1800
"MESOL" = Intel® Active Management Technology
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Mozilla Firefox 6.0.1 (x86 en-US)" = Mozilla Firefox 6.0.1 (x86 en-US)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OnScreenDisplay" = On Screen Display
"Power Management Driver" = ThinkPad Power Management Driver
"ProInst" = Intel PROSet Wireless
"PROSet" = Intel® Network Connections Drivers
"SynTPDeinstKey" = ThinkPad UltraNav Driver
"ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier
"Veetle TV" = Veetle TV
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR 4.01 (32-bit)
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/23/2011 9:03:03 AM | Computer Name = L-STA-JPLOUIS1 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 8/23/2011 9:42:37 AM | Computer Name = L-STA-JPLOUIS1 | Source = KIXTART | ID = 1789
Description =

Error - 8/23/2011 9:42:37 AM | Computer Name = L-STA-JPLOUIS1 | Source = KIXTART | ID = 1789
Description =

Error - 8/23/2011 9:44:01 AM | Computer Name = L-STA-JPLOUIS1 | Source = Userenv | ID = 1058
Description = Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=sto,DC=com.
The file must be present at the location <\\sto.com\sysvol\sto.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
(Configuration information could not be read from the domain controller, either
because the machine is unavailable, or access has been denied. ). Group Policy
processing aborted.

Error - 8/23/2011 9:44:01 AM | Computer Name = L-STA-JPLOUIS1 | Source = Userenv | ID = 1030
Description = Windows cannot query for the list of Group Policy objects. A message
that describes the reason for this was previously logged by the policy engine.

Error - 8/23/2011 10:47:22 AM | Computer Name = L-STA-JPLOUIS1 | Source = KIXTART | ID = 1789
Description =

Error - 8/23/2011 10:47:22 AM | Computer Name = L-STA-JPLOUIS1 | Source = KIXTART | ID = 1789
Description =

Error - 8/23/2011 2:18:38 PM | Computer Name = L-STA-JPLOUIS1 | Source = KIXTART | ID = 1789
Description =

Error - 8/23/2011 2:18:38 PM | Computer Name = L-STA-JPLOUIS1 | Source = KIXTART | ID = 1789
Description =

Error - 8/23/2011 5:18:04 PM | Computer Name = L-STA-JPLOUIS1 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

[ Cisco AnyConnect VPN Client Events ]
Error - 9/4/2011 3:19:24 PM | Computer Name = L-STA-JPLOUIS1 | Source = vpnapi | ID = 67108866
Description = Function: CTcpListenTransport::initiateListening File: .\IPC\SocketTransport.cpp
Line:
1805 Invoked Function: createSocket Return Code: -31522793 (0xFE1F0017) Description:
SOCKETTRANSPORT_ERROR_SOCKET

Error - 9/4/2011 3:19:24 PM | Computer Name = L-STA-JPLOUIS1 | Source = vpnapi | ID = 67108866
Description = Function: CIpcDepot::initiateIpcListening File: .\IPC\IPCDepot.cpp Line:
364 Invoked Function: CTcpListenTransport::initiateListening Return Code: -31522793
(0xFE1F0017) Description: SOCKETTRANSPORT_ERROR_SOCKET

Error - 9/4/2011 3:19:24 PM | Computer Name = L-STA-JPLOUIS1 | Source = vpnapi | ID = 67108866
Description = Function: CMainThread::startIpcDepot File: .\MainThread.cpp Line: 1060
Invoked
Function: CIpcDepot::initiateIpcListening Return Code: -31522793 (0xFE1F0017) Description:
SOCKETTRANSPORT_ERROR_SOCKET

Error - 9/4/2011 3:19:24 PM | Computer Name = L-STA-JPLOUIS1 | Source = vpnapi | ID = 67108866
Description = Function: CMainThread::CMainThread File: .\MainThread.cpp Line: 784 Invoked
Function: CMainThread::startIpcDepot Return Code: -31522793 (0xFE1F0017) Description:
SOCKETTRANSPORT_ERROR_SOCKET

Error - 9/4/2011 3:19:24 PM | Computer Name = L-STA-JPLOUIS1 | Source = vpnapi | ID = 67108866
Description = Function: CMainThread::createSingletonInstance File: .\MainThread.cpp
Line:
493 Invoked Function: CMainThread::CMainThread Return Code: -31522793 (0xFE1F0017)
Description:
SOCKETTRANSPORT_ERROR_SOCKET

Error - 9/4/2011 3:19:24 PM | Computer Name = L-STA-JPLOUIS1 | Source = vpnapi | ID = 67108866
Description = Function: CWTS::SendMessageW File: .\WTS.cpp Line: 206 Invoked Function:
WTSSendMessage Return Code: 1702 (0x000006A6) Description: The binding handle is
invalid.

Error - 9/4/2011 3:20:59 PM | Computer Name = L-STA-JPLOUIS1 | Source = vpnapi | ID = 67108866
Description = Function: CMainThread::MainLoop File: .\MainThread.cpp Line: 283 Invoked
Function: CMainThread::createSingletonInstance Return Code: -31522793 (0xFE1F0017)
Description:
SOCKETTRANSPORT_ERROR_SOCKET

Error - 9/4/2011 3:20:59 PM | Computer Name = L-STA-JPLOUIS1 | Source = vpnapi | ID = 67108866
Description = Function: service_main_NT File: .\Agent.cpp Line: 690 Invoked Function:
WaitForSingleObject Return Code: 6 (0x00000006) Description: The handle is invalid.



Error - 9/4/2011 3:20:59 PM | Computer Name = L-STA-JPLOUIS1 | Source = vpnapi | ID = 67108866
Description = Function: CMainThread::Notify File: .\MainThread.cpp Line: 6144 Invoked
Function: CMainThread::acquireInstance Return Code: -32636916 (0xFE0E000C) Description:
MAINTHREAD_ERROR_NO_INSTANCE

Error - 9/4/2011 3:20:59 PM | Computer Name = L-STA-JPLOUIS1 | Source = vpnapi | ID = 67108866
Description = Function: service_ctrl_ex File: .\Agent.cpp Line: 443 Invoked Function:
CMainThread::Notify Return Code: -32636916 (0xFE0E000C) Description: MAINTHREAD_ERROR_NO_INSTANCE
Session
change type: 1

[ System Events ]
Error - 9/3/2011 4:40:51 AM | Computer Name = L-STA-JPLOUIS1 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain STO due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 9/3/2011 9:40:51 AM | Computer Name = L-STA-JPLOUIS1 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain STO due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 9/3/2011 10:14:28 AM | Computer Name = L-STA-JPLOUIS1 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 959 minutes. NtpClient has no source of accurate
time.

Error - 9/3/2011 1:45:50 PM | Computer Name = L-STA-JPLOUIS1 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain STO due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 9/3/2011 5:48:03 PM | Computer Name = L-STA-JPLOUIS1 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain STO due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 9/3/2011 9:50:16 PM | Computer Name = L-STA-JPLOUIS1 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain STO due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 9/4/2011 6:49:56 AM | Computer Name = L-STA-JPLOUIS1 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain STO due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 9/4/2011 6:49:56 AM | Computer Name = L-STA-JPLOUIS1 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 9/4/2011 6:49:56 AM | Computer Name = L-STA-JPLOUIS1 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 9/4/2011 7:04:59 AM | Computer Name = L-STA-JPLOUIS1 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 29 minutes. NtpClient has no source of accurate
time.


< End of report >


OTL logfile created on: 9/4/2011 6:17:59 PM - Run 1
OTL by OldTimer - Version 3.2.27.0 Folder = C:\Documents and Settings\Jules.Pierre-Louis\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 2.57 Gb Available Physical Memory | 85.91% Memory free
4.84 Gb Paging File | 4.64 Gb Available in Paging File | 95.81% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 114.82 Gb Free Space | 77.03% Space Free | Partition Type: NTFS
Drive E: | 3.74 Gb Total Space | 0.37 Gb Free Space | 9.79% Space Free | Partition Type: FAT32

Computer Name: L-STA-JPLOUIS1 | User Name: Jules.Pierre-Louis | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - File not found -- C:\WINDOWS\3118467582:32907078.exe
PRC - [2011/09/04 18:17:13 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jules.Pierre-Louis\Desktop\OTL.exe
PRC - [2011/09/02 08:24:56 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/08/11 19:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASCore.exe
PRC - [2011/04/21 10:17:14 | 000,108,456 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2011/09/02 08:24:55 | 001,846,232 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/08/15 16:42:40 | 000,077,312 | ---- | M] () -- C:\Documents and Settings\Jules.Pierre-Louis\Application Data\Mozilla\Firefox\Profiles\9boq2ie2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko6.dll
MOD - [2011/05/16 16:05:42 | 006,271,136 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
MOD - [2008/06/20 12:02:47 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (SUService)
SRV - File not found [Auto | Stopped] -- -- (RoxLiveShare9)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (gupdatem) Google Update Service (gupdatem)
SRV - File not found [Auto | Stopped] -- -- (gupdate) Google Update Service (gupdate)
SRV - File not found [Auto | Stopped] -- -- (DWMRCS)
SRV - File not found [Auto | Stopped] -- -- (CentennialIPTransferAgent)
SRV - File not found [Auto | Stopped] -- -- (CentennialClientAgent)
SRV - [2011/09/04 14:09:04 | 002,059,312 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe -- (UNS) Intel®
SRV - [2011/09/04 14:08:54 | 000,644,408 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe -- (ThinkVantage Registry Monitor Service)
SRV - [2011/09/04 14:08:54 | 000,040,960 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\TpKmpSvc.exe -- (TpKmpSVC)
SRV - [2011/09/04 14:08:52 | 000,477,728 | ---- | M] (Intel® Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2011/09/04 14:08:50 | 000,053,248 | ---- | M] () [Auto | Stopped] -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe -- (Power Manager DBC Service)
SRV - [2011/09/04 14:08:49 | 003,417,480 | ---- | M] (IBM) [Auto | Stopped] -- C:\Program Files\lotus\notes\nsd.exe -- (Lotus Notes Diagnostics)
SRV - [2011/09/04 14:08:40 | 000,175,152 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files\Intel\AMT\LMS.exe -- (LMS) Intel®
SRV - [2011/09/04 14:08:39 | 000,050,536 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Lenovo\Communications Utility\CamMute.exe -- (LENOVO.CAMMUTE)
SRV - [2011/09/04 14:08:32 | 000,866,576 | ---- | M] (Intel® Corporation) [Auto | Stopped] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2011/09/04 14:08:29 | 000,132,456 | ---- | M] (Lenovo.) [Auto | Stopped] -- C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE -- (DozeSvc)
SRV - [2011/09/04 14:08:26 | 000,063,928 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe -- (TPHKSVC)
SRV - [2011/09/04 14:08:14 | 000,031,624 | ---- | M] (IBM Corp) [Auto | Stopped] -- C:\Program Files\lotus\notes\nslsvice.exe -- (Lotus Notes Single Logon)
SRV - [2011/09/04 14:08:11 | 000,604,408 | ---- | M] (Cisco Systems, Inc.) [Auto | Stopped] -- C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe -- (vpnagent)
SRV - [2011/09/04 14:08:08 | 000,970,752 | ---- | M] (Intel® Corporation) [Auto | Stopped] -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2011/09/04 14:08:04 | 001,893,840 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Symantec AntiVirus\Smc.exe -- (SmcService)
SRV - [2011/08/11 19:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2011/04/21 10:17:14 | 000,108,456 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2011/04/21 10:17:14 | 000,108,456 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2011/04/21 10:17:12 | 001,839,888 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2011/04/21 10:17:12 | 000,357,792 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec AntiVirus\SNAC.EXE -- (SNAC)
SRV - [2011/01/19 23:55:06 | 003,093,944 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2010/04/07 13:02:16 | 000,045,496 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Lenovo\HOTKEY\micmute.exe -- (LENOVO.MICMUTE)
SRV - [2007/03/11 05:40:00 | 000,065,585 | ---- | M] (IBM Corporation) [On_Demand | Stopped] -- C:\WINDOWS\cwbrxd.exe -- (Cwbrxd)
SRV - [2007/01/04 19:48:52 | 000,112,152 | R--- | M] (InterVideo) [Auto | Stopped] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2005/08/12 18:37:50 | 001,504,256 | ---- | M] (Cisco Systems, Inc.) [Auto | Stopped] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)


========== Driver Services (SafeList) ==========

DRV - [2011/09/04 13:40:52 | 000,012,000 | ---- | M] (Centennial Software Limited ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CDProbe.SYS -- (CdProbe)
DRV - [2011/09/02 13:40:38 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110902.016\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/09/02 13:40:38 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110902.016\NAVENG.SYS -- (NAVENG)
DRV - [2011/08/23 10:19:31 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/08/23 10:19:31 | 000,105,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/07/22 12:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Stopped] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/12 17:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2011/05/11 10:29:34 | 000,125,488 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/04/21 10:17:14 | 000,321,016 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2011/04/21 10:17:14 | 000,287,352 | ---- | M] (Symantec Corporation) [File_System | System | Stopped] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2011/04/21 10:17:14 | 000,043,768 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2011/02/01 18:33:39 | 000,019,680 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vpnva.sys -- (vpnva)
DRV - [2010/08/25 02:28:00 | 000,024,304 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\DozeHDD.sys -- (DozeHDD)
DRV - [2010/08/25 02:28:00 | 000,004,442 | ---- | M] () [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\TPPWRIF.SYS -- (TPPWRIF)
DRV - [2010/07/27 15:29:18 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2010/07/27 15:29:18 | 000,188,080 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2010/07/27 15:29:18 | 000,026,416 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2010/07/27 15:29:16 | 000,023,888 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\COH_Mon.sys -- (COH_Mon)
DRV - [2010/07/18 23:58:34 | 000,822,400 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CHDAU32.sys -- (CnxtHdAudService)
DRV - [2010/07/14 05:34:00 | 006,650,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETwNx32.sys -- (NETwNx32) ___ Intel®
DRV - [2010/06/16 14:44:38 | 000,120,432 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\Apsx86.sys -- (Shockprf)
DRV - [2010/06/16 14:44:38 | 000,020,592 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\ApsHM86.sys -- (TPDIGIMN)
DRV - [2010/05/19 23:15:04 | 000,013,952 | ---- | M] (Intel Corporation) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2010/03/17 22:15:18 | 006,601,216 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel®
DRV - [2010/03/03 00:21:10 | 004,630,016 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2009/10/05 10:08:42 | 000,065,584 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\ctxusbm.sys -- (ctxusbm)
DRV - [2009/08/04 05:32:00 | 000,004,608 | ---- | M] () [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\TSMAPIP.SYS -- (TSMAPIP)
DRV - [2009/07/14 09:19:35 | 000,030,144 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
DRV - [2009/06/30 12:59:00 | 000,986,240 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2009/06/30 12:58:00 | 000,731,264 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2009/06/30 12:58:00 | 000,210,304 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2009/06/23 12:49:58 | 000,040,832 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel®
DRV - [2008/11/25 18:37:48 | 001,754,368 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\snp2uvc.sys -- (SNP2UVC) USB2.0 PC Camera (SNP2UVC)
DRV - [2008/09/19 17:29:54 | 000,243,856 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1y5132.sys -- (e1yexpress) Intel®
DRV - [2008/05/12 18:04:02 | 000,013,480 | ---- | M] (Lenovo Group Limited) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\smiif32.sys -- (lenovo.smi)
DRV - [2008/03/26 15:21:06 | 000,013,824 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tpm.sys -- (tpm)
DRV - [2008/02/15 19:01:18 | 000,046,592 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/07/30 12:54:02 | 000,038,400 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/07/30 11:42:58 | 000,043,008 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2007/03/22 12:57:14 | 000,028,672 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\elagopro.sys -- (elagopro)
DRV - [2007/03/22 12:57:14 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\elaunidr.sys -- (elaunidr)
DRV - [2007/02/15 08:00:00 | 000,026,624 | ---- | M] (DameWare) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\dwvkbd.sys -- (dwvkbd)
DRV - [2007/02/07 08:00:00 | 000,003,712 | ---- | M] (DameWare Development, LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DamewareMini.sys -- (DwMirror)
DRV - [2005/08/12 18:35:56 | 000,305,739 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2005/05/17 05:51:34 | 000,005,315 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2004/11/03 13:07:24 | 000,146,888 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.structuretone.com/
IE - HKCU\..\URLSearchHook: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\prxtbBitT.dll (Conduit Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60310.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.18: C:\Program Files\Veetle\plugins\npVeetle.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.18: C:\Program Files\Veetle\Player\npvlc.dll (Veetle Inc)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/02 08:24:56 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011/05/11 10:28:15 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jules.Pierre-Louis\Application Data\Mozilla\Extensions
[2011/08/15 11:05:28 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jules.Pierre-Louis\Application Data\Mozilla\Firefox\Profiles\9boq2ie2.default\extensions
[2011/08/15 11:05:28 | 000,000,000 | ---D | M] (BitTorrentBar Community Toolbar) -- C:\Documents and Settings\Jules.Pierre-Louis\Application Data\Mozilla\Firefox\Profiles\9boq2ie2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
[2011/07/15 02:21:20 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Documents and Settings\Jules.Pierre-Louis\Application Data\Mozilla\Firefox\Profiles\9boq2ie2.default\extensions\engine@conduit.com
[2011/05/11 10:18:33 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2009/02/04 15:11:04 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2009/07/14 09:14:19 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/09/02 08:24:56 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2002/08/29 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O2 - BHO: (BitTorrentBar Toolbar) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\prxtbBitT.dll (Conduit Ltd.)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKLM\..\Toolbar: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKLM\..\Toolbar: (BitTorrentBar Toolbar) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\prxtbBitT.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (BitTorrentBar Toolbar) - {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - C:\Program Files\BitTorrentBar\prxtbBitT.dll (Conduit Ltd.)
O4 - HKLM..\Run: [BLOG] C:\Program Files\ThinkPad\Utilities\BATLOGEX.DLL ()
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Client Access Service] C:\Program Files\IBM\Client Access\cwbsvstr.exe (IBM Corporation)
O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
O4 - HKLM..\Run: [DameWare MRC Agent] C:\WINDOWS\system32\DWRCST.exe (DameWare Development)
O4 - HKLM..\Run: [Discovery User Input] C:\Discovery\User Input\userin32.exe (Centennial Software Limited )
O4 - HKLM..\Run: [LenovoAutoScrollUtility] C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [LPMailChecker] C:\Program Files\ThinkVantage\PrdCtr\LPMLCHK.EXE (Lenovo Group Limited)
O4 - HKLM..\Run: [picon] C:\Program Files\Common Files\Intel\Privacy Icon\PIconStartup.exe ()
O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (Lenovo Group Limited)
O4 - HKLM..\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe (Research In Motion Limited)
O4 - HKLM..\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe ()
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe (Lenovo)
O4 - HKLM..\Run: [tsnp2uvc] File not found
O4 - HKCU..\Run: [EasyLinkAdvisor] C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe (Linksys, a Division of Cisco Systems, Inc.)
O4 - HKCU..\Run: [ISUSPM] File not found
O4 - HKCU..\Run: [Security Protection] C:\Documents and Settings\All Users\Application Data\defender.exe (Лаборатория Касперского)
O4 - HKCU..\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe ()
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe ()
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe (Adobe Systems Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{00CD55D6-EE5A-4570-9875-8A306628C032}\Icon3E5562ED7.ico ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\New Windows present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000030 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000031 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000032 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000033 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000034 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000035 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000036 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000037 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000038 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000039 - File not found
O15 - HKLM\..Trusted Domains: sto.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: structuretone.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: clicksafety.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: constructors.com ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: e-arc.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: ethicscoachtraining.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: pavarini.com ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: pavarinise.net ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: planwell.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: sto.com ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: structuretone.co.uk ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: structuretone.com ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: thebluebook.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: t-square.com ([]* in Trusted sites)
O16 - DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} http://stomailny02.structuretone.com/dwa85W.cab (IBM Lotus iNotes 8.5 Control)
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} http://www-307.ibm.com/pc/support/acpir.cab (IASRunner Class)
O16 - DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} https://stovpn1.structuretone.com/CACHE/stc/1/binaries/vpnweb.cab (Cisco AnyConnect VPN Client Web Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233775097218 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sto.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8FA513F8-6F2F-460A-B81B-6CD7660A8588}: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B0F2C3EA-C260-4F29-B943-466F54A1ACB3}: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
O18 - Protocol\Filter\application/x-ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Jules.Pierre-Louis\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jules.Pierre-Louis\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/04 10:34:55 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Error creating restore point.

========== Files/Folders - Created Within 30 Days ==========

[2011/09/04 18:17:13 | 000,581,120 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jules.Pierre-Louis\Desktop\OTL.exe
[2011/09/04 15:12:48 | 000,607,260 | ---- | C] (Swearware) -- C:\Documents and Settings\Jules.Pierre-Louis\Desktop\dds.scr
[2011/09/04 13:34:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jules.Pierre-Louis\Desktop\how-to-use-superantispyware-tutorial_files
[2011/09/04 13:06:38 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/09/04 13:05:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jules.Pierre-Louis\Application Data\SUPERAntiSpyware.com
[2011/09/04 13:05:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jules.Pierre-Louis\Start Menu\Programs\SUPERAntiSpyware
[2011/09/04 13:05:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2011/09/04 13:05:27 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2011/09/04 13:05:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERSetup
[2011/09/04 12:58:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/09/04 12:38:50 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/09/04 12:38:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/09/04 12:38:47 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/09/04 12:38:47 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/09/04 12:18:28 | 000,909,824 | ---- | C] (Лаборатория Касперского) -- C:\Documents and Settings\All Users\Application Data\defender.exe
[2011/09/03 23:11:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jules.Pierre-Louis\My Documents\Dose Files
[2011/09/01 19:51:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jules.Pierre-Louis\Start Menu\Programs\WinRAR
[2011/09/01 19:51:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jules.Pierre-Louis\Application Data\WinRAR
[2011/09/01 19:51:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR
[2011/09/01 19:51:28 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2011/08/31 08:50:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\BitTorrentBar
[2011/08/31 08:50:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2011/08/27 21:13:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2011/08/27 21:09:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome
[2011/08/27 21:09:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2011/08/27 21:08:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jules.Pierre-Louis\Local Settings\Application Data\Google
[2011/08/27 21:08:50 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2011/08/27 21:08:43 | 000,000,000 | ---D | C] -- C:\Program Files\Veetle
[2011/08/20 20:03:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Linksys EasyLink Advisor
[2011/08/20 20:02:48 | 000,000,000 | ---D | C] -- C:\Program Files\Linksys EasyLink Advisor
[2011/08/20 13:29:03 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Jules.Pierre-Louis\Application Data\GTek
[2011/08/20 13:28:44 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\GTek
[2011/08/18 14:47:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jules.Pierre-Louis\Desktop\BMS
[2011/08/18 07:25:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jules.Pierre-Louis\My Documents\IBM
[2011/08/11 10:18:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jules.Pierre-Louis\My Documents\My eBooks
[2011/08/11 08:10:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jules.Pierre-Louis\Desktop\Expense Reports
[2011/08/11 07:50:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jules.Pierre-Louis\My Documents\Construction Knowledge
[2009/02/04 12:17:40 | 000,176,128 | ---- | C] ( ) -- C:\WINDOWS\System32\csnp2uvc.dll
[2009/02/04 12:17:37 | 000,225,280 | ---- | C] ( ) -- C:\WINDOWS\System32\rsnp2uvc.dll
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[20 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/09/04 18:17:47 | 000,502,744 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/09/04 18:17:47 | 000,088,268 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/09/04 18:17:13 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jules.Pierre-Louis\Desktop\OTL.exe
[2011/09/04 18:14:53 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/09/04 18:13:44 | 000,000,000 | ---- | M] () -- C:\WINDOWS\3118467582
[2011/09/04 18:13:41 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/09/04 16:58:26 | 000,082,588 | ---- | M] () -- C:\Documents and Settings\Jules.Pierre-Louis\Desktop\malewarebytes crash.JPG
[2011/09/04 16:55:30 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/04 16:23:00 | 000,000,910 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/09/04 16:21:59 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\PMTask.job
[2011/09/04 15:21:32 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
[2011/09/04 15:21:00 | 000,000,906 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/09/04 15:13:22 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/09/04 15:12:49 | 000,607,260 | ---- | M] (Swearware) -- C:\Documents and Settings\Jules.Pierre-Louis\Desktop\dds.scr
[2011/09/04 14:08:54 | 000,040,960 | ---- | M] () -- C:\WINDOWS\System32\TpKmpSvc.exe
[2011/09/04 13:44:56 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Office Word 2003.lnk
[2011/09/04 13:40:52 | 000,012,000 | ---- | M] (Centennial Software Limited ) -- C:\WINDOWS\System32\drivers\CDProbe.SYS
[2011/09/04 13:34:12 | 000,064,535 | ---- | M] () -- C:\Documents and Settings\Jules.Pierre-Louis\Desktop\how-to-use-superantispyware-tutorial.htm
[2011/09/04 13:05:30 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\Jules.Pierre-Louis\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/09/04 12:18:28 | 000,909,824 | ---- | M] (Лаборатория Касперского) -- C:\Documents and Settings\All Users\Application Data\defender.exe
[2011/09/03 14:25:02 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2011/09/02 13:53:05 | 000,000,628 | RHS- | M] () -- C:\Documents and Settings\Jules.Pierre-Louis\ntuser.pol
[2011/09/02 13:51:06 | 000,010,956 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2011/08/31 08:50:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/08/28 01:03:09 | 000,000,793 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Security Protection.lnk
[2011/08/27 21:09:47 | 000,001,791 | ---- | M] () -- C:\Documents and Settings\Jules.Pierre-Louis\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/08/25 14:02:27 | 000,000,977 | ---- | M] () -- C:\Documents and Settings\Jules.Pierre-Louis\Desktop\Shortcut to SD10.lnk
[2011/08/18 13:28:55 | 000,002,495 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Office Excel 2003.lnk
[2011/08/15 17:19:43 | 000,016,896 | ---- | M] () -- C:\Documents and Settings\Jules.Pierre-Louis\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[20 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/04 16:58:26 | 000,082,588 | ---- | C] () -- C:\Documents and Settings\Jules.Pierre-Louis\Desktop\malewarebytes crash.JPG
[2011/09/04 15:17:26 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Jules.Pierre-Louis\Desktop\gmer.exe
[2011/09/04 13:34:11 | 000,064,535 | ---- | C] () -- C:\Documents and Settings\Jules.Pierre-Louis\Desktop\how-to-use-superantispyware-tutorial.htm
[2011/09/04 13:05:30 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\Jules.Pierre-Louis\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/09/04 12:38:50 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/04 12:18:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\3118467582
[2011/09/04 12:18:29 | 000,000,793 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Security Protection.lnk
[2011/09/04 08:55:48 | 000,173,594 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-3497885986-396218975-3867345159-11992-0.dat
[2011/09/04 08:55:47 | 000,173,594 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2011/08/27 21:09:47 | 000,001,813 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2011/08/27 21:09:47 | 000,001,791 | ---- | C] () -- C:\Documents and Settings\Jules.Pierre-Louis\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/08/27 21:08:57 | 000,000,910 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/08/27 21:08:57 | 000,000,906 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/08/25 14:02:27 | 000,000,977 | ---- | C] () -- C:\Documents and Settings\Jules.Pierre-Louis\Desktop\Shortcut to SD10.lnk
[2011/08/05 02:36:54 | 000,015,516 | -HS- | C] () -- C:\Documents and Settings\Jules.Pierre-Louis\Local Settings\Application Data\75pg32uc86hns2rqtr4c
[2011/08/05 02:36:54 | 000,015,516 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\75pg32uc86hns2rqtr4c
[2011/08/05 02:36:54 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Jules.Pierre-Louis\Local Settings\Application Data\xhui.exe
[2011/08/05 02:36:54 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\wclq.exe
[2011/08/05 02:36:54 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hmua.exe
[2011/08/05 02:36:54 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hdaq.exe
[2011/08/05 02:36:54 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Jules.Pierre-Louis\Local Settings\Application Data\cmyc.exe
[2011/08/05 02:36:54 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\bvbk.exe
[2011/08/05 02:36:54 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Jules.Pierre-Louis\Local Settings\Application Data\bbtk.exe
[2011/08/05 02:36:54 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Jules.Pierre-Louis\Local Settings\Application Data\armm.exe
[2011/07/19 08:38:23 | 000,997,328 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/07/19 00:34:58 | 000,011,718 | -HS- | C] () -- C:\Documents and Settings\Jules.Pierre-Louis\Local Settings\Application Data\78088ge267pi18h0pgt1h126x7vx7x62cv42ml42ld
[2011/07/19 00:34:58 | 000,011,718 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\78088ge267pi18h0pgt1h126x7vx7x62cv42ml42ld
[2011/06/24 04:05:57 | 000,014,852 | -HS- | C] () -- C:\Documents and Settings\Jules.Pierre-Louis\Local Settings\Application Data\grj80oqdpq2oouio58w72rr88u758pwi6j07j
[2011/06/24 04:05:57 | 000,014,852 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\grj80oqdpq2oouio58w72rr88u758pwi6j07j
[2011/06/07 09:42:18 | 000,142,402 | ---- | C] () -- C:\WINDOWS\hpwins26.dat
[2011/06/07 09:42:18 | 000,000,370 | ---- | C] () -- C:\WINDOWS\hpwmdl26.dat
[2011/05/14 13:02:00 | 000,016,896 | ---- | C] () -- C:\Documents and Settings\Jules.Pierre-Louis\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/05/11 23:14:19 | 000,000,256 | ---- | C] () -- C:\WINDOWS\System32\pool.bin
[2011/05/11 10:28:11 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/05/10 16:53:26 | 000,004,400 | ---- | C] () -- C:\Program Files\PanaHDS.ini
[2011/05/10 16:51:48 | 000,000,250 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2010/12/01 14:14:32 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2010/05/20 09:55:21 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2010/05/20 09:55:21 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2010/05/20 09:55:21 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2010/05/20 09:55:21 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2010/05/20 09:55:21 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2010/05/20 09:55:21 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2010/02/08 10:31:51 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 16:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/07/14 09:48:30 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/07/10 12:33:32 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2009/07/10 12:33:32 | 000,000,003 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2009/06/20 19:13:04 | 000,041,020 | ---- | C] () -- C:\WINDOWS\System32\ucres_enu.dll
[2009/06/18 16:29:04 | 000,201,875 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2009/04/01 08:54:50 | 000,002,850 | ---- | C] () -- C:\WINDOWS\System32\Dwrcs.ini
[2009/02/04 18:26:13 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/02/04 18:25:17 | 000,211,288 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/02/04 13:39:52 | 000,024,630 | ---- | C] () -- C:\WINDOWS\System32\cwbunplp.exe
[2009/02/04 13:39:48 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\cwbrw.dll
[2009/02/04 13:39:48 | 000,126,976 | ---- | C] () -- C:\WINDOWS\cwbzip.exe
[2009/02/04 13:39:48 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\cwbsv.dll
[2009/02/04 13:39:48 | 000,020,529 | ---- | C] () -- C:\WINDOWS\System32\cwbwiz.dll
[2009/02/04 13:39:48 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\cwbsy.dll
[2009/02/04 13:39:48 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\cwbnl.dll
[2009/02/04 13:39:48 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\cwbco.dll
[2009/02/04 13:39:48 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\cwbnldlg.dll
[2009/02/04 13:39:48 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\cwbad.dll
[2009/02/04 13:22:18 | 000,001,000 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/02/04 12:27:05 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2009/02/04 12:17:40 | 001,754,368 | ---- | C] () -- C:\WINDOWS\System32\drivers\snp2uvc.sys
[2009/02/04 12:17:40 | 000,028,800 | ---- | C] () -- C:\WINDOWS\System32\drivers\sncduvc.sys
[2009/02/04 12:17:40 | 000,015,497 | ---- | C] () -- C:\WINDOWS\snp2uvc.ini
[2009/02/04 12:11:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2009/02/04 11:44:32 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\TpKmpSvc.exe
[2009/02/04 11:43:40 | 000,196,608 | ---- | C] () -- C:\WINDOWS\PWMBTHLP.EXE
[2009/02/04 11:43:39 | 000,004,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\TPPWRIF.SYS
[2009/02/04 10:36:42 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/02/04 10:32:47 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/04/14 05:55:28 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2007/08/27 16:44:34 | 002,326,528 | ---- | C] () -- C:\WINDOWS\System32\ccme_eccaccel.dll
[2007/08/27 16:44:34 | 000,901,120 | ---- | C] () -- C:\WINDOWS\System32\ccme_ecc.dll
[2007/08/27 16:44:34 | 000,471,040 | ---- | C] () -- C:\WINDOWS\System32\ccme_base.dll
[2007/08/27 16:44:34 | 000,393,216 | ---- | C] () -- C:\WINDOWS\System32\cryptocme2.dll
[2006/12/31 07:57:08 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/08/12 18:38:00 | 000,181,176 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2005/08/12 18:37:46 | 000,189,440 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2002/08/29 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/08/29 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2002/08/29 08:00:00 | 000,502,744 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2002/08/29 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2002/08/29 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2002/08/29 08:00:00 | 000,088,268 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2002/08/29 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2002/08/29 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2002/08/29 08:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2002/08/29 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2010/08/02 09:20:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Autodesk
[2011/05/19 11:48:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Cisco
[2010/08/02 09:38:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2011/09/04 13:06:38 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/05/27 10:31:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GroupPolicy
[2009/12/09 10:38:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lenovo
[2011/09/04 13:06:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/05/14 12:52:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Research In Motion
[2011/09/04 13:05:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SUPERSetup
[2010/08/02 09:21:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jules.Pierre-Louis\Application Data\Autodesk
[2011/09/04 08:55:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jules.Pierre-Louis\Application Data\BitTorrent
[2011/05/12 15:57:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jules.Pierre-Louis\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2009/07/14 09:19:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jules.Pierre-Louis\Application Data\Downloaded Installations
[2010/08/02 09:38:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jules.Pierre-Louis\Application Data\ICAClient
[2011/07/02 05:03:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jules.Pierre-Louis\Application Data\InterVideo
[2009/07/14 09:48:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jules.Pierre-Louis\Application Data\Lenovo
[2011/09/04 14:11:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jules.Pierre-Louis\Application Data\PriceGong
[2011/05/14 13:01:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jules.Pierre-Louis\Application Data\Research In Motion
[2011/09/04 16:21:59 | 000,000,316 | ---- | M] () -- C:\WINDOWS\Tasks\PMTask.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2007/11/07 08:03:18 | 000,562,688 | ---- | M] (Microsoft Corporation) -- C:\install.exe


< MD5 for: AGP440.SYS >
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 05:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 05:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: IASTOR.SYS >
[2009/08/07 06:17:26 | 000,330,264 | ---- | M] (Intel Corporation) MD5=01446278D4563B3013C92830AE6CBB26 -- C:\Program Files\Lenovo\System Update\session\6iim10ww\IaStor.sys
[2009/08/07 06:17:26 | 000,330,264 | ---- | M] (Intel Corporation) MD5=01446278D4563B3013C92830AE6CBB26 -- C:\WINDOWS\system32\drivers\iaStor.sys
[2008/11/03 13:56:40 | 000,327,192 | ---- | M] (Intel Corporation) MD5=37769C28E1C6489C56E41DB7A32D58C5 -- C:\WINDOWS\OemDir\iaStor.sys
[2009/02/11 17:11:50 | 000,329,752 | ---- | M] (Intel Corporation) MD5=71ECC07BC7C5E24C3DD01D8A29A24054 -- C:\Program Files\Lenovo\System Update\session\7zim64ww\IaStor.sys
[2009/02/11 17:11:50 | 000,329,752 | ---- | M] (Intel Corporation) MD5=71ECC07BC7C5E24C3DD01D8A29A24054 -- C:\WINDOWS\system32\ReinstallBackups\0018\DriverFiles\iaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/14 05:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 05:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 05:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 05:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\$NtUninstallKB57679$] -> Error: Cannot create file handle -> Unknown point type

========== Alternate Data Streams ==========

@Alternate Data Stream - 816 bytes -> C:\WINDOWS\3118467582:32907078.exe

< End of report >
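As an added example, not part of this thread and not a feature of OTL, here is a small Python triage pass that applies the heuristics a responder uses when reading a listing like the one above: zero-byte executables, executables dropped loose into an Application Data root, hidden+system files with long random-looking names, a numeric-only filename directly under %WINDIR%, and an executable tucked into an NTFS alternate data stream. The sample lines are copied from the log above, with a benign driver line, a directory line and a scheduled-task line added as controls. The regular expressions, rule names and the `Finding` type are this example's own assumptions about OTL's line format, derived from the entries shown here.

```python
import re
from typing import List, NamedTuple

# Constructed sample: entries copied from the OTL log in this thread, plus a
# benign driver line, a directory line and a scheduled-task line as controls.
SAMPLE_LOG = r"""
[2011/09/04 12:18:28 | 000,909,824 | ---- | C] (Лаборатория Касперского) -- C:\Documents and Settings\All Users\Application Data\defender.exe
[2011/09/04 12:38:47 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/09/04 12:18:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\3118467582
[2011/08/05 02:36:54 | 000,015,516 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\75pg32uc86hns2rqtr4c
[2011/08/05 02:36:54 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\wclq.exe
[2011/09/04 13:05:27 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2011/09/04 16:23:00 | 000,000,910 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
@Alternate Data Stream - 816 bytes -> C:\WINDOWS\3118467582:32907078.exe
"""

# OTL file/directory entry: [timestamp | size | attrs | C/M] (company) -- path
# The "(company)" group is absent on directory entries. This format is an
# assumption read off the log above, not an OTL specification.
FILE_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\](?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
ADS_LINE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


class Finding(NamedTuple):
    path: str
    reason: str


def check_file(size: int, attrs: str, path: str) -> List[str]:
    """Return the reasons (possibly none) a single file entry looks suspicious."""
    reasons: List[str] = []
    if attrs.endswith("D"):          # directory entries carry no payload to judge
        return reasons
    name = path.rsplit("\\", 1)[-1]
    lower = path.lower()
    if size == 0 and lower.endswith(EXEC_EXT):
        reasons.append("zero-byte executable")
    # Legitimate software installs under a vendor subfolder, not loose in the root.
    if re.search(r"\\application data\\[^\\]+\.exe$", lower):
        reasons.append("executable dropped directly in an Application Data root")
    if "H" in attrs and "S" in attrs and "." not in name and re.fullmatch(r"[a-z0-9]{16,}", name):
        reasons.append("hidden+system file with long random-looking name")
    if re.fullmatch(r"c:\\windows\\\d+", lower):
        reasons.append("numeric-only filename directly under %WINDIR%")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Walk an OTL report and collect (path, reason) pairs worth a human look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            size = int(m["size"].replace(",", ""))
            for reason in check_file(size, m["attrs"], m["path"]):
                findings.append(Finding(m["path"], reason))
            continue
        m = ADS_LINE.match(line)
        if m:
            host, _, stream = m["path"].rpartition(":")
            if stream.lower() == "zone.identifier":   # normal download marker, ignore
                continue
            kind = "executable" if stream.lower().endswith(EXEC_EXT) else "data"
            findings.append(Finding(m["path"], f"{kind} hidden in an NTFS alternate data stream of {host}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:60s} {f.path}")
```

Run against the sample it flags the six entries a helper would ask about first and stays quiet on the Malwarebytes driver, the SUPERAntiSpyware folder and the Google updater task; the rules are deliberately crude and are a starting point for reading, not a verdict.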

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:58 PM

Posted 04 September 2011 - 05:47 PM

Hello,


1.
Please download DummyCreator.zip and unzip it.
  • Run the tool.
  • Copy and paste the following into the edit box:

    C:\WINDOWS\3118467582
  • Press Create button and post the content of the Result.txt.

    Important: Restart the computer.


2.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.5.6.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.5.6.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


3.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
result.txt
TdssKiller log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 Max Po

Max Po
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:58 PM

Posted 04 September 2011 - 06:26 PM

I ran into a problem. I'm replying from my BlackBerry now. After completing the 2nd step (1 threat found) and rebooting, now my browsers are opening but not loading. Server Not Found. I'm still in safe mode and it had been loading pages fine up until this point. I ran TDSSKiller a second time and no threats were found this time, but somehow my browser isn't working. Also tried normal startup and the virus still pops up. Please advise.

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:58 PM

Posted 04 September 2011 - 07:49 PM

Hello,

Why did you try and run your browser before completing all the steps? Please do step one again, then do step 3. If your browser is not working then you will have to download ComboFix to a USB drive to transfer it to the machine that is not working.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#7 Max Po

Max Po
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:58 PM

Posted 04 September 2011 - 09:15 PM

Sorry, I restarted the computer as instructed at the end of step 1. To download steps 2 and 3 I needed to open the browser again. I suppose I should have downloaded all 3 before closing this page, along with copying all the instructions to a text file. I'll do that moving forward.

I repeated step 1 and my browser is working now.

DummyCreator by Farbar
Ran by Jules.Pierre-Louis (administrator) on 04-09-2011 at 22:07:30
**************************************************************

c:\WINDOWS\3118467582 [04-09-2011 18:52:03]

== End of log ==

Proceeding to step 3.

#8 Max Po

Max Po
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:58 PM

Posted 04 September 2011 - 09:46 PM

Step 3 complete

ComboFix 11-09-04.03 - Jules.Pierre-Louis 09/04/2011 22:32:08.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3066.2784 [GMT -4:00]
Running from: c:\documents and settings\Jules.Pierre-Louis\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\DetectSchedulerSU.exe.8badc819.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\installUtil.exe.89c0d2f9.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\StartSuService.exe.ace7fffa.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\uts.exe.11a43946.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\uts.exe.54bdc19b.ini
c:\documents and settings\All Users\Application Data\defender.exe
c:\documents and settings\All Users\Desktop\Security Protection.lnk
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\1.txt
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\2229.txt
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\a.txt
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\b.txt
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\c.txt
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\d.txt
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\e.txt
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\f.txt
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\g.txt
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\h.txt
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\i.txt
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\j.txt
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\k.txt
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\l.txt
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\m.txt
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\n.txt
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\o.txt
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\p.txt
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\q.txt
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\r.txt
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\s.txt
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\t.txt
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\u.txt
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\v.txt
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\w.txt
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\x.txt
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\y.txt
c:\documents and settings\Jules.Pierre-Louis\Application Data\PriceGong\Data\z.txt
c:\documents and settings\Jules.Pierre-Louis\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Jules.Pierre-Louis\Local Settings\Application Data\ApplicationHistory\DetectSchedulerSU.exe.8badc819.ini
c:\documents and settings\Jules.Pierre-Louis\Local Settings\Application Data\ApplicationHistory\installUtil.exe.89c0d2f9.ini
c:\documents and settings\Jules.Pierre-Louis\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Jules.Pierre-Louis\Local Settings\Application Data\ApplicationHistory\StartSuService.exe.ace7fffa.ini
c:\documents and settings\Jules.Pierre-Louis\Local Settings\Application Data\ApplicationHistory\uts.exe.11a43946.ini
c:\documents and settings\Jules.Pierre-Louis\Local Settings\Application Data\ApplicationHistory\uts.exe.54bdc19b.ini
c:\documents and settings\Jules.Pierre-Louis\Local Settings\Application Data\armm.exe
c:\documents and settings\Jules.Pierre-Louis\Local Settings\Application Data\bbtk.exe
c:\documents and settings\Jules.Pierre-Louis\Local Settings\Application Data\cmyc.exe
c:\documents and settings\Jules.Pierre-Louis\Local Settings\Application Data\xhui.exe
c:\documents and settings\Jules.Pierre-Louis\Recent\Thumbs.db
C:\install.exe
c:\program files\Internet Explorer\SET59D.tmp
c:\windows\$NtUninstallKB57679$
c:\windows\$NtUninstallKB57679$\3909615628
c:\windows\$NtUninstallKB57679$\4262060217\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB57679$\4262060217\click.tlb
c:\windows\$NtUninstallKB57679$\4262060217\L\ohmczglt
c:\windows\$NtUninstallKB57679$\4262060217\loader.tlb
c:\windows\$NtUninstallKB57679$\4262060217\U\@00000001
c:\windows\$NtUninstallKB57679$\4262060217\U\@000000c0
c:\windows\$NtUninstallKB57679$\4262060217\U\@000000cb
c:\windows\$NtUninstallKB57679$\4262060217\U\@000000cf
c:\windows\$NtUninstallKB57679$\4262060217\U\@80000000
c:\windows\$NtUninstallKB57679$\4262060217\U\@800000c0
c:\windows\$NtUninstallKB57679$\4262060217\U\@800000cb
c:\windows\$NtUninstallKB57679$\4262060217\U\@800000cf
c:\windows\3118467582
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\dasetup.log
c:\windows\system32\ccme_eccaccel.dll
c:\windows\system32\comct332.ocx
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_fe09e0b9
.
.
((((((((((((((((((((((((( Files Created from 2011-08-05 to 2011-09-05 )))))))))))))))))))))))))))))))
.
.
2011-09-04 17:06 . 2011-09-04 17:06 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-09-04 17:05 . 2011-09-04 17:05 -------- d-----w- c:\documents and settings\Jules.Pierre-Louis\Application Data\SUPERAntiSpyware.com
2011-09-04 17:05 . 2011-09-04 20:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-09-04 17:05 . 2011-09-04 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-09-04 17:05 . 2011-09-04 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERSetup
2011-09-04 16:58 . 2011-09-04 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-09-04 16:38 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-04 16:38 . 2011-09-04 20:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-04 16:38 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-31 12:50 . 2011-08-31 12:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\BitTorrentBar
2011-08-31 12:50 . 2011-08-31 12:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2011-08-28 01:13 . 2011-08-28 01:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-08-28 01:09 . 2011-08-28 01:09 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-08-28 01:08 . 2011-08-28 01:09 -------- d-----w- c:\documents and settings\Jules.Pierre-Louis\Local Settings\Application Data\Google
2011-08-28 01:08 . 2011-08-28 01:09 -------- d-----w- c:\program files\Google
2011-08-28 01:08 . 2011-08-28 01:08 -------- d-----w- c:\program files\Veetle
2011-08-21 00:02 . 2011-08-21 00:03 -------- d-----w- c:\program files\Linksys EasyLink Advisor
2011-08-20 17:29 . 2011-08-21 14:52 -------- d-----w- c:\documents and settings\sti
2011-08-20 17:29 . 2011-08-20 17:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Gtek
2011-08-20 17:29 . 2011-08-20 17:29 -------- d--h--w- c:\documents and settings\Jules.Pierre-Louis\Application Data\GTek
2011-08-20 17:28 . 2011-08-20 17:29 -------- d--ha-w- c:\documents and settings\All Users\Application Data\GTek
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-04 23:05 . 2008-04-14 04:47 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-09-04 18:08 . 2009-02-04 15:44 40960 ----a-w- c:\windows\system32\TpKmpSvc.exe
2011-09-04 18:07 . 2009-07-10 16:53 606208 ----a-w- c:\windows\system32\ati2evxx.exe
2011-09-04 18:07 . 2008-09-29 15:17 38248 ----a-w- c:\windows\system32\ibmpmsvc.exe
2011-09-04 17:40 . 2009-08-21 15:19 12000 ----a-w- c:\windows\system32\drivers\CDProbe.SYS
2011-08-05 06:36 . 2011-08-05 06:36 0 ----a-w- c:\documents and settings\All Users\Application Data\wclq.exe
2011-08-05 06:36 . 2011-08-05 06:36 0 ----a-w- c:\documents and settings\All Users\Application Data\hmua.exe
2011-08-05 06:36 . 2011-08-05 06:36 0 ----a-w- c:\documents and settings\All Users\Application Data\hdaq.exe
2011-08-05 06:36 . 2011-08-05 06:36 0 ----a-w- c:\documents and settings\All Users\Application Data\bvbk.exe
2011-07-15 06:21 . 2011-07-15 06:21 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-09-02 12:24 . 2011-05-11 14:18 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\prxtbBitT.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-03-28 16:22 176936 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
2011-03-28 16:22 176936 ----a-w- c:\program files\BitTorrentBar\prxtbBitT.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\prxtbBitT.dll" [2011-03-28 176936]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{88C7F2AA-F93F-432C-8F0E-B7D85967A527}"= "c:\program files\BitTorrentBar\prxtbBitT.dll" [2011-03-28 176936]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-04-28 307768]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2010-07-27 69560]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2010-08-25 517480]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2010-08-25 208896]
"TPFNF7"="c:\progra~1\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-08-04 62240]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-03 1791272]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PIconStartup.exe" [2010-02-04 111640]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2007-03-11 24627]
"Discovery User Input"="c:\discovery\User Input\userin32.exe" [2009-02-17 233472]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2009-01-29 185688]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2009-01-29 124248]
"TpShocks"="TpShocks.exe" [2010-07-02 337256]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2009-12-01 256576]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-03 98304]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-04-21 115624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-03-11 300400]
"LenovoAutoScrollUtility"="c:\program files\Lenovo\VIRTSCRL\virtscrl.exe" [2010-04-01 43960]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-04-28 307768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"DameWare MRC Agent"="c:\windows\system32\DWRCST.exe" [2009-02-04 78848]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2010-2-8 50688]
VPN Client.lnk - c:\windows\Installer\{00CD55D6-EE5A-4570-9875-8A306628C032}\Icon3E5562ED7.ico [2009-2-4 6144]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec AntiVirus\\Smc.exe"=
"c:\\Program Files\\Symantec AntiVirus\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Veetle\\Player\\VeetleNet.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [2/8/2010 11:24 AM 24304]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [6/16/2010 2:44 PM 20592]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [10/5/2009 10:08 AM 65584]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2/15/2007 8:00 AM 26624]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [5/19/2010 6:00 PM 13480]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [2/8/2010 11:24 AM 132456]
R2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CamMute.exe [5/19/2010 6:00 PM 50536]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\program files\lotus\notes\nsd.exe [8/11/2010 11:26 AM 3417480]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [2/4/2009 11:43 AM 53248]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [10/24/2008 1:32 PM 63928]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2/4/2009 12:52 PM 2059312]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2/1/2011 6:48 PM 604408]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2/7/2007 8:00 AM 3712]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [6/13/2008 5:42 PM 243856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/23/2011 2:31 PM 105592]
R3 NETwNx32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwNx32.sys [11/30/2010 3:20 PM 6650752]
S1 SABKUTIL;SABKUTIL;\??\c:\documents and settings\Jules.Pierre-Louis\My Documents\Downloads\SABKUTIL.sys --> c:\documents and settings\Jules.Pierre-Louis\My Documents\Downloads\SABKUTIL.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [5/21/2009 8:48 PM 45496]
S3 CdProbe;CdProbe;c:\windows\system32\drivers\CDProbe.SYS [8/21/2009 11:19 AM 12000]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/27/2010 3:29 PM 23888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:42 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-09-05 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2009-02-04 06:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.structuretone.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: clicksafety.com
Trusted Zone: e-arc.com
Trusted Zone: ethicscoachtraining.com
Trusted Zone: planwell.com
Trusted Zone: t-square.com
Trusted Zone: thebluebook.com
Trusted Zone: sto.com
Trusted Zone: structuretone.com
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxp://stomailny02.structuretone.com/dwa85W.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://stovpn1.structuretone.com/CACHE/stc/1/binaries/vpnweb.cab
FF - ProfilePath - c:\documents and settings\Jules.Pierre-Louis\Application Data\Mozilla\Firefox\Profiles\9boq2ie2.default\
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
HKLM-Run-tsnp2uvc - c:\windows\tsnp2uvc.exe
Notify-NavLogon - (no file)
SafeBoot-27309549.sys
SafeBoot-Symantec Antvirus
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-04 22:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.cdrom]
"ImagePath"="\*"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1472)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(3112)
c:\windows\system32\WININET.dll
c:\windows\system32\AcSignIcon.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Symantec AntiVirus\Smc.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\lotus\notes\nslsvice.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TpKmpSVC.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Symantec AntiVirus\SmcGui.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\windows\system32\TpShocks.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Citrix\ICA Client\wfcrun32.exe
c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
.
**************************************************************************
.
Completion time: 2011-09-04 22:45:07 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-05 02:45
.
Pre-Run: 126,758,576,128 bytes free
Post-Run: 127,530,860,544 bytes free
.
- - End Of File - - 0DBE69D5E2D6B93D52B2EA3A689678F7

#9 Max Po

Max Po
  • Topic Starter

  • Members
  • 10 posts

Posted 04 September 2011 - 09:49 PM

Also, combofix rebooted my computer to normal startup (it specifically instructed me not to reboot manually, so I didn't go into safe mode). I'm currently using my firefox browser in normal startup to post this. Everything seems to be working well. Please advise.

#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 04 September 2011 - 10:34 PM

Hello,


We still have a little work to do.

1.
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/topic417445.html

Collect::
c:\documents and settings\All Users\Application Data\wclq.exe
c:\documents and settings\All Users\Application Data\hmua.exe
c:\documents and settings\All Users\Application Data\hdaq.exe
c:\documents and settings\All Users\Application Data\bvbk.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=-


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue-screen would appear auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Succesfull".

**NOTE**
=================
  • IF for some reason Combofix fails to upload anything please do the following:
  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[68]-Submit_Date_Time.zip"
  • Simply go to THIS CHANNEL and upload the submit.zip archive file to me.
  • Follow the instructions on that page to copy/paste/send the requested file.

2.
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

3.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

Things to include in your next reply::
Combofix.txt
MBAM log
Eset log
How is your machine running now?


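The CFScript above does two things a responder can automate when triaging a ComboFix log: it collects the zero-byte .exe droppers left in All Users\Application Data, and it deletes (the `=-` syntax) the Security Center and firewall values that the rogue set to 1 so the user never got an "antivirus disabled" warning. The script below is an added example written for this thread, not ComboFix's own code or anything posted by the helper; it parses a constructed excerpt in ComboFix's log format (the same kinds of lines as the log in reply #8, not the full log), flags those two indicator classes, and renders the matching Registry:: section. The regexes and the `TAMPER_VALUES` list are my assumptions about the log layout, not a documented ComboFix format.

```python
"""Flag Security Center tampering and zero-byte executables in a ComboFix log.

Added example for this thread; not ComboFix's or the helper's code.
"""
import re
from typing import Dict, List

# Constructed excerpt in ComboFix's log format (Find3M lines, then Reg Loading
# Points). It mirrors the entries the CFScript acted on but is not the real log.
SAMPLE_LOG = r"""
2011-08-05 06:36 . 2011-08-05 06:36 0 ----a-w- c:\documents and settings\All Users\Application Data\wclq.exe
2011-07-15 06:21 . 2011-07-15 06:21 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-09-02 12:24 . 2011-05-11 14:18 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"""

# Assumed layout of a file line: created . modified size attrs path
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} (\d+) (\S+) (.+)$"
)
KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')
EXEC_SUFFIXES = (".exe", ".dll", ".sys", ".scr", ".com")

# Value names that, when non-zero, silence Security Center / firewall alerts
# (assumed list, taken from what the CFScript in this thread removes).
TAMPER_VALUES = {
    "antivirusoverride", "firewalloverride",
    "disablemonitoring", "disablenotifications",
}


def parse_reg_value(raw: str) -> int:
    """Turn 'dword:00000001' or '1 (0x1)' into an int; -1 if not numeric."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"^(\d+)", raw)
    return int(m.group(1)) if m else -1


def find_zero_byte_executables(log: str) -> List[str]:
    """Executable-looking files ComboFix lists with size 0 (dropper leftovers)."""
    hits = []
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        size, path = int(m.group(1)), m.group(3)
        if size == 0 and path.lower().endswith(EXEC_SUFFIXES):
            hits.append(path)
    return hits


def find_security_center_tampering(log: str) -> Dict[str, Dict[str, int]]:
    """Map registry key -> {value name: int} for override/disable values set non-zero."""
    findings: Dict[str, Dict[str, int]] = {}
    current_key = None
    for line in log.splitlines():
        line = line.strip()
        k = KEY_LINE.match(line)
        if k:
            current_key = k.group(1)      # remember the enclosing [key]
            continue
        v = VALUE_LINE.match(line)
        if not (v and current_key):
            continue
        name, raw = v.group(1), v.group(2)
        low = current_key.lower()
        in_scope = "security center" in low or "firewallpolicy" in low
        if in_scope and name.lower() in TAMPER_VALUES and parse_reg_value(raw) != 0:
            findings.setdefault(current_key, {})[name] = parse_reg_value(raw)
    return findings


def cfscript_registry_section(findings: Dict[str, Dict[str, int]]) -> str:
    """Render a ComboFix 'Registry::' section that deletes each flagged value ('=-')."""
    lines = ["Registry::"]
    for key, values in findings.items():
        for name in values:
            lines.append(f"[{key}]")
            lines.append(f'"{name}"=-')
    return "\n".join(lines)


if __name__ == "__main__":
    print("Zero-byte executables:", find_zero_byte_executables(SAMPLE_LOG))
    tampering = find_security_center_tampering(SAMPLE_LOG)
    print("Security Center tampering:", tampering)
    print(cfscript_registry_section(tampering))
```

The size check matters: the four droppers in the Find3M report are 0 bytes, which is why the helper collected them for analysis rather than treating them as live binaries, while ConduitEngine.tmp is also 0 bytes but is not executable and is left alone. The Registry:: output repeats the key for every value, matching the form of the CFScript in the post.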

#11 Max Po

Max Po
  • Topic Starter

  • Members
  • 10 posts

Posted 04 September 2011 - 10:51 PM

Quick question before I proceed. My laptop has symantec endpoint protection and apparently it's locked so that I can't disable it. Combofix noted this on the initial process but there wasn't anything I could do. It didn't seem to be an issue though. Should I try to disable it via taskmanager or something?

Edited by Max Po, 04 September 2011 - 10:51 PM.


#12 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 04 September 2011 - 10:56 PM

Nah it should be ok to run those tools. If not then disable via taskmanager.



#13 Max Po

Max Po
  • Topic Starter

  • Members
  • 10 posts

Posted 04 September 2011 - 11:32 PM

Question:

At step 2 out of 4, ESET is at 0% and says "Can not get update. Is proxy configured?"

Please advise.

#14 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 05 September 2011 - 12:17 AM

Skip ESET and let's use another one.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web CureIt when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
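Added example, not code from this thread or from Dr.Web: a small Python reader for the DrWeb.csv report the steps above ask you to post, which splits the ';'-separated records, separates objects found inside a container from the container's own record, and sorts detections by where they sat (live file system, another scanner's quarantine, or a System Restore point) so anything still untreated stands out. The record layout is an assumption modelled on Dr.Web CureIt reports, and the sample lines are constructed placeholders.

```python
"""Summarise a Dr.Web CureIt CSV report (DrWeb.csv).

Assumed record layout (one detection per line, fields separated by ';'):
    object;path;threat;action;
An object found inside an archive or installer is recorded as
'container\\member', its path being the container's full path, and the
container then gets its own 'Container contains infected objects' record
that carries the action actually taken.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Paths that mean a detection is already neutralised or dormant:
# System Restore snapshots and another scanner's quarantine folder.
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}", re.IGNORECASE)
QUARANTINE_RE = re.compile(r"\\Quarantine(\\|$)", re.IGNORECASE)
CONTAINER_NOTE = "Container contains infected objects"


@dataclass(frozen=True)
class Record:
    obj: str
    path: str
    threat: str
    action: str

    @property
    def is_member(self) -> bool:
        """Object scanned inside a container, e.g. 'AP000001.EXE\\data001'."""
        return "\\" in self.obj

    @property
    def is_container_note(self) -> bool:
        return self.threat == CONTAINER_NOTE

    @property
    def location(self) -> str:
        """Where the object sat: 'restore-point', 'av-quarantine' or 'live'."""
        if RESTORE_POINT_RE.search(self.path):
            return "restore-point"
        if QUARANTINE_RE.search(self.path):
            return "av-quarantine"
        return "live"

    @property
    def resolved(self) -> bool:
        """True when the scanner cured, deleted or moved the object."""
        return re.search(r"Cured|Deleted|Moved", self.action) is not None


def parse_report(text: str) -> list[Record]:
    """Split the report into records; blank lines are skipped and the
    trailing ';' of each line is tolerated."""
    records: list[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(";")
        fields += [""] * (4 - len(fields))      # pad a short line
        records.append(Record(*fields[:4]))
    return records


def summarise(records: list[Record]):
    """Return (threat counts, top-level objects per location, unresolved live objects).

    Container notes are not threats and are left out of the counts; member
    records are left out of the location tally because the container's own
    record already covers them."""
    threats = Counter(r.threat for r in records if not r.is_container_note)
    where = Counter(r.location for r in records if not r.is_member)
    unresolved = [r for r in records
                  if not r.is_member and r.location == "live" and not r.resolved]
    return threats, where, unresolved


# Constructed sample modelled on the report layout; the file names and the
# restore-point GUID are placeholders, not values from any real scan.
SAMPLE_REPORT = r"""
setup_bundle.exe;C:\Documents and Settings\user\My Documents\Downloads;Adware.Zugo.38;Deleted.;
AP00000001.EXE\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP00000001.EXE;Trojan.Starter.1695;;
AP00000001.EXE;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
A0000066.ini;C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP0;BackDoor.Siggen.34346;Deleted.;
A0000417.EXE\data001;C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000417.EXE;Trojan.Starter.1695;;
A0000417.EXE;C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1;Container contains infected objects;Moved.;
example_dropper.exe;C:\Documents and Settings\All Users\Application Data;BackDoor.Siggen.34163;;
"""


if __name__ == "__main__":
    threats, where, unresolved = summarise(parse_report(SAMPLE_REPORT))
    for name, n in threats.most_common():
        print(f"{n:3d}  {name}")
    print("objects by location:", dict(where))
    for r in unresolved:
        print("still present and untreated:", r.path + "\\" + r.obj, r.threat)
```

An empty action on a top-level record (the last sample line) means the scanner reported the object but did nothing to it, which is exactly the case worth raising in the next reply.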


#15 Max Po

Max Po
  • Topic Starter

  • Members
  • 10 posts

Posted 05 September 2011 - 07:53 AM

Dr.Web log:

cnet_wrar401_exe.exe;C:\Documents and Settings\Jules.Pierre-Louis\My Documents\Downloads;Adware.Zugo.38;Deleted.;
AP06BE12FC.EXE\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP06BE12FC.EXE;Trojan.Starter.1695;;
AP06BE12FC.EXE;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
AP0EF3EF94.exe\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP0EF3EF94.exe;Trojan.Starter.1695;;
AP0EF3EF94.exe;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
AP10A2BFF3.exe\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP10A2BFF3.exe;Trojan.Starter.1695;;
AP10A2BFF3.exe;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
AP26E74C99.exe\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP26E74C99.exe;Trojan.Starter.1695;;
AP26E74C99.exe;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
AP3383595A.exe\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP3383595A.exe;Trojan.Starter.1695;;
AP3383595A.exe;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
AP5326B2E5.exe\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP5326B2E5.exe;Trojan.Starter.1695;;
AP5326B2E5.exe;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
AP5BF6BC35.exe\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP5BF6BC35.exe;Trojan.Starter.1695;;
AP5BF6BC35.exe;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
AP5ED0E6A5.exe\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP5ED0E6A5.exe;Trojan.Starter.1695;;
AP5ED0E6A5.exe;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
AP64F997B1.exe\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP64F997B1.exe;Trojan.Starter.1695;;
AP64F997B1.exe;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
AP78582F4D.exe\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP78582F4D.exe;Trojan.Starter.1695;;
AP78582F4D.exe;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
AP7DA4F027.exe\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP7DA4F027.exe;Trojan.Starter.1695;;
AP7DA4F027.exe;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
AP841A3A65.exe\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP841A3A65.exe;Trojan.Starter.1695;;
AP841A3A65.exe;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
AP86A29B33.exe\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP86A29B33.exe;Trojan.Starter.1695;;
AP86A29B33.exe;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
AP89E6A4EA.exe\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP89E6A4EA.exe;Trojan.Starter.1695;;
AP89E6A4EA.exe;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
AP9CCB33F6.exe\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP9CCB33F6.exe;Trojan.Starter.1695;;
AP9CCB33F6.exe;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
APBAD1FC37.exe\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APBAD1FC37.exe;Trojan.Starter.1695;;
APBAD1FC37.exe;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
APBC3B11B8.exe\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APBC3B11B8.exe;Trojan.Starter.1695;;
APBC3B11B8.exe;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
APC8E0283C.exe\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APC8E0283C.exe;Trojan.Starter.1695;;
APC8E0283C.exe;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
APCC0B4F7B.exe\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APCC0B4F7B.exe;Trojan.Starter.1695;;
APCC0B4F7B.exe;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
APD37262F0.exe\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APD37262F0.exe;Trojan.Starter.1695;;
APD37262F0.exe;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
APE6D3D737.exe\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APE6D3D737.exe;Trojan.Starter.1695;;
APE6D3D737.exe;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
APE7D8DEB3.exe\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APE7D8DEB3.exe;Trojan.Starter.1695;;
APE7D8DEB3.exe;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
APEBF7EAB8.exe\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APEBF7EAB8.exe;Trojan.Starter.1695;;
APEBF7EAB8.exe;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
APED33AF32.exe\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APED33AF32.exe;Trojan.Starter.1695;;
APED33AF32.exe;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
APF0776114.exe\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APF0776114.exe;Trojan.Starter.1695;;
APF0776114.exe;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
APF3E35443.exe\data001;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APF3E35443.exe;Trojan.Starter.1695;;
APF3E35443.exe;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Container contains infected objects;Moved.;
APQ13D.tmp;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;BackDoor.Siggen.34163;Incurable.Moved.;
A0000066.ini;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP0;BackDoor.Siggen.34346;Deleted.;
A0000417.EXE\data001;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1\A0000417.EXE;Trojan.Starter.1695;;
A0000417.EXE;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1;Container contains infected objects;Moved.;
A0000418.exe\data001;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1\A0000418.exe;Trojan.Starter.1695;;
A0000418.exe;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1;Container contains infected objects;Moved.;
A0000419.exe\data001;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1\A0000419.exe;Trojan.Starter.1695;;
A0000419.exe;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1;Container contains infected objects;Moved.;
A0000420.exe\data001;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1\A0000420.exe;Trojan.Starter.1695;;
A0000420.exe;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1;Container contains infected objects;Moved.;
A0000421.exe\data001;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1\A0000421.exe;Trojan.Starter.1695;;
A0000421.exe;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1;Container contains infected objects;Moved.;
A0000422.exe\data001;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1\A0000422.exe;Trojan.Starter.1695;;
A0000422.exe;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1;Container contains infected objects;Moved.;
A0000423.exe\data001;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1\A0000423.exe;Trojan.Starter.1695;;
A0000423.exe;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1;Container contains infected objects;Moved.;
A0000424.exe\data001;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1\A0000424.exe;Trojan.Starter.1695;;
A0000424.exe;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1;Container contains infected objects;Moved.;
A0000425.exe\data001;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1\A0000425.exe;Trojan.Starter.1695;;
A0000425.exe;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1;Container contains infected objects;Moved.;
A0000426.exe\data001;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1\A0000426.exe;Trojan.Starter.1695;;
A0000426.exe;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1;Container contains infected objects;Moved.;
A0000427.exe\data001;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1\A0000427.exe;Trojan.Starter.1695;;
A0000427.exe;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1;Container contains infected objects;Moved.;
A0000428.exe\data001;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1\A0000428.exe;Trojan.Starter.1695;;
A0000428.exe;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1;Container contains infected objects;Moved.;
A0000429.exe\data001;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1\A0000429.exe;Trojan.Starter.1695;;
A0000429.exe;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1;Container contains infected objects;Moved.;
A0000430.exe\data001;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1\A0000430.exe;Trojan.Starter.1695;;
A0000430.exe;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1;Container contains infected objects;Moved.;
A0000431.exe\data001;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1\A0000431.exe;Trojan.Starter.1695;;
A0000431.exe;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1;Container contains infected objects;Moved.;
A0000432.exe\data001;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1\A0000432.exe;Trojan.Starter.1695;;
A0000432.exe;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1;Container contains infected objects;Moved.;
A0000433.exe\data001;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1\A0000433.exe;Trojan.Starter.1695;;
A0000433.exe;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1;Container contains infected objects;Moved.;
A0000434.exe\data001;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1\A0000434.exe;Trojan.Starter.1695;;
A0000434.exe;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1;Container contains infected objects;Moved.;
A0000435.exe\data001;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1\A0000435.exe;Trojan.Starter.1695;;
A0000435.exe;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1;Container contains infected objects;Moved.;
A0000436.exe\data001;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1\A0000436.exe;Trojan.Starter.1695;;
A0000436.exe;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1;Container contains infected objects;Moved.;
A0000437.exe\data001;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1\A0000437.exe;Trojan.Starter.1695;;
A0000437.exe;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1;Container contains infected objects;Moved.;
A0000438.exe\data001;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1\A0000438.exe;Trojan.Starter.1695;;
A0000438.exe;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1;Container contains infected objects;Moved.;
A0000439.exe\data001;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1\A0000439.exe;Trojan.Starter.1695;;
A0000439.exe;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1;Container contains infected objects;Moved.;
A0000440.exe\data001;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1\A0000440.exe;Trojan.Starter.1695;;
A0000440.exe;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1;Container contains infected objects;Moved.;
A0000441.exe\data001;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1\A0000441.exe;Trojan.Starter.1695;;
A0000441.exe;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1;Container contains infected objects;Moved.;
A0000442.exe\data001;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1\A0000442.exe;Trojan.Starter.1695;;
A0000442.exe;C:\System Volume Information\_restore{B2736D9B-B3E6-40A9-855B-43BCF76898F5}\RP1;Container contains infected objects;Moved.;


MalwareBytes log:


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7654

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

9/5/2011 12:22:31 AM
mbam-log-2011-09-05 (00-22-31).txt

Scan type: Quick scan
Objects scanned: 186310
Time elapsed: 2 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ComboFix log:


ComboFix 11-09-04.03 - Jules.Pierre-Louis 09/05/2011 0:04.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3066.2348 [GMT -4:00]
Running from: c:\documents and settings\Jules.Pierre-Louis\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jules.Pierre-Louis\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
file zipped: c:\documents and settings\All Users\Application Data\bvbk.exe
file zipped: c:\documents and settings\All Users\Application Data\hdaq.exe
file zipped: c:\documents and settings\All Users\Application Data\hmua.exe
file zipped: c:\documents and settings\All Users\Application Data\wclq.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\bvbk.exe
c:\documents and settings\All Users\Application Data\hdaq.exe
c:\documents and settings\All Users\Application Data\hmua.exe
c:\documents and settings\All Users\Application Data\wclq.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-08-05 to 2011-09-05 )))))))))))))))))))))))))))))))
.
.
2011-09-04 17:06 . 2011-09-04 17:06 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-09-04 17:05 . 2011-09-04 17:05 -------- d-----w- c:\documents and settings\Jules.Pierre-Louis\Application Data\SUPERAntiSpyware.com
2011-09-04 17:05 . 2011-09-04 20:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-09-04 17:05 . 2011-09-04 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-09-04 17:05 . 2011-09-04 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERSetup
2011-09-04 16:58 . 2011-09-04 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-09-04 16:38 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-04 16:38 . 2011-09-04 20:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-04 16:38 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-31 12:50 . 2011-08-31 12:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\BitTorrentBar
2011-08-31 12:50 . 2011-08-31 12:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2011-08-28 01:13 . 2011-08-28 01:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-08-28 01:09 . 2011-08-28 01:09 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-08-28 01:08 . 2011-08-28 01:09 -------- d-----w- c:\documents and settings\Jules.Pierre-Louis\Local Settings\Application Data\Google
2011-08-28 01:08 . 2011-08-28 01:09 -------- d-----w- c:\program files\Google
2011-08-28 01:08 . 2011-08-28 01:08 -------- d-----w- c:\program files\Veetle
2011-08-21 00:02 . 2011-08-21 00:03 -------- d-----w- c:\program files\Linksys EasyLink Advisor
2011-08-20 17:29 . 2011-08-21 14:52 -------- d-----w- c:\documents and settings\sti
2011-08-20 17:29 . 2011-08-20 17:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Gtek
2011-08-20 17:29 . 2011-08-20 17:29 -------- d--h--w- c:\documents and settings\Jules.Pierre-Louis\Application Data\GTek
2011-08-20 17:28 . 2011-08-20 17:29 -------- d--ha-w- c:\documents and settings\All Users\Application Data\GTek
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-04 23:05 . 2008-04-14 04:47 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-09-04 18:08 . 2009-02-04 15:44 40960 ----a-w- c:\windows\system32\TpKmpSvc.exe
2011-09-04 18:07 . 2009-07-10 16:53 606208 ----a-w- c:\windows\system32\ati2evxx.exe
2011-09-04 18:07 . 2008-09-29 15:17 38248 ----a-w- c:\windows\system32\ibmpmsvc.exe
2011-09-04 17:40 . 2009-08-21 15:19 12000 ----a-w- c:\windows\system32\drivers\CDProbe.SYS
2011-07-15 06:21 . 2011-07-15 06:21 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-09-02 12:24 . 2011-05-11 14:18 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-05_02.41.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-05 04:09 . 2011-09-05 04:09 16384 c:\windows\temp\Perflib_Perfdata_770.dat
+ 2002-08-29 12:00 . 2011-09-05 03:02 88690 c:\windows\system32\perfc009.dat
- 2002-08-29 12:00 . 2011-09-05 02:41 88690 c:\windows\system32\perfc009.dat
+ 2002-08-29 12:00 . 2011-09-05 03:02 503332 c:\windows\system32\perfh009.dat
- 2002-08-29 12:00 . 2011-09-05 02:41 503332 c:\windows\system32\perfh009.dat
+ 2011-09-05 03:06 . 2011-09-05 03:06 2295808 c:\windows\Installer\72504.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\prxtbBitT.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-03-28 16:22 176936 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
2011-03-28 16:22 176936 ----a-w- c:\program files\BitTorrentBar\prxtbBitT.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\prxtbBitT.dll" [2011-03-28 176936]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{88C7F2AA-F93F-432C-8F0E-B7D85967A527}"= "c:\program files\BitTorrentBar\prxtbBitT.dll" [2011-03-28 176936]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-04-28 307768]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2010-07-27 69560]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2010-08-25 517480]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2010-08-25 208896]
"TPFNF7"="c:\progra~1\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-08-04 62240]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-03 1791272]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PIconStartup.exe" [2010-02-04 111640]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2007-03-11 24627]
"Discovery User Input"="c:\discovery\User Input\userin32.exe" [2009-02-17 233472]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2009-01-29 185688]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2009-01-29 124248]
"TpShocks"="TpShocks.exe" [2010-07-02 337256]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2009-12-01 256576]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-03 98304]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-04-21 115624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-03-11 300400]
"LenovoAutoScrollUtility"="c:\program files\Lenovo\VIRTSCRL\virtscrl.exe" [2010-04-01 43960]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-04-28 307768]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"DameWare MRC Agent"="c:\windows\system32\DWRCST.exe" [2009-02-04 78848]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2010-2-8 50688]
VPN Client.lnk - c:\windows\Installer\{00CD55D6-EE5A-4570-9875-8A306628C032}\Icon3E5562ED7.ico [2009-2-4 6144]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec AntiVirus\\Smc.exe"=
"c:\\Program Files\\Symantec AntiVirus\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Veetle\\Player\\VeetleNet.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [2/8/2010 11:24 AM 24304]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [6/16/2010 2:44 PM 20592]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [10/5/2009 10:08 AM 65584]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2/15/2007 8:00 AM 26624]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [5/19/2010 6:00 PM 13480]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [2/8/2010 11:24 AM 132456]
R2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CamMute.exe [5/19/2010 6:00 PM 50536]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\program files\lotus\notes\nsd.exe [8/11/2010 11:26 AM 3417480]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [2/4/2009 11:43 AM 53248]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [10/24/2008 1:32 PM 63928]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2/4/2009 12:52 PM 2059312]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2/1/2011 6:48 PM 604408]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2/7/2007 8:00 AM 3712]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [6/13/2008 5:42 PM 243856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/23/2011 2:31 PM 105592]
R3 NETwNx32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwNx32.sys [11/30/2010 3:20 PM 6650752]
S1 SABKUTIL;SABKUTIL;\??\c:\documents and settings\Jules.Pierre-Louis\My Documents\Downloads\SABKUTIL.sys --> c:\documents and settings\Jules.Pierre-Louis\My Documents\Downloads\SABKUTIL.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [5/21/2009 8:48 PM 45496]
S3 CdProbe;CdProbe;c:\windows\system32\drivers\CDProbe.SYS [8/21/2009 11:19 AM 12000]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/27/2010 3:29 PM 23888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:42 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-09-05 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2009-02-04 06:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.structuretone.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: clicksafety.com
Trusted Zone: e-arc.com
Trusted Zone: ethicscoachtraining.com
Trusted Zone: planwell.com
Trusted Zone: t-square.com
Trusted Zone: thebluebook.com
Trusted Zone: sto.com
Trusted Zone: structuretone.com
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxp://stomailny02.structuretone.com/dwa85W.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://stovpn1.structuretone.com/CACHE/stc/1/binaries/vpnweb.cab
FF - ProfilePath - c:\documents and settings\Jules.Pierre-Louis\Application Data\Mozilla\Firefox\Profiles\9boq2ie2.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-05 00:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.cdrom]
"ImagePath"="\*"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1476)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(3408)
c:\windows\system32\WININET.dll
c:\windows\system32\AcSignIcon.dll
c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Symantec AntiVirus\Smc.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\lotus\notes\nslsvice.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TpKmpSVC.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Symantec AntiVirus\SmcGui.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\windows\system32\TpShocks.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
c:\program files\Citrix\ICA Client\wfcrun32.exe
.
**************************************************************************
.
Completion time: 2011-09-05 00:15:19 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-05 04:15
ComboFix2.txt 2011-09-05 02:45
.
Pre-Run: 127,251,107,840 bytes free
Post-Run: 127,233,912,832 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 6796B3C2CA7CC6789A14FA6933C4788A
Upload was successful


Computer seems to be running fine.



