Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware, Trojan, Vundo? Router DNS Hijack?


  • This topic is locked This topic is locked
28 replies to this topic

#1 Steve23

Steve23

  • Members
  • 89 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rochester New York area
  • Local time:11:30 AM

Posted 10 September 2011 - 10:58 PM

Good Morning Bleeping Computer!

Dell Latitude D620 laptop, WinXP Pro SP3, Intel Core2 CPU T7200 @ 2GHz, 2.0GB RAM, 945GM Chipset.

Logs: DDS.txt appended. Attach.txt and ARK.log attached.

I’ll mention upfront that one of the two PC's on my home network got a Vundo infection about 1.5 years ago and despite seeming eradication, I think I have lasting effects. I am now having problems with the newly acquired above referenced laptop just recently added as the third PC on my home network. My other tow PC's have some issues too, but that's not for here, this is about the D620 laptop.

I purchased the above described used laptop from an authorized Dell reseller. The OS was freshly installed. I connected to an unsecured network at my community college and downloaded and installed some minor stuff (Adobe Reader, Flash, Shockwave, Google Chrome and a college PDF of accessing their encrypted sight) and Symantec Endpoint Protection (SEP) v11.0.6100.645. I did a small regedit on SEP (same edit I did on my other two Dell PC's) to disable admin established weekly scans and startup scans, because I prefer scan manually. All good. I get home and the WiFi catches my router. I install Microsoft Office XP Professional off CD. I reboot. Before the WiFi connects, before SEP gets a green light (it is just a yellow shield in the system tray; it doesn't yet have the "all's well" green dot) I get a File Download message: Do you want to open or save this file? Name: bsbsyncvp.png (seems to always be 4 consonants, 1 vowel, 4 consonants, .png extension), Type: MS Photo Ed, From: C:\Doc&Setting\Owner\Local Se… and the rest is cut off. If I choose Open, MS Photo always shows a 22px W x 15px H 24bit color French Flag at 1320 KB, which seems way too many KB’s given that I calculate based on size, color and header that this file should be only about 1 KB. If I choose Save, then scan with SEP I get zero risk detection. So I choose Cancel now. This message appears frequently, even when the computer has been idle. Also, even when the computer sits, a 0KB hidden file named sysareobuc.tmp (the name is consistent) shows up on the desktop. If I delete it, another takes its place after a matter of hours.

Yesterday evening Internet Explorer (IE8) would give me Google results, but any click on a result sent me to a seemingly random place, and in the instance I checked, the displayed URL was spoofed for the site. This occurred for a period of time but then stopped at some point.

Last night I performed a surface scan with error-fix enabled. No issues in log file. I did a SEP scan: only found and deleted one tracking cookie.

I have a Belkin 54g router, FW ver F5D7230-4_UK_8.01.09. Since http://www.bleepingcomputer.com/forums/topic418146.html "Redirect virus" sounded close, last night I also flushed the DNS, stopped and restarted DNS Client, shut down, reset the router (pushed pinhole about 10+ times until lights briefly went off and came back on), restarted, and reset to my typical router configuration. Here’s some configuration highlights: IP Pool limited to 9; I do broadcast the SSID until I get the laptop WiFi settled; ICMP Ping is blocked; WPA/WPA2-Personal(PSK) WPA-PSK TKIP passworded Security.

The redirect problem went away for awhile but has returned.

Since problems started, upon shut down I sometimes get End Program - Sunupdt32 (Symantec Update?), which sometimes self-resolves, but I always get End Program - rundll32.exe and I have to click End Now.

Tonight I rebooted and let the laptop sit idle for about 15 minutes. I ran CCleaner after enabling a couple extra items on the Windows tab of the Cleaner function, namely Autocomplete Form History, Saved Passwords, and Old Prefetch data. CCleaner removed 24MB in 790 IE Temp Internet files plus 76 cookies, 2 System - Temporary Files, 7 System - Windows Log Files, and 15 Multimedia - Adobe Flash Player files. I reset CCleaner to defaults, sat for 5 minutes, and hit the CCleaner Analyze button: 2,260 KB in 226 IE Temp Internet Files, and 9 cookies. 10 minutes later, 7,514KB in 565 IE Temp Internet files, 43 cookies, 2 Flash files. You get the idea.

So I go to look at these Temp IE files and Windows Explorer does not show a C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files directory, despite my having set options to display system folder contents, and to show hidden files and folders. So I chose to get to the folder via, IE8>Tools>Internet Options>Settings button in Browsing history>View files button. Refresh shows there's new files every minute or so. It looks like someone is surfing using my laptop, yet it is just sitting here untouched. There are alot of small KB JPG files. They only display the default JPG icon ion thumbnail view. When I tried to open one I get an Internet Explorer message: "Running a system command on this item might be unsafe. Do you wish to continue?" I hit no. I scan the Temporary Internet Files directory and SEP finds nothing. I close Win Explorer and get a message that Win Explorer has encountered a problem and needs to close. etc. For more info Click Here. It does not give me the usual button to send an error report. Click Here's error signature has APPName: explorer.exe, AppVer: 6.0.2900.5512, ModName: shlwapi.dll, ModVer:6.0.2900.5912, Offset: 00008434. There's a Click Here for tech info about the report in an appcompat.txt.

Next I shut the Hardware Radio Switch off at 2:40AM. So my state is no WiFi internet, NIC active, and no CAT5 connected. I have one last cookie at 2:40AM, but the next nine most recent files over six minutes are files with internet files with Internet Address res://ieframe.dll/<filename>, where filename is for example httpErrorPagesScripts.js. The Last Accessed date and time stamp for these 9 files updates every few minutes.

Some side info: (1) I have the OEM CD’s. It'd be really easy for me to start over. However, this 'no data / low risk' environment provides an excellent learning experience as also I need to tackle the two aforementioned misbehaving desktops which basically contain my and my wife's life. (2) This is my daughter’s laptop. I bought it used for her for college. I have had the D620 for three days. Since my daughter's school has been in session two days already I am on borrowed time to do my virus removal learning on the laptop. I wanted to let you know in case my daughter needs this for school and I need to cut bait and just reinstall the OS and drivers. However, I feel the problem will re-occur as it seems likely related to my router, to which all three of my computers are connected so I really want to stick in and solve this. My daughter is wonderfully patient, which makes me want to help her as much as I can.

I am sorry this is very long. I would appreciate comments aimed at helping me improve my write ups. I want this to be what's best for my helpers. I've read the many pages of good instruction and looked for examples, but feedback on how to make things easiest for you would be great.

Thanks to every potential helping BC member who reads this. Especially thank you to the person who picks this up for being willing to try helping. It’s awesome that there are people like you. It makes up for the people who hijack PC’s.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Owner at 20:42:15 on 2011-09-10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1228 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
svchost.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Documents and Settings\Owner\Application Data\Sun\SunUpdate\Sunupdt32.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: {0ce1709a-70db-42c1-94ba-3e2050aa3978} - c:\windows\system32\wscui32.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SunUpdate] c:\documents and settings\owner\application data\sun\sunupdate\Sunupdt32.exe
uRun: [IntelBackupBackup] rundll32.exe "c:\documents and settings\all users\application data\IntelBackupBackup.dll",DllRegisterServer
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - c:\program files\printkey2000\Printkey2000.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1 209.18.47.61 209.18.47.62
TCP: Interfaces\{C6D35515-D022-41D6-A67F-1F22A1B50683} : DhcpNameServer = 192.168.2.1 209.18.47.61 209.18.47.62
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-9-7 108456]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-9-7 108456]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2011-9-7 1839888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-9-6 105592]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110907.024\NAVENG.SYS [2011-9-8 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110907.024\NAVEX15.SYS [2011-9-8 1576312]
S0 cerc6;cerc6; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-9-6 136176]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-11-4 23888]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2010-6-29 69692]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-9-6 136176]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-09-10 04:55:53 -------- d-----w- c:\program files\CCleaner
2011-09-08 02:31:19 -------- d-----w- c:\program files\Microsoft ActiveSync
2011-09-08 02:28:18 -------- d-----w- c:\windows\ShellNew
2011-09-08 02:15:03 -------- d-----w- c:\program files\PrintKey2000
2011-09-07 06:00:35 0 ---ha-w- c:\documents and settings\owner\sysareobuc.tmp
2011-09-07 05:31:18 355328 ----a-w- c:\windows\system32\wscui32.dll
2011-09-07 05:31:17 184832 ----a-w- c:\documents and settings\all users\application data\IntelBackupBackup.dll
2011-09-07 04:46:56 87456 ----a-w- c:\windows\system32\FwsVpn.dll
2011-09-07 04:46:56 107936 ----a-w- c:\windows\system32\SymVPN.dll
2011-09-07 04:46:55 43768 ----a-w- c:\windows\system32\drivers\srtspx.sys
2011-09-07 04:46:55 321016 ----a-w- c:\windows\system32\drivers\srtspl.sys
2011-09-07 04:46:55 287352 ----a-w- c:\windows\system32\drivers\srtsp.sys
2011-09-07 00:41:15 -------- d-----w- c:\documents and settings\owner\local settings\application data\Symantec
2011-09-07 00:39:26 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-09-07 00:39:26 125488 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-09-07 00:38:53 -------- d-----w- c:\program files\Symantec
2011-09-07 00:38:53 -------- d-----w- c:\program files\common files\Symantec Shared
2011-09-07 00:38:53 -------- d-----w- c:\documents and settings\all users\application data\Symantec
2011-09-06 23:24:33 -------- d-----w- c:\windows\system32\Adobe
2011-09-06 23:21:00 -------- d-----w- c:\documents and settings\owner\local settings\application data\Temp
2011-09-06 23:17:21 -------- d-----w- c:\documents and settings\owner\local settings\application data\Adobe
2011-09-06 23:16:50 -------- d-----w- c:\documents and settings\owner\local settings\application data\Google
2011-08-22 20:38:22 -------- d-----w- c:\windows\system32\appmgmt
2011-08-22 20:34:37 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-22 18:00:08 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-08-22 18:00:08 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-08-22 18:00:00 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2011-08-22 18:00:00 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-08-22 17:59:56 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-08-22 17:59:56 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-08-22 17:59:48 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2011-08-22 17:59:48 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
.
==================== Find3M ====================
.
2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
.
============= FINISH: 20:42:41.57 ===============

Attached Files


Edited by Steve23, 10 September 2011 - 11:37 PM.


BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,924 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:30 PM

Posted 17 September 2011 - 09:14 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) ( 511KB ) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
    Posted Image
  • If a suspicious file is detected, the default action will be Skip, click on Continue
    Posted Image
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive ((usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.
===

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • alternate download link 2
    • Make sure you are connected to the Internet.
    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:[list]
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post the logs and let me know what problem persists.

#3 Steve23

Steve23
  • Topic Starter

  • Members
  • 89 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rochester New York area
  • Local time:11:30 AM

Posted 17 September 2011 - 12:31 PM

nasdaq,

Thank you for helping me.

Appended:
aswMBR.txt log
TDSSKiller log
MBAM log

Attached:
MBR.dat zip Attached File  MBR.zip   499bytes   0 downloads

Apparently coincident with the aswMBR.exe download, a 0 byte hidden file named sysarebuc.tmp appeared on the desktop. I mentioned in my initial write up that I have seen this file before and I believe it may be related to the malware problem.

Reboot requested by MBAM. I rebooted.

The conspicuous file download request I wrote about still occurred upon re-start, as it has done since the malware problem began:
File Download message: Do you want to open or save this file? Name: dmkwaprxj.png, Type: MS Photo Ed, From: C:\Doc&Setting\Owner\Local Se…

I chose cancel and posted to the forum.

Regards,

Steve

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-09-17 12:41:44
-----------------------------
12:41:44.562 OS Version: Windows 5.1.2600 Service Pack 3
12:41:44.562 Number of processors: 2 586 0xF06
12:41:44.562 ComputerName: OWNER-634657A0E UserName: Owner
12:41:45.281 Initialize success
12:45:28.078 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
12:45:28.078 Disk 0 Vendor: SAMSUNG_HM160JI AD100-12 Size: 152627MB BusType: 3
12:45:30.093 Disk 0 MBR read successfully
12:45:30.093 Disk 0 MBR scan
12:45:30.093 Disk 0 Windows XP default MBR code
12:45:30.093 Disk 0 scanning sectors +312576705
12:45:30.171 Disk 0 scanning C:\WINDOWS\system32\drivers
12:45:35.468 Service scanning
12:45:36.531 Modules scanning
12:45:55.703 Disk 0 trace - called modules:
12:45:55.718 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
12:45:55.718 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89ddbab8]
12:45:55.718 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000007f[0x89e3ff18]
12:45:55.718 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x89dde940]
12:45:55.718 Scan finished successfully
12:45:59.250 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
12:45:59.265 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"

_______________________________


2011/09/17 12:48:28.0812 1664 TDSS rootkit removing tool 2.5.22.0 Sep 13 2011 15:55:17
2011/09/17 12:48:29.0187 1664 ================================================================================
2011/09/17 12:48:29.0187 1664 SystemInfo:
2011/09/17 12:48:29.0187 1664
2011/09/17 12:48:29.0187 1664 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/17 12:48:29.0187 1664 Product type: Workstation
2011/09/17 12:48:29.0187 1664 ComputerName: OWNER-634657A0E
2011/09/17 12:48:29.0187 1664 UserName: Owner
2011/09/17 12:48:29.0187 1664 Windows directory: C:\WINDOWS
2011/09/17 12:48:29.0187 1664 System windows directory: C:\WINDOWS
2011/09/17 12:48:29.0187 1664 Processor architecture: Intel x86
2011/09/17 12:48:29.0187 1664 Number of processors: 2
2011/09/17 12:48:29.0187 1664 Page size: 0x1000
2011/09/17 12:48:29.0187 1664 Boot type: Normal boot
2011/09/17 12:48:29.0187 1664 ================================================================================
2011/09/17 12:48:30.0781 1664 Initialize success
2011/09/17 12:48:47.0890 2060 ================================================================================
2011/09/17 12:48:47.0890 2060 Scan started
2011/09/17 12:48:47.0890 2060 Mode: Manual;
2011/09/17 12:48:47.0890 2060 ================================================================================
2011/09/17 12:48:48.0437 2060 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/17 12:48:48.0484 2060 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/09/17 12:48:48.0562 2060 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/09/17 12:48:48.0609 2060 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/09/17 12:48:48.0765 2060 ApfiltrService (090880e9bf20f928bc341f96d27c019e) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
2011/09/17 12:48:48.0812 2060 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
2011/09/17 12:48:48.0937 2060 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/09/17 12:48:48.0968 2060 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/17 12:48:49.0000 2060 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/09/17 12:48:49.0046 2060 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/09/17 12:48:49.0093 2060 b57w2k (c0acd392ece55784884cc208aafa06ce) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/09/17 12:48:49.0156 2060 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/09/17 12:48:49.0218 2060 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
2011/09/17 12:48:49.0234 2060 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
2011/09/17 12:48:49.0281 2060 BTHPORT (662bfd909447dd9cc15b1a1c366583b4) C:\WINDOWS\system32\Drivers\BTHport.sys
2011/09/17 12:48:49.0328 2060 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
2011/09/17 12:48:49.0343 2060 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/09/17 12:48:49.0390 2060 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/09/17 12:48:49.0406 2060 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/09/17 12:48:49.0453 2060 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/09/17 12:48:49.0531 2060 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/09/17 12:48:49.0593 2060 COH_Mon (a02dc932f3806d29b39ef3114ce00405) C:\WINDOWS\system32\Drivers\COH_Mon.sys
2011/09/17 12:48:49.0609 2060 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/09/17 12:48:49.0703 2060 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/09/17 12:48:49.0765 2060 DLABMFSM (a0500678a33802d8954153839301d539) C:\WINDOWS\system32\Drivers\DLABMFSM.SYS
2011/09/17 12:48:49.0781 2060 DLABOIOM (b8d2f68cac54d46281399f9092644794) C:\WINDOWS\system32\Drivers\DLABOIOM.SYS
2011/09/17 12:48:49.0796 2060 DLACDBHM (0ee93ab799d1cb4ec90b36f3612fe907) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
2011/09/17 12:48:49.0812 2060 DLADResM (87413b94ae1fabc117c4e8ae6725134e) C:\WINDOWS\system32\Drivers\DLADResM.SYS
2011/09/17 12:48:49.0843 2060 DLAIFS_M (766a148235be1c0039c974446e4c0edc) C:\WINDOWS\system32\Drivers\DLAIFS_M.SYS
2011/09/17 12:48:49.0859 2060 DLAOPIOM (38267cca177354f1c64450a43a4f7627) C:\WINDOWS\system32\Drivers\DLAOPIOM.SYS
2011/09/17 12:48:49.0875 2060 DLAPoolM (fd363369fd313b46b5aeab1a688b52e9) C:\WINDOWS\system32\Drivers\DLAPoolM.SYS
2011/09/17 12:48:49.0890 2060 DLARTL_M (336ae18f0912ef4fbe5518849e004d74) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
2011/09/17 12:48:49.0906 2060 DLAUDFAM (fd85f682c1cc2a7ca878c7a448e6d87e) C:\WINDOWS\system32\Drivers\DLAUDFAM.SYS
2011/09/17 12:48:49.0921 2060 DLAUDF_M (af389ce587b6bf5bbdcd6f6abe5eabc0) C:\WINDOWS\system32\Drivers\DLAUDF_M.SYS
2011/09/17 12:48:50.0000 2060 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/09/17 12:48:50.0046 2060 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/09/17 12:48:50.0062 2060 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/09/17 12:48:50.0125 2060 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/09/17 12:48:50.0156 2060 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/09/17 12:48:50.0187 2060 DRVMCDB (5d3b71bb2bb0009d65d290e2ef374bd3) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
2011/09/17 12:48:50.0203 2060 DRVNDDM (c591ba9f96f40a1fd6494dafdcd17185) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
2011/09/17 12:48:50.0312 2060 eeCtrl (8f7dbc4be48f5388a6fe1f285e7948ef) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/09/17 12:48:50.0375 2060 el575nd5 (23f6b9cf432f492ebbd8105d78cb008c) C:\WINDOWS\system32\DRIVERS\el575nd5.sys
2011/09/17 12:48:50.0406 2060 EraserUtilRebootDrv (3ee14d400e0fdd0d214275a4a20b7022) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/09/17 12:48:50.0468 2060 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/09/17 12:48:50.0515 2060 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/09/17 12:48:50.0531 2060 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/09/17 12:48:50.0546 2060 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/09/17 12:48:50.0578 2060 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/09/17 12:48:50.0625 2060 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/09/17 12:48:50.0640 2060 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/09/17 12:48:50.0671 2060 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/09/17 12:48:50.0718 2060 guardian2 (c0bdab85f3e8b2138c513255e2bcc4d8) C:\WINDOWS\system32\Drivers\oz776.sys
2011/09/17 12:48:50.0781 2060 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/09/17 12:48:50.0828 2060 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/09/17 12:48:50.0937 2060 HSF_DPV (e8ec1767ea315a39a0dd8989952ca0e9) C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys
2011/09/17 12:48:50.0968 2060 HSXHWAZL (61478fa42ee04562e7f11f4dca87e9c8) C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
2011/09/17 12:48:51.0031 2060 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/09/17 12:48:51.0125 2060 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/09/17 12:48:51.0375 2060 ialm (e8c7cc369c2fb657e0792af70df529e6) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/09/17 12:48:51.0609 2060 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/17 12:48:51.0703 2060 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/09/17 12:48:51.0734 2060 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/09/17 12:48:51.0765 2060 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/09/17 12:48:51.0781 2060 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/09/17 12:48:51.0828 2060 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/09/17 12:48:51.0859 2060 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/17 12:48:51.0906 2060 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/09/17 12:48:51.0953 2060 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/09/17 12:48:51.0984 2060 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/09/17 12:48:52.0000 2060 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/09/17 12:48:52.0046 2060 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/09/17 12:48:52.0062 2060 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/09/17 12:48:52.0156 2060 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/09/17 12:48:52.0187 2060 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/09/17 12:48:52.0218 2060 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/09/17 12:48:52.0250 2060 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/09/17 12:48:52.0281 2060 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/09/17 12:48:52.0296 2060 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/09/17 12:48:52.0343 2060 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/09/17 12:48:52.0406 2060 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/09/17 12:48:52.0453 2060 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/09/17 12:48:52.0484 2060 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/09/17 12:48:52.0500 2060 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/09/17 12:48:52.0515 2060 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/09/17 12:48:52.0562 2060 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/09/17 12:48:52.0609 2060 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/09/17 12:48:52.0703 2060 NAVENG (862f55824ac81295837b0ab63f91071f) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110907.024\NAVENG.SYS
2011/09/17 12:48:52.0781 2060 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110907.024\NAVEX15.SYS
2011/09/17 12:48:52.0843 2060 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/09/17 12:48:52.0906 2060 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/09/17 12:48:52.0953 2060 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/09/17 12:48:52.0968 2060 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/09/17 12:48:53.0015 2060 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/09/17 12:48:53.0031 2060 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/09/17 12:48:53.0062 2060 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/17 12:48:53.0281 2060 NETw5x32 (aa88346ab7849a1cb34bd3424febfece) C:\WINDOWS\system32\DRIVERS\NETw5x32.sys
2011/09/17 12:48:53.0390 2060 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/09/17 12:48:53.0453 2060 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/09/17 12:48:53.0515 2060 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/09/17 12:48:53.0593 2060 NWADI (9edf6fd48a9eb4afdf225eb9c5111df6) C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
2011/09/17 12:48:53.0640 2060 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/09/17 12:48:53.0656 2060 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/09/17 12:48:53.0687 2060 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/09/17 12:48:53.0703 2060 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/09/17 12:48:53.0750 2060 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/09/17 12:48:53.0781 2060 PCASp50 (1961590aa191b6b7dcf18a6a693af7b8) C:\WINDOWS\system32\Drivers\PCASp50.sys
2011/09/17 12:48:53.0812 2060 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/09/17 12:48:53.0843 2060 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/09/17 12:48:53.0875 2060 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/09/17 12:48:54.0031 2060 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/09/17 12:48:54.0046 2060 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/09/17 12:48:54.0062 2060 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/09/17 12:48:54.0093 2060 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/09/17 12:48:54.0203 2060 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/09/17 12:48:54.0234 2060 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/09/17 12:48:54.0250 2060 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/09/17 12:48:54.0281 2060 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/09/17 12:48:54.0312 2060 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/09/17 12:48:54.0328 2060 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/09/17 12:48:54.0390 2060 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/09/17 12:48:54.0437 2060 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/09/17 12:48:54.0468 2060 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/09/17 12:48:54.0531 2060 RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
2011/09/17 12:48:54.0609 2060 s24trans (87940243ea2ad3ebe274f5409c5e9072) C:\WINDOWS\system32\DRIVERS\s24trans.sys
2011/09/17 12:48:54.0640 2060 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/09/17 12:48:54.0671 2060 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/09/17 12:48:54.0687 2060 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/09/17 12:48:54.0718 2060 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/09/17 12:48:54.0843 2060 SPBBCDrv (e87cf104f12c92401c4d33c50a3d5dc8) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
2011/09/17 12:48:54.0875 2060 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/09/17 12:48:54.0921 2060 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/09/17 12:48:54.0968 2060 SRTSP (14389e87d0d2e25b12bf2cc74cfaee07) C:\WINDOWS\system32\Drivers\SRTSP.SYS
2011/09/17 12:48:55.0031 2060 SRTSPL (aed0f68c185fe698a21cefcd76f0b8a4) C:\WINDOWS\system32\Drivers\SRTSPL.SYS
2011/09/17 12:48:55.0062 2060 SRTSPX (0e2ca6326726477fe29863808bbad413) C:\WINDOWS\system32\Drivers\SRTSPX.SYS
2011/09/17 12:48:55.0093 2060 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/09/17 12:48:55.0187 2060 STHDA (951801dfb54d86f611f0af47825476f9) C:\WINDOWS\system32\drivers\sthda.sys
2011/09/17 12:48:55.0265 2060 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/09/17 12:48:55.0281 2060 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/09/17 12:48:55.0390 2060 SymEvent (e42a34e6f5ca71a84d4c2de620aad13d) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2011/09/17 12:48:55.0437 2060 SYMREDRV (394b2368212114d538316812af60fddd) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
2011/09/17 12:48:55.0468 2060 SYMTDI (d46676bb414c7531bdffe637a33f5033) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
2011/09/17 12:48:55.0531 2060 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/09/17 12:48:55.0593 2060 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/17 12:48:55.0656 2060 TcUsb (5ca437a08509fb7ecf843480fc1232e2) C:\WINDOWS\system32\Drivers\tcusb.sys
2011/09/17 12:48:55.0687 2060 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/09/17 12:48:55.0703 2060 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/09/17 12:48:55.0750 2060 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/09/17 12:48:55.0828 2060 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/09/17 12:48:55.0921 2060 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/09/17 12:48:55.0968 2060 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/09/17 12:48:56.0015 2060 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/09/17 12:48:56.0062 2060 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/09/17 12:48:56.0109 2060 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/09/17 12:48:56.0140 2060 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/09/17 12:48:56.0187 2060 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/09/17 12:48:56.0234 2060 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/09/17 12:48:56.0281 2060 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/09/17 12:48:56.0343 2060 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/09/17 12:48:56.0421 2060 winachsf (ba6b6fb242a6ba4068c8b763063beb63) C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
2011/09/17 12:48:56.0500 2060 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/09/17 12:48:56.0593 2060 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/09/17 12:48:56.0609 2060 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/09/17 12:48:56.0656 2060 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/09/17 12:48:56.0859 2060 Boot (0x1200) (c0a084ea883628bfc0d69745237b48b9) \Device\Harddisk0\DR0\Partition0
2011/09/17 12:48:56.0859 2060 ================================================================================
2011/09/17 12:48:56.0859 2060 Scan finished
2011/09/17 12:48:56.0859 2060 ================================================================================
2011/09/17 12:48:56.0875 2128 Detected object count: 0
2011/09/17 12:48:56.0875 2128 Actual detected object count: 0

_______________________________


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7734

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/17/2011 1:03:45 PM
mbam-log-2011-09-17 (13-03-45).txt

Scan type: Quick scan
Objects scanned: 156922
Time elapsed: 2 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\wscui32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0CE1709A-70DB-42C1-94BA-3E2050AA3978} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0CE1709A-70DB-42C1-94BA-3E2050AA3978} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0CE1709A-70DB-42C1-94BA-3E2050AA3978} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0CE1709A-70DB-42C1-94BA-3E2050AA3978} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\wscui32.dll (Trojan.Agent) -> Delete on reboot.

**END OF POST BY STEVE 23**

#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,924 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:30 PM

Posted 17 September 2011 - 01:11 PM

Good work.

Lets continue.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall
===

#5 Steve23

Steve23
  • Topic Starter

  • Members
  • 89 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rochester New York area
  • Local time:11:30 AM

Posted 17 September 2011 - 02:20 PM

AComboFix 11-09-17.02 - Owner 09/17/2011 15:14:43.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1259 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\IntelBackupBackup.dll
c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Owner\sysareobuc.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-08-17 to 2011-09-17 )))))))))))))))))))))))))))))))
.
.
2011-09-17 16:58 . 2011-09-17 16:58 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-09-17 16:58 . 2011-09-17 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-17 16:58 . 2011-09-17 16:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-17 16:58 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-10 19:04 . 2011-09-10 19:04 -------- d-----w- c:\program files\QuickTime
2011-09-10 04:55 . 2011-09-11 03:24 -------- d-----w- c:\program files\CCleaner
2011-09-08 02:31 . 2011-09-08 02:31 -------- d-----w- c:\program files\Microsoft ActiveSync
2011-09-08 02:28 . 2011-09-08 02:30 -------- d-----w- c:\windows\ShellNew
2011-09-08 02:15 . 2011-09-08 02:15 -------- d-----w- c:\program files\PrintKey2000
2011-09-07 05:31 . 2011-09-07 05:31 -------- d-----w- c:\windows\Sun
2011-09-07 04:46 . 2011-09-07 04:46 87456 ----a-w- c:\windows\system32\FwsVpn.dll
2011-09-07 04:46 . 2011-09-07 04:46 107936 ----a-w- c:\windows\system32\SymVPN.dll
2011-09-07 04:46 . 2011-09-07 04:46 43768 ----a-w- c:\windows\system32\drivers\srtspx.sys
2011-09-07 04:46 . 2011-09-07 04:46 321016 ----a-w- c:\windows\system32\drivers\srtspl.sys
2011-09-07 04:46 . 2011-09-07 04:46 287352 ----a-w- c:\windows\system32\drivers\srtsp.sys
2011-09-07 00:41 . 2011-09-07 00:41 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Symantec
2011-09-07 00:39 . 2011-09-07 04:50 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-09-07 00:39 . 2011-09-07 04:50 125488 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-09-07 00:38 . 2011-09-07 04:50 -------- d-----w- c:\program files\Symantec
2011-09-07 00:38 . 2011-09-07 04:49 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-09-07 00:38 . 2011-09-07 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2011-09-06 23:24 . 2011-09-06 23:24 -------- d-----w- c:\windows\system32\Adobe
2011-09-06 23:21 . 2011-09-06 23:28 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
2011-09-06 23:21 . 2011-09-06 23:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-09-06 23:18 . 2011-09-06 23:18 -------- d-----w- c:\program files\Common Files\Adobe
2011-09-06 23:17 . 2011-09-06 23:28 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Adobe
2011-09-06 23:16 . 2011-09-06 23:16 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-09-06 23:16 . 2011-09-07 13:52 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Google
2011-09-06 23:16 . 2011-09-07 01:11 -------- d-----w- c:\program files\Google
2011-08-22 20:34 . 2011-09-06 23:22 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-22 18:00 . 2008-04-14 09:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-08-22 18:00 . 2008-04-14 09:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-08-22 18:00 . 2001-08-17 17:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2011-08-22 18:00 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-08-22 17:59 . 2008-04-14 04:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-08-22 17:59 . 2008-04-14 04:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-08-22 17:59 . 2008-04-14 04:15 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2011-08-22 17:59 . 2008-04-14 04:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2008-04-14 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2008-04-14 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2008-04-14 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2010-06-28 19:29 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2008-04-14 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunUpdate"="c:\documents and settings\Owner\Application Data\Sun\SunUpdate\Sunupdt32.exe" [2011-09-07 159232]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-08-20 1191936]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-09-07 115624]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-09-10 421888]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2002-6-27 83360]
Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2011-9-7 869376]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
.
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/6/2011 11:44 PM 105592]
S0 cerc6;cerc6; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/6/2011 7:16 PM 136176]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/4/2010 9:48 AM 23888]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [6/29/2010 9:55 AM 69692]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/6/2011 7:16 PM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-06 23:16]
.
2011-09-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-06 23:16]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1 209.18.47.61 209.18.47.62
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-IntelBackupBackup - c:\documents and settings\All Users\Application Data\IntelBackupBackup.dll
SafeBoot-Symantec Antvirus
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-17 15:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(844)
c:\windows\system32\netprovcredman.dll
.
Completion time: 2011-09-17 15:18:26
ComboFix-quarantined-files.txt 2011-09-17 19:18
.
Pre-Run: 147,090,210,816 bytes free
Post-Run: 147,163,803,648 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 37335C79D242F6125684F75FE19A4413

#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,924 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:30 PM

Posted 17 September 2011 - 05:10 PM

LOOKING GOOD.

Third party programs if not up to date can be the cause infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Post the log and let me know what problem persists.

#7 Steve23

Steve23
  • Topic Starter

  • Members
  • 89 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rochester New York area
  • Local time:11:30 AM

Posted 17 September 2011 - 06:29 PM

nasdaq,

Thank you for getting me this far. Appended is the Security Check log.

A few points if you please:
1) File Download message: Do you want to open or save this file? Name: bsbsyncvp.png (or similar name) --- just happened again.
2) It seems some of my settings got reset, notably the laptop's touch pad configuration have been changed. Is this normal following the procedures performed?
3) In your comment about updates and infiltration did you have in mind some specific third party programs of mine?
4) I have two other PC's on a router for a three PC home network. They appear to have misbehavior, but not identical to the concerns of this thread. Could the PC's on the network pass around infection? If so, how would you propose dealing with the other two PC's. If it is too early to ask this question, I will bring it up again later.

Thanks again,

Steve

Results of screen317's Security Check version 0.99.18
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Symantec Endpoint Protection
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 20
Out of date Java installed!
Adobe Flash Player
Adobe Reader X (10.1.0)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
``````````End of Log````````````

#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,924 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:30 PM

Posted 18 September 2011 - 08:00 AM

It's possible that your router is infected.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred setting.. Below is the list of default username and password, should you don't know it ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

How to Secure Your Wireless Router
http://www.ehow.com/how_2253625_secure-wireless-router.html
===

File Download message: Do you want to open or save this file? Name: bsbsyncvp.png


Let see if the any or the .pgn files exist.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:


    :filefind
    *.png

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
===

3) In your comment about updates and infiltration did you have in mind some specific third party programs of mine?


The programs reported by the tool.

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java SE Runtime Environment 6 Update 27.
  • In the box labeled "Java Platform, Standard Edition", click the "Download JRE" button to the right.
  • In the Window that opens, select Windows (or Windows x64), and check the "agree" box and click "Continue".
  • Click on the link to download Windows Offline Installation and save to your Desktop.
  • Then from your Desktop double-click on jre-6u27-windows-i586.exe that you have downloaded to install the newest version.

    For the x64 bit version download this on jre-6u27-windows-x64.exe). Make sure you download the corrent version.

    - Note: If you are running Vista or Windows 7, you may need to right-click on the installation file and select Run as Administrator.

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 20

===


Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you unckeck the box on the top right "Include in your download" this is not required. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.

===

An important vulnerability has been identified in Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.185.22 and earlier versions for Android.Adobe recommends... update to Adobe Flash Player 10.3.181.22

Direct download current version - executable Flash Player installer... to your Desktop, then double-click to install.

Download for Internet Explorer

Download for Firefox and other browsers
<<<>>>

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

===

We will deal with the other two computer after the router and this PC is clean.

#9 Steve23

Steve23
  • Topic Starter

  • Members
  • 89 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rochester New York area
  • Local time:11:30 AM

Posted 18 September 2011 - 02:42 PM

nasdaq,

Appended Logs:
- ESET OnlineScan

In next post (because BC said this one was too long)
- SystemLook.txt

Thanks for all the really _great_ ideas! I learned alot while implementing them. I apologize that this has taken me a few hours to complete.

As mentioned in my initial post, I did a router reset last week, per http://www.bleepingcomputer.com/forums/topic418146.html, but I did it again this morning according to the method you specified.

Thank you for the reference to How to Secure Your Wireless Router. I followed this, per your instruction. In additon to WPA/WPA2-Personal(PSK) WPA2-PSK AES passworded security, I limited the IP Pool and blocked ICMP Pings. I’d like to disable SSID broadcast, but it seems the laptop will not auto-connect without the SSID being broadcast. Let’s just focus on the malware problem, unless this SSID-related auto-connectivity is somehow relevant. Also maybe related, or maybe just Dell, if I change the router configuration, the laptop needs to reboot to see the network again. It seems ‘hooked’ on the routers last settings, and the “Disable radio” software and hardware switches don’t reset the state to re-catch the new WiFi; but it auto-connects (provided SSID is broadcast) on cold boot or restart. I suspect it is just something in the Dell setup, but since we are talking about a potentially infected router, I mention it for your consideration.

Since, after the router reset, the laptop wireless gets ‘lost,’ I had to re-boot.

After the first reboot Adobe Reader updated via its own auto-download to 10.1.1 and requested a restart, which I did next. As usual, I got the *.png download request and cancelled it.

In changing back to my preferred router configuration I had to reboot a number of times. The sunupdt32.exe, mentioned in my initial post, is coming up each time and I need to click “End Now,” but the previously constant run32dll.exe, also mentioned in my initial post, does not come up for a forced close.

Upon each reboot, I still get the offer to download the *.png file. Once again, I hit cancel. However, one time I got a new download offer, which I also cancelled:
Posted Image

I then downloaded and ran SystemLook, per your suggestion. Since *.png is a standard image file format, it found quite a few. But as I mentioned in the initial post, the png file size offered in the download did not correspond to what would be appropriate for the image file size, based on the few times I did accept the download and open the image.

MS Photo always shows a 22px W x 15px H 24bit color French Flag at 1320 KB, which seems way too many KB’s given that I calculate based on size, color and header that this file should be only about 1 KB.


The JRE update completed. Java set for auto-update, as it was previously. Java 6 Update 20 was not present in Add / Remove Programs.

As to Adobe Flash version, your recommended minimum was 10.3.181.22. I was at 10.3.183.7, which is the latest version so I made no changes.

Ignore my previous question #2.

2) It seems some of my settings got reset, notably the laptop's touch pad configuration have been changed. Is this normal following the procedures performed?

The settings were all still in the configuration window and came back with full functionality upon opening then closing the mouse configuration window.

Regards,

Steve


C:\Documents and Settings\Owner\Application Data\Sun\SunUpdate\Sunupdt32.dll a variant of Win32/Kryptik.SSB trojan cleaned by deleting (after the next restart) - quarantined
C:\Documents and Settings\Owner\Application Data\Sun\SunUpdate\Sunupdt32.exe a variant of Win32/Kryptik.SSB trojan cleaned by deleting - quarantined
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\hdbfmimboapkccoppnemlneadgofialh\contentscript.js Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
C:\Documents and Settings\Owner\Local Settings\temp\NOD166F.tmp a variant of Win32/Kryptik.SSB trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\IntelBackupBackup.dll.vir a variant of Win32/Kryptik.SSB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{637C27D0-88F9-4F57-8ECA-C65B1B216BF7}\RP34\A0011606.dll a variant of Win32/Kryptik.SSB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{637C27D0-88F9-4F57-8ECA-C65B1B216BF7}\RP34\A0011607.exe a variant of Win32/Kryptik.SSB trojan cleaned by deleting - quarantined

#10 Steve23

Steve23
  • Topic Starter

  • Members
  • 89 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rochester New York area
  • Local time:11:30 AM

Posted 18 September 2011 - 02:47 PM

nasdaq,

I tried posting SystemLook log by itself and the forum says it is still too large. It has 946 lines; about 174,000 characters; 343KB. What do you want me to do? I could save and attach one of the offered downloads, but there's some risk with that.

Note: PNG Portable Network Graphics file format info at http://libpng.org/pub/png/ but I'm sure you already knew that.

Steve

Edited by Steve23, 18 September 2011 - 09:56 PM.


#11 nasdaq

nasdaq

  • Malware Response Team
  • 38,924 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:30 PM

Posted 19 September 2011 - 08:11 AM

You must have a lot of .png files that were found.

Let see what we can find about this bsbsyncvp.png (or similar name)

Next time you see the .png filename make a note of it.

If the file name ends with cvp.png bsbsyncvp.png

In the SystemLook box enter this

:filefind
*cvp.png

change the cvp for the string you know exists. Make sure your precede the string with an asterisk *

and make the search.

#12 Steve23

Steve23
  • Topic Starter

  • Members
  • 89 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rochester New York area
  • Local time:11:30 AM

Posted 19 September 2011 - 12:24 PM

You must have a lot of .png files that were found.

Yes. It is a very common file format on the web, like jpg. Most of my found *.png’s are legitimate.

Let see what we can find about this bsbsyncvp.png (or similar name) Next time you see the .png filename make a note of it.

I will keep a running list. I have googled a couple of the names. They do not exist.

As I mentioned in my original post, I had a Vundo virus on my home desktop PC, which is a different PC than the laptop we are currently working on, but it is presently still on the same router. I was never fully confident that the technician I hired completely fixed my PC, so maybe Vundo has a remnant that is still operative in some morphed form and it just jumped to the laptop the moment it connected to the router WiFi.

During the infection on my desktop PC, the Vundo virus spoofed hidden *.dll’s always using a certain naming format: alternating consonants and vowels with eight characters total, i.e. pipibuju.dll. The *.png filenames also follow a specific format: it is always four consonants, one vowel, then four consonants. My concern is not only what is in the *.png, but why is it being offered for download. The download offer appears to be at least every restart. If I did not have ‘always ask to confirm download' enabled, these files would come in unobstructed.

I apologize if I keep repeating from my original note what you already must have read. It seems relevant to recall and to highlight certain parts of that previous detailed account. To continue then:
When I save the *.png to my desktop and scan it for viruses using Symantec Endpoint Protection, it comes up clean. If I can remember, I’ll try it with MalwareBytes. Do you want me to try others? The few times I opened it, MSPhoto shows that the image is a very small French flag, 24bit color, with an image size of 22px W x 15px H. If I calculate the bytes for that image: (24 bits x 22 pixels x 15 pixels) / (8000 bits/kilobyte) = 1.08 KB. In a normal, healthy *.png file, it is standard for there to be some additional bytes for the image header. The files I get vary in size but are roughly 1000 times too big, i.e. 1320 KB in once instance. This makes me think they are padded with something malicious. What do you think of this idea: I will try to save one and open it in Photoshop and see if I can copy out the header content, paste it to a text file, zip it and send it to you?

As soon as possible I will try to use a more specific SystemLook search syntax to see if I can find any suspicious *.pngs. As I said, I always get a prompt to save, allow or cancel the download. The times I allowed download, I saved it to the desktop, then inspected and subsequently deleted the file. I doubt I will find any suspicious *.pngs because other than those few manual download actions followed by deletions, I have always cancelled the rogue file download attempt. Finding the source that triggers the download would seem to be the issue.

Thanks for your continued help!

Regards,

Steve
P.S. So I can best help you, how's the detail level for you so far? Too much or too little?

Edited by Steve23, 19 September 2011 - 12:28 PM.


#13 nasdaq

nasdaq

  • Malware Response Team
  • 38,924 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:30 PM

Posted 19 September 2011 - 01:30 PM

The *.png filenames also follow a specific format: it is always four consonants, one vowel, then four consonants.


Then it should be able to get only a few of them.


:filefind
*the last four consonants.png



Some this like this.

:filefind
*axdm.png

===

I find it strange that the DDS and ComboFix logs are not reporting any of the newly created .png files.
Lets see what this tool will report.

Lets try this also.

  • Download OTL to your Desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scan box paste this in

    %SYSTEMDRIVE%\*.exe
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\*. /mp /s
    c:\$recycle.bin\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    explorer.exe
    svchost.exe
    userinit.exe
    qmgr.dll
    proquota.exe
    kernel32.dll
    ndis.sys
    autochk.exe
    spoolsv.exe
    xmlprov.dll
    ntmssvc.dll
    mswsock.dll
    Beep.SYS
    ntfs.sys
    termsrv.dll
    sfcfiles.dll
    st3shark.sys
    ahcix86.sys
    srsvc.dll
    /md5stop
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.


#14 Steve23

Steve23
  • Topic Starter

  • Members
  • 89 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rochester New York area
  • Local time:11:30 AM

Posted 19 September 2011 - 02:54 PM

Then it should be able to get only a few of them.

nasdaq,
I am sorry I forgot to mention that the file names are random sqeuences of consonants and vowels, so I will not be able to concoct any search string. Also, I have not allowed a download of any of the png files, except for the two or three I already deleted. I understand you want me to find a downloaded *.png file, and perhaps to tell you where it is located. Is that correct? In order to do this, I would have to accept one of the offered downloads. Is that what you want me to do or is there another suggestion you have?

I find it strange that the DDS and ComboFix logs are not reporting any of the newly created .png files.

That is because before I first posted in this forum, I only saved three of the png's to examine them and then deleted then. Since then I have not saved any that have been offered for download. There should not be any on my system, which is why none are being found. Does that make sense?


Steve

Edited by Steve23, 19 September 2011 - 11:26 PM.


#15 Steve23

Steve23
  • Topic Starter

  • Members
  • 89 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Rochester New York area
  • Local time:11:30 AM

Posted 20 September 2011 - 12:01 AM

Appended:
  • OTL.Txt
  • Extras.Txt

The png download is no longer coming up!
It used to come up after re-boot and after coming out of sleep, but I have repeated each of these states twice and have not received the png download offer. The only thing that change since the last time I saw the png download is that I completed the JRE update.

As soon as possible I will try to use a more specific SystemLook search syntax to see if I can find any suspicious *.pngs.

I read all 946 lines of the SystemLook log and did not find any of the random sequences of consonant and vowel png filenames.

No longer having the png download offer means I cannot complete my two previous ideas:

If I can remember, I’ll try it (scan the png for viruses) with MalwareBytes.

and

I will try to save one and open it in Photoshop and see if I can copy out the header content, paste it to a text file, zip it and send it to you


I did go ahead and run OTL as you requested. Here are the logs.
OTL logfile created on: 9/20/2011 12:47:16 AM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.46 Gb Available Physical Memory | 73.45% Memory free
3.83 Gb Paging File | 3.49 Gb Available in Paging File | 91.02% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 136.59 Gb Free Space | 91.64% Space Free | Partition Type: NTFS

Computer Name: OWNER-634657A0E | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (Symantec Corporation)
PRC - C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel® Corporation)
PRC - C:\Program Files\Intel\WiFi\bin\WLKEEPER.exe (Intel® Corporation)
PRC - C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe (Intel® Corporation)
PRC - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe (Intel® Corporation)
PRC - C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel® Corporation)
PRC - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel® Corporation)
PRC - C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
PRC - C:\Program Files\Dell\QuickSet\NicConfigSvc.exe (Dell Inc.)
PRC - C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe (SigmaTel, Inc.)
PRC - C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Apoint\ApntEx.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Apoint\hidfind.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\PrintKey2000\Printkey2000.exe (Fred's Software)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Intel\WiFi\bin\iWMSProv.dll ()
MOD - C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\dlaapi_w.dll ()
MOD - C:\Program Files\Dell\QuickSet\dadkeyb.dll ()


========== Win32 Services (SafeList) ==========

SRV - (ccSetMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SRV - (ccEvtMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SRV - (SmcService) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (Symantec Corporation)
SRV - (SNAC) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE (Symantec Corporation)
SRV - (Symantec AntiVirus) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (Symantec Corporation)
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE (Symantec Corporation)
SRV - (EvtEng) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel® Corporation)
SRV - (WLANKEEPER) Intel® -- C:\Program Files\Intel\WiFi\bin\WLKEEPER.exe (Intel® Corporation)
SRV - (S24EventMonitor) -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe (Intel® Corporation)
SRV - (RegSrvc) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel® Corporation)
SRV - (NICCONFIGSVC) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe (Dell Inc.)


========== Driver Services (SafeList) ==========

DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (SRTSPL) -- C:\WINDOWS\system32\drivers\srtspl.sys (Symantec Corporation)
DRV - (SRTSP) -- C:\WINDOWS\system32\drivers\srtsp.sys (Symantec Corporation)
DRV - (SRTSPX) -- C:\WINDOWS\system32\drivers\srtspx.sys (Symantec Corporation)
DRV - (NAVEX15) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110907.024\NAVEX15.SYS (Symantec Corporation)
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (NAVENG) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110907.024\NAVENG.SYS (Symantec Corporation)
DRV - (SPBBCDrv) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec Corporation)
DRV - (SYMTDI) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS (Symantec Corporation)
DRV - (SYMREDRV) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS (Symantec Corporation)
DRV - (COH_Mon) -- C:\WINDOWS\system32\drivers\COH_Mon.sys (Symantec Corporation)
DRV - (NETw5x32) Intel® -- C:\WINDOWS\system32\drivers\NETw5x32.sys (Intel Corporation)
DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation)
DRV - (guardian2) -- C:\WINDOWS\system32\drivers\oz776.sys (O2Micro)
DRV - (DLADResM) -- C:\WINDOWS\system32\drivers\DLADResM.SYS (Roxio)
DRV - (DLABMFSM) -- C:\WINDOWS\system32\drivers\DLABMFSM.SYS (Roxio)
DRV - (DLAUDF_M) -- C:\WINDOWS\system32\drivers\DLAUDF_M.SYS (Roxio)
DRV - (DLAUDFAM) -- C:\WINDOWS\system32\drivers\DLAUDFAM.SYS (Roxio)
DRV - (DLAOPIOM) -- C:\WINDOWS\system32\drivers\DLAOPIOM.SYS (Roxio)
DRV - (DLABOIOM) -- C:\WINDOWS\system32\drivers\DLABOIOM.SYS (Roxio)
DRV - (DLAPoolM) -- C:\WINDOWS\system32\drivers\DLAPoolM.SYS (Roxio)
DRV - (DLAIFS_M) -- C:\WINDOWS\system32\drivers\DLAIFS_M.SYS (Roxio)
DRV - (DLARTL_M) -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS (Roxio)
DRV - (DLACDBHM) -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS (Roxio)
DRV - (NWADI) -- C:\WINDOWS\system32\drivers\NWADIenum.sys (Novatel Wireless Inc)
DRV - (PCASp50) -- C:\WINDOWS\system32\drivers\PCASp50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (ApfiltrService) -- C:\WINDOWS\system32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (APPDRV) -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS (Dell Inc)
DRV - (el575nd5) -- C:\WINDOWS\system32\drivers\el575ND5.sys (3Com Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 9A 70 E1 0C DB 70 C1 42 94 BA 3E 20 50 AA 39 78 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



========== Chrome ==========

CHR - default_search_provider: ()
CHR - default_search_provider: search_url =
CHR - default_search_provider: suggest_url =

O1 HOSTS File: ([2011/09/17 15:17:13 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel® Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe (Intel® Corporation)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe (SigmaTel, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html File not found
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 209.18.47.61 209.18.47.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C6D35515-D022-41D6-A67F-1F22A1B50683}: DhcpNameServer = 192.168.2.1 209.18.47.61 209.18.47.62
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/06/28 15:34:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/09/20 00:45:14 | 000,582,656 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/09/18 14:39:47 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/09/18 13:44:39 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/09/18 13:44:24 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/09/18 13:44:24 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/09/18 13:44:24 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/09/18 13:44:24 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/09/18 13:44:06 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2011/09/18 13:27:14 | 016,897,824 | ---- | C] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Owner\Desktop\jre-6u27-windows-i586.exe
[2011/09/18 13:05:47 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/09/17 15:13:35 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/09/17 15:12:09 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/09/17 15:12:09 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/09/17 15:12:09 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/09/17 15:12:09 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/09/17 15:12:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/09/17 15:12:03 | 000,000,000 | ---D | C] -- C:\ComboFix
[2011/09/17 15:11:59 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/09/17 15:11:14 | 004,214,521 | R--- | C] (Swearware) -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2011/09/17 12:58:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2011/09/17 12:58:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/09/17 12:58:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/09/17 12:58:33 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/09/17 12:58:33 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/09/17 12:56:31 | 009,852,544 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mbam-setup-1.51.2.1300.exe
[2011/09/17 12:47:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\tdsskiller
[2011/09/17 12:41:14 | 001,916,416 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Owner\Desktop\aswMBR.exe
[2011/09/11 01:08:52 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Recent
[2011/09/10 20:28:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Downloads
[2011/09/10 15:04:47 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2011/09/10 00:55:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
[2011/09/10 00:55:53 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2011/09/07 23:32:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\My Received Files
[2011/09/07 22:31:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office Tools
[2011/09/07 22:31:19 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft ActiveSync
[2011/09/07 22:30:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Designer
[2011/09/07 22:28:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\ShellNew
[2011/09/07 22:27:50 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Office
[2011/09/07 22:15:03 | 000,000,000 | ---D | C] -- C:\Program Files\PrintKey2000
[2011/09/07 22:15:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Programs\PrintKey2000
[2011/09/07 01:31:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2011/09/07 00:46:56 | 000,107,936 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\SymVPN.dll
[2011/09/07 00:46:56 | 000,087,456 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\FwsVpn.dll
[2011/09/07 00:46:55 | 000,321,016 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\srtspl.sys
[2011/09/07 00:46:55 | 000,287,352 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\srtsp.sys
[2011/09/07 00:46:55 | 000,043,768 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\srtspx.sys
[2011/09/06 20:41:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Symantec
[2011/09/06 20:39:26 | 000,125,488 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2011/09/06 20:39:26 | 000,060,808 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2011/09/06 20:39:08 | 000,511,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\capicom.dll
[2011/09/06 20:38:53 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2011/09/06 20:38:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Symantec Endpoint Protection
[2011/09/06 20:38:53 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2011/09/06 20:38:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2011/09/06 19:24:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2011/09/06 19:23:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome
[2011/09/06 19:21:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Temp
[2011/09/06 19:21:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2011/09/06 19:19:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Google
[2011/09/06 19:18:39 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2011/09/06 19:17:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2011/09/06 19:17:24 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2011/09/06 19:17:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Adobe
[2011/09/06 19:16:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2011/09/06 19:16:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Google
[2011/09/06 19:16:37 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2011/09/06 19:16:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2011/08/22 16:38:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2011/08/22 16:34:37 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/08/22 14:00:08 | 000,021,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\hidserv.dll
[2011/08/22 14:00:00 | 000,012,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mouhid.sys
[2011/08/22 13:59:56 | 000,014,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdhid.sys
[2011/08/22 13:59:48 | 000,010,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\hidusb.sys
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[1 C:\Documents and Settings\Owner\Desktop\*.tmp files -> C:\Documents and Settings\Owner\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/09/20 00:45:18 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/09/20 00:31:16 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/09/20 00:17:43 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/09/20 00:17:29 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/09/20 00:17:19 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/09/20 00:17:17 | 2137,120,768 | -HS- | M] () -- C:\hiberfil.sys
[2011/09/18 13:44:09 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/09/18 13:44:09 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/09/18 13:44:09 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/09/18 13:44:09 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/09/18 13:44:09 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/09/18 13:27:14 | 016,897,824 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Owner\Desktop\jre-6u27-windows-i586.exe
[2011/09/18 13:06:07 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SystemLook.exe
[2011/09/18 12:53:36 | 000,064,775 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\New File Download.jpg
[2011/09/17 19:16:17 | 000,879,225 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SecurityCheck.exe
[2011/09/17 15:17:13 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/09/17 15:13:38 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/09/17 15:11:22 | 004,214,521 | R--- | M] (Swearware) -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2011/09/17 15:11:14 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\8bdbd82f
[2011/09/17 15:11:11 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\6b0627d0
[2011/09/17 12:58:37 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/17 12:56:35 | 009,852,544 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mbam-setup-1.51.2.1300.exe
[2011/09/17 12:47:07 | 001,388,161 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\tdsskiller.zip
[2011/09/17 12:46:15 | 000,000,499 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MBR.zip
[2011/09/17 12:45:59 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MBR.dat
[2011/09/17 12:41:15 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Owner\Desktop\aswMBR.exe
[2011/09/16 21:56:23 | 000,001,713 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\9c7e502a
[2011/09/16 21:20:55 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\e37e28d0
[2011/09/15 11:57:06 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/09/10 20:39:13 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\defogger_reenable
[2011/09/10 13:43:33 | 000,481,568 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/09/10 13:43:33 | 000,079,476 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/09/09 05:12:13 | 000,599,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\crypt32.dll
[2011/09/08 07:23:08 | 000,001,487 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Explorer.lnk
[2011/09/08 01:50:28 | 000,111,784 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/09/07 22:58:19 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Outlook.lnk
[2011/09/07 22:31:55 | 000,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2011/09/07 22:31:22 | 000,001,730 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
[2011/09/07 22:15:03 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Printkey2000.lnk
[2011/09/07 09:52:09 | 000,001,791 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/09/07 00:50:00 | 000,125,488 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2011/09/07 00:50:00 | 000,060,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2011/09/07 00:50:00 | 000,007,456 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2011/09/07 00:50:00 | 000,000,806 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2011/09/07 00:46:56 | 000,107,936 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\SymVPN.dll
[2011/09/07 00:46:56 | 000,087,456 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\FwsVpn.dll
[2011/09/07 00:46:55 | 000,321,016 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\srtspl.sys
[2011/09/07 00:46:55 | 000,287,352 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\srtsp.sys
[2011/09/07 00:46:55 | 000,043,768 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\srtspx.sys
[2011/09/07 00:46:55 | 000,007,454 | ---- | M] () -- C:\WINDOWS\System32\drivers\srtspx.cat
[2011/09/07 00:46:55 | 000,007,454 | ---- | M] () -- C:\WINDOWS\System32\drivers\srtspl.cat
[2011/09/07 00:46:55 | 000,007,450 | ---- | M] () -- C:\WINDOWS\System32\drivers\srtsp.cat
[2011/09/07 00:46:55 | 000,001,430 | ---- | M] () -- C:\WINDOWS\System32\drivers\srtspl.inf
[2011/09/07 00:46:55 | 000,001,421 | ---- | M] () -- C:\WINDOWS\System32\drivers\srtspx.inf
[2011/09/07 00:46:55 | 000,001,415 | ---- | M] () -- C:\WINDOWS\System32\drivers\srtsp.inf
[2011/09/06 20:15:47 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/09/06 19:22:35 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[1 C:\Documents and Settings\Owner\Desktop\*.tmp files -> C:\Documents and Settings\Owner\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/18 13:06:05 | 000,139,264 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SystemLook.exe
[2011/09/18 12:53:36 | 000,064,775 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\New File Download.jpg
[2011/09/17 19:16:13 | 000,879,225 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SecurityCheck.exe
[2011/09/17 15:13:38 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/09/17 15:13:35 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/09/17 15:12:09 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/09/17 15:12:09 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/09/17 15:12:09 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/09/17 15:12:09 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/09/17 15:12:09 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/09/17 12:58:37 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/17 12:47:07 | 001,388,161 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\tdsskiller.zip
[2011/09/17 12:46:15 | 000,000,499 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MBR.zip
[2011/09/17 12:45:59 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MBR.dat
[2011/09/15 11:57:04 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2011/09/10 20:39:13 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\defogger_reenable
[2011/09/10 14:45:17 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\e37e28d0
[2011/09/07 22:58:15 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Outlook.lnk
[2011/09/07 22:31:55 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011/09/07 22:31:22 | 000,002,489 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Word.lnk
[2011/09/07 22:31:22 | 000,002,487 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Excel.lnk
[2011/09/07 22:31:22 | 000,002,046 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Outlook.lnk
[2011/09/07 22:31:22 | 000,002,002 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft PowerPoint.lnk
[2011/09/07 22:31:22 | 000,001,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
[2011/09/07 22:15:03 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Printkey2000.lnk
[2011/09/07 09:30:59 | 2137,120,768 | -HS- | C] () -- C:\hiberfil.sys
[2011/09/07 01:33:04 | 000,001,713 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\9c7e502a
[2011/09/07 01:33:01 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\8bdbd82f
[2011/09/07 01:31:49 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\6b0627d0
[2011/09/07 00:46:55 | 000,007,454 | ---- | C] () -- C:\WINDOWS\System32\drivers\srtspx.cat
[2011/09/07 00:46:55 | 000,007,454 | ---- | C] () -- C:\WINDOWS\System32\drivers\srtspl.cat
[2011/09/07 00:46:55 | 000,007,450 | ---- | C] () -- C:\WINDOWS\System32\drivers\srtsp.cat
[2011/09/07 00:46:55 | 000,001,430 | ---- | C] () -- C:\WINDOWS\System32\drivers\srtspl.inf
[2011/09/07 00:46:55 | 000,001,421 | ---- | C] () -- C:\WINDOWS\System32\drivers\srtspx.inf
[2011/09/07 00:46:55 | 000,001,415 | ---- | C] () -- C:\WINDOWS\System32\drivers\srtsp.inf
[2011/09/06 20:39:26 | 000,007,456 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2011/09/06 20:39:26 | 000,000,806 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2011/09/06 20:15:47 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/09/06 19:23:31 | 000,001,791 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/09/06 19:18:51 | 000,002,315 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2011/09/06 19:16:54 | 000,000,884 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/09/06 19:16:53 | 000,000,880 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/06/29 11:15:31 | 000,000,234 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/06/28 15:55:08 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4814.dll
[2010/06/28 15:37:24 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/06/28 15:31:12 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/06/28 11:23:53 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/06/28 11:22:36 | 000,111,784 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/04/14 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/14 08:00:00 | 000,481,568 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/14 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/14 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/14 08:00:00 | 000,079,476 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/14 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/14 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/14 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/14 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/14 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2005/04/15 12:52:33 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/04/15 12:52:33 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat

========== LOP Check ==========

[2010/06/28 16:29:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UIB
[2010/06/29 11:16:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %systemroot%\system32\drivers\*.sys /90 >
[2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2011/07/15 09:29:31 | 000,456,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys
[2011/07/08 10:02:00 | 000,010,496 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\ndistapi.sys
[2011/06/24 10:10:36 | 000,139,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\rdpwd.sys
[2011/09/07 00:46:55 | 000,287,352 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\srtsp.sys
[2011/09/07 00:46:55 | 000,321,016 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\srtspl.sys
[2011/09/07 00:46:55 | 000,043,768 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\srtspx.sys
[2011/09/07 00:50:00 | 000,125,488 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS

< %systemroot%\*. /mp /s >

< c:\$recycle.bin\*.* /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-09-15 15:58:41


< MD5 for: AGP440.SYS >
[2008/04/14 08:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2008/04/14 08:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/14 08:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys

< MD5 for: AUTOCHK.EXE >
[2008/04/14 08:00:00 | 000,588,800 | ---- | M] (Microsoft Corporation) MD5=23043C91A0F9DFB4B9E9F87B680863B4 -- C:\cmdcons\autochk.exe
[2008/04/14 08:00:00 | 000,588,800 | ---- | M] (Microsoft Corporation) MD5=23043C91A0F9DFB4B9E9F87B680863B4 -- C:\WINDOWS\system32\autochk.exe
[2008/04/14 08:00:00 | 000,588,800 | ---- | M] (Microsoft Corporation) MD5=23043C91A0F9DFB4B9E9F87B680863B4 -- C:\WINDOWS\system32\dllcache\autochk.exe

< MD5 for: BEEP.SYS >
[2008/04/14 08:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\WINDOWS\ERDNT\cache\beep.sys
[2008/04/14 08:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\WINDOWS\system32\dllcache\beep.sys
[2008/04/14 08:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\WINDOWS\system32\drivers\beep.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 08:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/14 08:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 08:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: EXPLORER.EXE >
[2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\system32\dllcache\explorer.exe

< MD5 for: IASTOR.SYS >
[2008/07/21 01:44:44 | 000,324,120 | ---- | M] (Intel Corporation) MD5=707C1692214B1C290271067197F075F6 -- C:\WINDOWS\Dell\Intel\IaStor.sys

< MD5 for: KERNEL32.DLL >
[2009/03/21 10:06:58 | 000,989,696 | ---- | M] (Microsoft Corporation) MD5=B921FB870C9AC0D509B2CCABBBBE95F3 -- C:\WINDOWS\ERDNT\cache\kernel32.dll
[2009/03/21 10:06:58 | 000,989,696 | ---- | M] (Microsoft Corporation) MD5=B921FB870C9AC0D509B2CCABBBBE95F3 -- C:\WINDOWS\system32\dllcache\kernel32.dll
[2009/03/21 10:06:58 | 000,989,696 | ---- | M] (Microsoft Corporation) MD5=B921FB870C9AC0D509B2CCABBBBE95F3 -- C:\WINDOWS\system32\kernel32.dll
[2008/04/14 08:00:00 | 000,989,696 | ---- | M] (Microsoft Corporation) MD5=C24B983D211C34DA8FCC1AC38477971D -- C:\WINDOWS\$NtUninstallKB959426$\kernel32.dll
[2009/03/21 09:59:23 | 000,991,744 | ---- | M] (Microsoft Corporation) MD5=DA11D9D6ECBDF0F93436A4B7C13F7BEC -- C:\WINDOWS\$hf_mig$\KB959426\SP3QFE\kernel32.dll

< MD5 for: MSWSOCK.DLL >
[2008/06/20 13:46:57 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=832E4DD8964AB7ACC880B2837CB1ED20 -- C:\WINDOWS\$NtUninstallKB2509553$\mswsock.dll
[2008/06/20 12:02:47 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=943337D786A56729263071623BBB9DE5 -- C:\WINDOWS\ERDNT\cache\mswsock.dll
[2008/06/20 12:02:47 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=943337D786A56729263071623BBB9DE5 -- C:\WINDOWS\system32\dllcache\mswsock.dll
[2008/06/20 12:02:47 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=943337D786A56729263071623BBB9DE5 -- C:\WINDOWS\system32\mswsock.dll
[2008/04/14 08:00:00 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=B4138E99236F0F57D4CF49BAE98A0746 -- C:\WINDOWS\$NtUninstallKB951748$\mswsock.dll
[2008/06/20 13:43:05 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=FCEE5FCB99F7C724593365C706D28388 -- C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\mswsock.dll
[2008/06/20 13:43:05 | 000,245,248 | ---- | M] (Microsoft Corporation) MD5=FCEE5FCB99F7C724593365C706D28388 -- C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\mswsock.dll

< MD5 for: NDIS.SYS >
[2008/04/14 08:00:00 | 000,182,656 | ---- | M] (Microsoft Corporation) MD5=1DF7F42665C94B825322FAE71721130D -- C:\WINDOWS\ERDNT\cache\ndis.sys
[2008/04/14 08:00:00 | 000,182,656 | ---- | M] (Microsoft Corporation) MD5=1DF7F42665C94B825322FAE71721130D -- C:\WINDOWS\system32\dllcache\ndis.sys
[2008/04/14 08:00:00 | 000,182,656 | ---- | M] (Microsoft Corporation) MD5=1DF7F42665C94B825322FAE71721130D -- C:\WINDOWS\system32\drivers\ndis.sys

< MD5 for: NETLOGON.DLL >
[2008/04/14 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/14 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: NTFS.SYS >
[2008/04/14 08:00:00 | 000,574,976 | ---- | M] (Microsoft Corporation) MD5=78A08DD6A8D65E697C18E1DB01C5CDCA -- C:\WINDOWS\ERDNT\cache\ntfs.sys
[2008/04/14 08:00:00 | 000,574,976 | ---- | M] (Microsoft Corporation) MD5=78A08DD6A8D65E697C18E1DB01C5CDCA -- C:\WINDOWS\system32\dllcache\ntfs.sys
[2008/04/14 08:00:00 | 000,574,976 | ---- | M] (Microsoft Corporation) MD5=78A08DD6A8D65E697C18E1DB01C5CDCA -- C:\WINDOWS\system32\drivers\ntfs.sys
[2004/08/03 23:15:10 | 000,574,592 | ---- | M] (Microsoft Corporation) MD5=B78BE402C3F63DD55521F73876951CDD -- C:\cmdcons\NTFS.SYS

< MD5 for: NTMSSVC.DLL >
[2008/04/14 08:00:00 | 000,435,200 | ---- | M] (Microsoft Corporation) MD5=156F64A3345BD23C600655FB4D10BC08 -- C:\WINDOWS\ERDNT\cache\ntmssvc.dll
[2008/04/14 08:00:00 | 000,435,200 | ---- | M] (Microsoft Corporation) MD5=156F64A3345BD23C600655FB4D10BC08 -- C:\WINDOWS\system32\dllcache\ntmssvc.dll
[2008/04/14 08:00:00 | 000,435,200 | ---- | M] (Microsoft Corporation) MD5=156F64A3345BD23C600655FB4D10BC08 -- C:\WINDOWS\system32\ntmssvc.dll

< MD5 for: NVGTS.SYS >
[2008/01/21 14:15:22 | 000,102,400 | ---- | M] (NVIDIA Corporation) MD5=A0B3F3A5049931657164F0FFCF0B208E -- C:\WINDOWS\Dell\NVidia\nvgts.sys

< MD5 for: PROQUOTA.EXE >
[2008/04/14 08:00:00 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=F6465A2EEF75468988A4FCF124148FA8 -- C:\WINDOWS\system32\dllcache\proquota.exe
[2008/04/14 08:00:00 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=F6465A2EEF75468988A4FCF124148FA8 -- C:\WINDOWS\system32\proquota.exe

< MD5 for: QMGR.DLL >
[2008/04/14 08:00:00 | 000,409,088 | ---- | M] (Microsoft Corporation) MD5=574738F61FCA2935F5265DC4E5691314 -- C:\WINDOWS\ERDNT\cache\qmgr.dll
[2008/04/14 08:00:00 | 000,409,088 | ---- | M] (Microsoft Corporation) MD5=574738F61FCA2935F5265DC4E5691314 -- C:\WINDOWS\system32\dllcache\qmgr.dll
[2008/04/14 08:00:00 | 000,409,088 | ---- | M] (Microsoft Corporation) MD5=574738F61FCA2935F5265DC4E5691314 -- C:\WINDOWS\system32\qmgr.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 08:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/14 08:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 08:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: SFCFILES.DLL >
[2008/04/14 08:00:00 | 001,614,848 | ---- | M] (Microsoft Corporation) MD5=9DD07AF82244867CA36681EA2D29CE79 -- C:\WINDOWS\ERDNT\cache\sfcfiles.dll
[2008/04/14 08:00:00 | 001,614,848 | ---- | M] (Microsoft Corporation) MD5=9DD07AF82244867CA36681EA2D29CE79 -- C:\WINDOWS\system32\dllcache\sfcfiles.dll
[2008/04/14 08:00:00 | 001,614,848 | ---- | M] (Microsoft Corporation) MD5=9DD07AF82244867CA36681EA2D29CE79 -- C:\WINDOWS\system32\sfcfiles.dll

< MD5 for: SPOOLSV.EXE >
[2010/08/17 09:19:36 | 000,058,880 | ---- | M] (Microsoft Corporation) MD5=258DD5D4283FD9F9A7166BE9AE45CE73 -- C:\WINDOWS\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe
[2010/08/17 09:17:06 | 000,058,880 | ---- | M] (Microsoft Corporation) MD5=60784F891563FB1B767F70117FC2428F -- C:\WINDOWS\ERDNT\cache\spoolsv.exe
[2010/08/17 09:17:06 | 000,058,880 | ---- | M] (Microsoft Corporation) MD5=60784F891563FB1B767F70117FC2428F -- C:\WINDOWS\system32\dllcache\spoolsv.exe
[2010/08/17 09:17:06 | 000,058,880 | ---- | M] (Microsoft Corporation) MD5=60784F891563FB1B767F70117FC2428F -- C:\WINDOWS\system32\spoolsv.exe
[2008/04/14 08:00:00 | 000,057,856 | ---- | M] (Microsoft Corporation) MD5=D8E14A61ACC1D4A6CD0D38AEBAC7FA3B -- C:\WINDOWS\$NtUninstallKB2347290$\spoolsv.exe

< MD5 for: SRSVC.DLL >
[2008/04/14 08:00:00 | 000,171,008 | ---- | M] (Microsoft Corporation) MD5=3805DF0AC4296A34BA4BF93B346CC378 -- C:\WINDOWS\ERDNT\cache\srsvc.dll
[2008/04/14 08:00:00 | 000,171,008 | ---- | M] (Microsoft Corporation) MD5=3805DF0AC4296A34BA4BF93B346CC378 -- C:\WINDOWS\system32\dllcache\srsvc.dll
[2008/04/14 08:00:00 | 000,171,008 | ---- | M] (Microsoft Corporation) MD5=3805DF0AC4296A34BA4BF93B346CC378 -- C:\WINDOWS\system32\srsvc.dll

< MD5 for: SVCHOST.EXE >
[2008/04/14 08:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ERDNT\cache\svchost.exe
[2008/04/14 08:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\dllcache\svchost.exe
[2008/04/14 08:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe

< MD5 for: TERMSRV.DLL >
[2008/04/14 08:00:00 | 000,295,424 | ---- | M] (Microsoft Corporation) MD5=FF3477C03BE7201C294C35F684B3479F -- C:\WINDOWS\ERDNT\cache\termsrv.dll
[2008/04/14 08:00:00 | 000,295,424 | ---- | M] (Microsoft Corporation) MD5=FF3477C03BE7201C294C35F684B3479F -- C:\WINDOWS\system32\dllcache\termsrv.dll
[2008/04/14 08:00:00 | 000,295,424 | ---- | M] (Microsoft Corporation) MD5=FF3477C03BE7201C294C35F684B3479F -- C:\WINDOWS\system32\termsrv.dll

< MD5 for: USERINIT.EXE >
[2008/04/14 08:00:00 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ERDNT\cache\userinit.exe
[2008/04/14 08:00:00 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\dllcache\userinit.exe
[2008/04/14 08:00:00 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: XMLPROV.DLL >
[2008/04/14 08:00:00 | 000,129,024 | ---- | M] (Microsoft Corporation) MD5=295D21F14C335B53CB8154E5B1F892B9 -- C:\WINDOWS\ERDNT\cache\xmlprov.dll
[2008/04/14 08:00:00 | 000,129,024 | ---- | M] (Microsoft Corporation) MD5=295D21F14C335B53CB8154E5B1F892B9 -- C:\WINDOWS\system32\dllcache\xmlprov.dll
[2008/04/14 08:00:00 | 000,129,024 | ---- | M] (Microsoft Corporation) MD5=295D21F14C335B53CB8154E5B1F892B9 -- C:\WINDOWS\system32\xmlprov.dll

< End of report >

OTL Extras logfile created on: 9/20/2011 12:47:16 AM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.46 Gb Available Physical Memory | 73.45% Memory free
3.83 Gb Paging File | 3.49 Gb Available in Paging File | 91.02% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 136.59 Gb Free Space | 91.64% Space Free | Partition Type: NTFS

Computer Name: OWNER-634657A0E | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe" = C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe:*:Enabled:SMC Service -- (Symantec Corporation)
"C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE" = C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE:*:Enabled:SNAC Service -- (Symantec Corporation)
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email -- (Symantec Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0394CDC8-FABD-4ED8-B104-03393876DFDF}" = Roxio Creator Tools
"{07159635-9DFE-4105-BFC0-2817DB540C68}" = Roxio Activation Module
"{0D397393-9B50-4C52-84D5-77E344289F87}" = Roxio Creator Data
"{26A24AE4-039D-4CA4-87B4-2F83216027FF}" = Java™ 6 Update 27
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{52A7C6A6-6B88-47D1-922E-9F8A7E089E6A}" = Intel® PROSet/Wireless WiFi Software
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{83FFCFC7-88C6-41C6-8752-958A45325C82}" = Roxio Creator Audio
"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Sonic CinePlayer Decoder Pack
"{8E7D7400-4F4F-409D-8F8A-43BF1DAC575A}" = TouchChip USB Driver 2.6
"{90110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AAE221D5-C3DD-4FE2-A063-C1368FE730A5}" = Symantec Endpoint Protection
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.1)
"{B7F54262-AB66-44B3-88BF-9FC69941B643}" = Broadcom Gigabit Integrated Controller
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{EDC2B89F-3F72-48EA-B63E-985BC51622E4}" = OZ776 SCR Driver V1.1.4.202
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"CCleaner" = CCleaner
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"ESET Online Scanner" = ESET Online Scanner v3
"Google Chrome" = Google Chrome
"HDMI" = Intel® Graphics Media Accelerator Driver
"ie8" = Windows Internet Explorer 8
"InstallShield_{EDC2B89F-3F72-48EA-B63E-985BC51622E4}" = OZ776 SCR Driver V1.1.4.202
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"PrintKey2000" = PrintKey2000
"ProInst" = Intel PROSet Wireless
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/6/2011 8:41:36 PM | Computer Name = OWNER-634657A0E | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 9/6/2011 8:52:27 PM | Computer Name = OWNER-634657A0E | Source = SescLU | ID = 13
Description = LiveUpdate returned a non-critical error. Available content updates
may have failed to install.

Error - 9/6/2011 8:54:08 PM | Computer Name = OWNER-634657A0E | Source = SescLU | ID = 13
Description = LiveUpdate returned a non-critical error. Available content updates
may have failed to install.

Error - 9/6/2011 8:54:24 PM | Computer Name = OWNER-634657A0E | Source = SescLU | ID = 13
Description = LiveUpdate returned a non-critical error. Available content updates
may have failed to install.

Error - 9/6/2011 8:54:39 PM | Computer Name = OWNER-634657A0E | Source = SescLU | ID = 13
Description = LiveUpdate returned a non-critical error. Available content updates
may have failed to install.

Error - 9/6/2011 11:28:14 PM | Computer Name = OWNER-634657A0E | Source = Symantec AntiVirus | ID = 16711754
Description = TruScan has generated an error: code 11: description: Whitelist Failure

Error - 9/8/2011 8:40:48 AM | Computer Name = OWNER-634657A0E | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Tracking Cookies in File: Cookie:owner@content.yieldmanager.com/
by: Manual scan. Action: Quarantine failed : Leave Alone failed. Action Description:
The file was deleted successfully.

Error - 9/10/2011 2:32:43 AM | Computer Name = OWNER-634657A0E | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module shlwapi.dll, version 6.0.2900.5912, fault address 0x00008434.

Error - 9/17/2011 12:48:20 PM | Computer Name = OWNER-634657A0E | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 9/17/2011 12:48:20 PM | Computer Name = OWNER-634657A0E | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

[ System Events ]
Error - 9/6/2011 9:04:15 PM | Computer Name = OWNER-634657A0E | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 30 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 9/6/2011 9:04:15 PM | Computer Name = OWNER-634657A0E | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 30 minutes. NtpClient has no source of accurate
time.

Error - 9/6/2011 9:05:13 PM | Computer Name = OWNER-634657A0E | Source = PSched | ID = 14103
Description = QoS [Adapter {C6D35515-D022-41D6-A67F-1F22A1B50683}]: The netcard driver
failed the query for OID_GEN_LINK_SPEED.

Error - 9/6/2011 9:05:14 PM | Computer Name = OWNER-634657A0E | Source = NETw5x32 | ID = 262187
Description =

Error - 9/6/2011 9:05:14 PM | Computer Name = OWNER-634657A0E | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 9/6/2011 9:05:14 PM | Computer Name = OWNER-634657A0E | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 9/6/2011 9:12:05 PM | Computer Name = OWNER-634657A0E | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Activation
permission for the COM Server application with CLSID {BA126AD1-2166-11D1-B1D0-00805FC1270E}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 9/6/2011 9:12:10 PM | Computer Name = OWNER-634657A0E | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 9/6/2011 9:12:10 PM | Computer Name = OWNER-634657A0E | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 9/6/2011 9:12:10 PM | Computer Name = OWNER-634657A0E | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.


< End of report >




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users