Infected with TLD4@MBR, constant url requests


This topic is locked
29 replies to this topic

#1 AFierceThomas

  • Members
  • 14 posts

Posted 13 October 2011 - 08:39 AM

I've got an aging XP machine that I'm trying to clean out, and I've run across an amazingly persistent virus of some sort. Trend Micro is blocking upwards of thousands of URL requests and redirects on a daily basis, yet I haven't been able to locate any real malware during several system scans with different antivirus software, including TrendMicro, MWB, MSE, and Hitman. I've run a CCleaner sweep just to clear out the obvious junk, but the problem persists, and nothing is still registering on my scans.

Now, I've walked through the preliminary steps before posting here. Thank you very much for providing those; they were very helpful. It looks like they have uncovered a rootkit of some kind, but I'm at a loss at this point as to how to actually do anything about it.

Here are my DDS logs, and I have attached the attach.txt file as well. Thanks to everyone in advance for their help!

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by dbowman at 17:08:40 on 2011-10-12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.252 [GMT -4:00]
.
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {ED8B6AC8-7BCA-429D-BC49-3CA7D5C6C41F}
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {DEF67AB4-9CE0-48BD-9309-A843A3AEF4B8}
FW: Trend Micro Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://cms.fiercemarkets.com/cms/webfirst/PublisherHome.cfm?message=&CFID=3169&CFTOKEN=13622878
uWindow Title = Microsoft Internet Explorer presented by Comcast
mWindow Title = Microsoft Internet Explorer presented by Comcast
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {61539ECD-CC67-4437-A03C-9AACCBD14326} - No File
uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [<NO NAME>]
mRun: [ibmmessages] c:\program files\ibm\messages by ibm\\ibmmessages.exe
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MsgCenterExe] "c:\program files\common files\real\update_ob\RealOneMessageCenter.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 4.0\apdproxy.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{b0bf7057-6869-4e4b-920c-ea2a58da07f0}\Icon3E5562ED7.ico
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://ntn-trend/officescan/console/html/ClientInstall/WinNTChk.cab
DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} - hxxps://ntn-trend/officescan/console/html/ClientInstall/setupini.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://ntn-trend/officescan/console/html/ClientInstall/setup.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://ntn-trend/officescan/console/html/ClientInstall/RemoveCtrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} - hxxp://simcity.ea.com/play/classic/SimCityX.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{00A9C424-C625-4D3E-A6FF-A1AEA2ADB773} : DhcpNameServer = 10.120.2.10 10.110.2.9 8.8.8.8
TCP: Interfaces\{9996BC44-4007-4CF7-81C6-CB2935DE0BCC} : DhcpNameServer = 208.39.140.42 64.56.37.246
TCP: Interfaces\{EB670D32-E165-44B9-A117-A59DEE093EFE} : DhcpNameServer = 10.0.0.1
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
Notify: QConGina - QConGina.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli pwdmon
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\dbowman\application data\mozilla\firefox\profiles\ya93q3z3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\documents and settings\dbowman\application data\mozilla\firefox\profiles\ya93q3z3.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\MailUtil.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: AOL Messaging Toolbar: {c2f863cd-0429-48c7-bb54-db756a951760} - %profile%\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {0757E78D-0408-4A51-B3DB-939D54E3A82F} - c:\documents and settings\dbowman\local settings\application data\{0757E78D-0408-4A51-B3DB-939D54E3A82F}
FF - Ext: XULRunner: {E5B82655-C566-4FE6-9552-83824EBE5E02} - c:\documents and settings\admin2\local settings\application data\{E5B82655-C566-4FE6-9552-83824EBE5E02}
FF - Ext: XULRunner: {379EEEC8-AC1A-4295-8C59-2C23DFA4109C} - c:\documents and settings\itshare\local settings\application data\{379EEEC8-AC1A-4295-8C59-2C23DFA4109C}
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [2006-6-7 14208]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-29 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-8-3 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-3-27 47640]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-9-7 51792]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXpflt.sys [2009-12-4 249424]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\TmPreflt.sys [2009-12-4 36432]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-11 24652]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2010-1-4 339984]
R3 TmPfw;OfficeScan NT Firewall;c:\program files\trend micro\officescan client\TmPfw.exe [2009-7-15 497008]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2009-7-15 689416]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [2006-6-7 6016]
R3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [1980-1-1 14336]
S0 khqlmxop;khqlmxop;c:\windows\system32\drivers\oopuhnpkpjv.sys [2010-9-3 69504]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe --start-service --> c:\program files\secunia\psi\sua.exe --start-service [?]
S3 ACTSBUS;ACTScom USB Composite Device Driver;c:\windows\system32\drivers\actsbus.sys --> c:\windows\system32\drivers\ACTSBUS.sys [?]
S3 ACTSCVsp;ACTScom CM Port;c:\windows\system32\drivers\actscvsp.sys --> c:\windows\system32\drivers\ACTSCVsp.sys [?]
S3 ACTSFLT;ACTScom Auto-Install CD-ROM;c:\windows\system32\drivers\actsflt.sys --> c:\windows\system32\drivers\ACTSFLT.sys [?]
S3 ACTSMdm;ACTScom Modem;c:\windows\system32\drivers\actsmdm.sys --> c:\windows\system32\drivers\ACTSMdm.sys [?]
S3 ACTSNET;ACTScom Network Adapter;c:\windows\system32\drivers\actsnet.sys --> c:\windows\system32\drivers\ACTSNET.sys [?]
S3 ACTSNVsp;ACTScom NMEA Port;c:\windows\system32\drivers\actsnvsp.sys --> c:\windows\system32\drivers\ACTSNVsp.sys [?]
S3 ACTSVsp;ACTScom DM Port;c:\windows\system32\drivers\actsvsp.sys --> c:\windows\system32\drivers\ACTSVsp.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2006-6-7 12288]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-10-12 17:48:56 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-10-12 17:32:39 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-10-12 17:32:10 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro
2011-10-11 20:14:20 -------- d-----w- c:\program files\CCleaner
2011-10-11 19:21:13 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-19 20:28:16 -------- d-----w- c:\documents and settings\dbowman\local settings\application data\Bthmap3xx
.
==================== Find3M ====================
.
2011-10-07 15:08:04 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-10-07 15:08:04 52096 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2011-10-07 15:08:02 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-10-07 15:08:02 30592 ----a-w- c:\windows\system32\LMIport.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHV2040AH rev.00840096 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8920F4C0]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [0x8921689c]; PUSH ESI; MOV ESI, [ESP+0xc]; PUSH EDI; MOV EDI, [ESI+0x60]; CMP EAX, [0x89216728]; JNZ 0x1f; MOV [ESP+0xc], ECX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8A412AB8]
3 CLASSPNP[0xBA0F8FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\000000a6[0x8A3A63B8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8A3C2D98]
\Driver\atapi[0x89F0DB98] -> IRP_MJ_CREATE -> 0x8920F4C0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { JMP 0x10; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8920F2E0
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 17:10:50.86 ===============


(If there is any information that I have left out, please let me know so that I can track that down and provide it as well)



Edited by boopme, 13 October 2011 - 09:17 AM.
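A triage helper for the two parts of the log above that carry the finding (the GMER MBR-detector block and the DDS services list), added here as an example; it is not part of DDS, GMER, ComboFix or this thread. It parses those lines, reports the unnamed module and the hooks in the disk I/O path, and applies a name heuristic (an assumption, tuned to this sample) to surface the boot-start driver; the sample input is constructed by copying the post's own log lines.

```python
import re

# Constructed sample: lines copied from the ROOTKIT section of the DDS log above.
GMER_SECTION = r"""
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8920F4C0]<<
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8A412AB8]
\Driver\atapi[0x89F0DB98] -> IRP_MJ_CREATE -> 0x8920F4C0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected hooks:
\Driver\atapi DriverStartIo -> 0x8920F2E0
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

# Constructed sample: lines copied from the SERVICES / DRIVERS section of the same log.
DDS_SERVICES = r"""
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [2006-6-7 14208]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-9-7 51792]
S0 khqlmxop;khqlmxop;c:\windows\system32\drivers\oopuhnpkpjv.sys [2010-9-3 69504]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe --start-service --> c:\program files\secunia\psi\sua.exe --start-service [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
"""

HEX = r"0x[0-9A-Fa-f]+"
UNKNOWN_RE = re.compile(rf">>UNKNOWN \[({HEX})\]<<")                            # unnamed code in the call chain
IRP_RE = re.compile(rf"^(\\Driver\\\w+)\[{HEX}\] -> (IRP_MJ_\w+) -> ({HEX})$")  # IRP dispatch target
HOOK_RE = re.compile(rf"^(\\Driver\\\w+) (\w+) -> ({HEX})$")                    # 'detected hooks:' entries
SERVICE_RE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.+?)(?: \[([\d-]+) (\d+)\])?$")

def parse_gmer(text):
    """Pull the hook and unknown-module facts out of the GMER MBR-detector block."""
    f = {"unknown_modules": [], "irp_redirects": [], "hooks": [],
         "user_read_failed": False, "kernel_read_ok": False}
    for raw in text.splitlines():
        line = raw.strip()
        if m := UNKNOWN_RE.search(line):
            f["unknown_modules"].append(m.group(1))
        elif m := IRP_RE.match(line):
            f["irp_redirects"].append(m.groups())      # (driver, IRP major, target)
        elif m := HOOK_RE.match(line):
            f["hooks"].append(m.groups())              # (driver, routine, target)
        elif line.startswith("error: Read"):
            f["user_read_failed"] = True               # user-mode MBR read was refused
        elif line.startswith("kernel: MBR read successfully"):
            f["kernel_read_ok"] = True
    return f

def assess_gmer(f):
    """Reasons the disk I/O path looks tampered with; an empty list means nothing flagged."""
    reasons = [f"unnamed code at {a} in the disk driver call chain" for a in f["unknown_modules"]]
    for drv, irp, target in f["irp_redirects"]:
        if target in f["unknown_modules"]:
            reasons.append(f"{drv} {irp} is dispatched into the unnamed module at {target}")
    reasons += [f"{drv} {routine} hooked -> {target}" for drv, routine, target in f["hooks"]]
    if f["user_read_failed"] and f["kernel_read_ok"]:
        reasons.append("user-mode MBR read fails while the kernel read succeeds: sector access is filtered")
    return reasons

def parse_dds_services(text):
    """Turn DDS 'R/S<start> name;display;image [date size]' lines into dicts."""
    rows = []
    for raw in text.splitlines():
        if m := SERVICE_RE.match(raw.strip()):
            state, start, name, display, image, date, size = m.groups()
            rows.append({"running": state == "R", "start": int(start), "name": name,
                         "display": display, "image": image, "date": date,
                         "size": int(size) if size else None})
    return rows

def looks_random(name):
    """Crude name heuristic (an assumption, not a rule): all-lowercase letters, 8+ long,
    with a run of 4+ consonants. It also matches some vendor names (tmevtmgr, for one),
    so it is only applied together with the boot-start filter below."""
    if not (name.isalpha() and name.islower() and len(name) >= 8):
        return False
    run = longest = 0
    for ch in name:
        run = 0 if ch in "aeiou" else run + 1
        longest = max(longest, run)
    return longest >= 4

def suspicious_boot_drivers(rows):
    """Boot-start (start type 0) drivers whose service or file name looks generated.
    In the log above the only such entry is the one ComboFix later deleted."""
    hits = []
    for s in rows:
        stem = s["image"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]   # file name without extension
        if s["start"] == 0 and (looks_random(s["name"]) or looks_random(stem)):
            hits.append(s)
    return hits

if __name__ == "__main__":
    for reason in assess_gmer(parse_gmer(GMER_SECTION)):
        print("GMER:", reason)
    for s in suspicious_boot_drivers(parse_dds_services(DDS_SERVICES)):
        print("DDS: boot-start driver", s["name"], "->", s["image"])
```

The heuristic is a triage aid only: a hit means "look at this entry first", and a clean result says nothing about an MBR whose code the detector could not read.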



#2 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 16 October 2011 - 02:06 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 AFierceThomas

  • Topic Starter

  • Members
  • 14 posts

Posted 18 October 2011 - 02:44 PM

Thank you very much, Gringo, for your response!

I went through your instructions, and here are the results from the Combofix log:

ComboFix 11-10-18.03 - dbowman 10/18/2011 14:58:22.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.902 [GMT -4:00]
Running from: c:\documents and settings\DBowman\Desktop\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {DEF67AB4-9CE0-48BD-9309-A843A3AEF4B8}
* Created a new restore point
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Daniel Bowman.old\g2mdlhlpx.exe
c:\documents and settings\Daniel Bowman.old\WINDOWS
c:\documents and settings\DBowman\Application Data\MBSControlsPlugin5992.dll
c:\documents and settings\DBowman\Application Data\MBSDarwinPlugin5958.dll
c:\documents and settings\DBowman\Application Data\MBSMacOSXPlugin5958.dll
c:\documents and settings\DBowman\Application Data\MBSProcessPlugin5976.dll
c:\documents and settings\DBowman\Application Data\MBSRegistrationPlugin5976.dll
c:\documents and settings\DBowman\Application Data\MBSWindowPlugin5976.dll
c:\documents and settings\DBowman\Application Data\rbap550.dll
c:\documents and settings\DBowman\Application Data\RBInternetEncodings600.dll
c:\documents and settings\DBowman\Application Data\RBJagToolbarItem550.dll
c:\documents and settings\DBowman\Application Data\RBShell555.dll
c:\documents and settings\DBowman\Application Data\RBSSLSocket550.dll
c:\documents and settings\DBowman\g2mdlhlpx.exe
c:\windows\system32\d3d9caps.dat
c:\windows\system32\drivers\oopuhnpkpjv.sys
c:\windows\system32\TPAPSLOG.LOG
c:\windows\system32\TPHDLOG0.LOG
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_khqlmxop
.
.
((((((((((((((((((((((((( Files Created from 2011-09-18 to 2011-10-18 )))))))))))))))))))))))))))))))
.
.
2011-10-12 17:48 . 2011-10-12 17:48 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-10-12 17:32 . 2011-10-12 20:40 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-10-12 17:32 . 2011-10-12 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-10-11 20:14 . 2011-10-11 20:14 -------- d-----w- c:\program files\CCleaner
2011-10-11 19:21 . 2011-10-11 19:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-06 12:48 . 2011-10-08 14:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-09-19 20:28 . 2011-10-06 22:39 -------- d-----w- c:\documents and settings\DBowman\Local Settings\Application Data\Bthmap3xx
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-07 15:08 . 2008-03-27 21:10 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-10-07 15:08 . 2008-03-27 21:10 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2011-10-07 15:08 . 2008-03-27 21:10 30592 ----a-w- c:\windows\system32\LMIport.dll
2011-10-07 15:08 . 2008-03-27 21:10 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-09-09 09:12 . 1980-01-01 07:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-31 21:00 . 2010-09-07 18:51 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-08-06 442368]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-05 897024]
"TpShocks"="TpShocks.exe" [2005-04-05 106496]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-04-04 94208]
"TP4EX"="tp4ex.exe" [2004-11-12 40960]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-03-23 217088]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-11 344064]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"ibmmessages"="c:\program files\IBM\Messages By IBM\\ibmmessages.exe" [2004-08-06 442368]
"IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2005-04-27 90112]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-04-14 139264]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-14 208896]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-06-01 257088]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-23 1725736]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-09-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-15 118784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
c:\documents and settings\admin2\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2010-9-1 1333304]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{B0BF7057-6869-4E4B-920C-EA2A58DA07F0}\Icon3E5562ED7.ico [2011-7-28 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-10-07 15:08 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 10:07 262144 ----a-w- c:\windows\system32\QConGina.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2004-08-13 03:11 24576 ----a-w- c:\windows\system32\tphklock.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3519601265-2326865600-3357616587-15616\Scripts\Logon\0\0]
"Script"=casper.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3519601265-2326865600-3357616587-15616\Scripts\Logon\1\0]
"Script"=wdc_drive_mappings.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3519601265-2326865600-3357616587-15616\Scripts\Logon\1\1]
"Script"=printers.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3519601265-2326865600-3357616587-15616\Scripts\Logon\1\2]
"Script"=nettime.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"43102:TCP"= 43102:TCP:Trend Micro OfficeScan Listener
.
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [6/7/2006 7:30 AM 14208]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [9/29/2010 3:22 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 3:09 PM 12856]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe --start-service --> c:\program files\Secunia\PSI\sua.exe --start-service [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 9:44 AM 24652]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [6/7/2006 7:30 AM 6016]
R3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [1/1/1980 3:00 AM 14336]
S3 ACTSBUS;ACTScom USB Composite Device Driver;c:\windows\system32\DRIVERS\ACTSBUS.sys --> c:\windows\system32\DRIVERS\ACTSBUS.sys [?]
S3 ACTSCVsp;ACTScom CM Port;c:\windows\system32\DRIVERS\ACTSCVsp.sys --> c:\windows\system32\DRIVERS\ACTSCVsp.sys [?]
S3 ACTSFLT;ACTScom Auto-Install CD-ROM;c:\windows\system32\DRIVERS\ACTSFLT.sys --> c:\windows\system32\DRIVERS\ACTSFLT.sys [?]
S3 ACTSMdm;ACTScom Modem;c:\windows\system32\DRIVERS\ACTSMdm.sys --> c:\windows\system32\DRIVERS\ACTSMdm.sys [?]
S3 ACTSNET;ACTScom Network Adapter;c:\windows\system32\DRIVERS\ACTSNET.sys --> c:\windows\system32\DRIVERS\ACTSNET.sys [?]
S3 ACTSNVsp;ACTScom NMEA Port;c:\windows\system32\DRIVERS\ACTSNVsp.sys --> c:\windows\system32\DRIVERS\ACTSNVsp.sys [?]
S3 ACTSVsp;ACTScom DM Port;c:\windows\system32\DRIVERS\ACTSVsp.sys --> c:\windows\system32\DRIVERS\ACTSVsp.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 4:30 AM 15544]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [6/7/2006 7:57 AM 12288]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 19:42]
.
2011-10-18 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
2011-10-18 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-06-07 08:01]
.
2011-10-18 c:\windows\Tasks\User_Feed_Synchronization-{F5EA5C42-B6B5-40BD-86A0-99E1433CF61C}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cms.fiercemarkets.com/cms/webfirst/PublisherHome.cfm?message=&CFID=3169&CFTOKEN=13622878
mWindow Title = Microsoft Internet Explorer presented by Comcast
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: DhcpNameServer = 10.120.2.10 10.110.2.9 8.8.8.8
FF - ProfilePath - c:\documents and settings\DBowman\Application Data\Mozilla\Firefox\Profiles\ya93q3z3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: AOL Messaging Toolbar: {c2f863cd-0429-48c7-bb54-db756a951760} - %profile%\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {0757E78D-0408-4A51-B3DB-939D54E3A82F} - c:\documents and settings\DBowman\Local Settings\Application Data\{0757E78D-0408-4A51-B3DB-939D54E3A82F}
FF - Ext: XULRunner: {E5B82655-C566-4FE6-9552-83824EBE5E02} - c:\documents and settings\admin2\Local Settings\Application Data\{E5B82655-C566-4FE6-9552-83824EBE5E02}
FF - Ext: XULRunner: {379EEEC8-AC1A-4295-8C59-2C23DFA4109C} - c:\documents and settings\itshare\Local Settings\Application Data\{379EEEC8-AC1A-4295-8C59-2C23DFA4109C}
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
HKLM-Run-MsgCenterExe - c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
AddRemove-ComcastHSI - c:\program files\support.com\uninstall\chsi_uninstaller.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-18 15:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHV2040AH rev.00840096 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89A222E0
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1144)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\tphklock.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'lsass.exe'(1204)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3848)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\windows\System32\QCONSVC.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Secunia\PSI\sua.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\System32\TPHDEXLG.EXE
c:\windows\system32\TpKmpSVC.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\TpShocks.exe
c:\windows\system32\rundll32.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-10-18 15:27:29 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-18 19:27
.
Pre-Run: 8,109,780,992 bytes free
Post-Run: 9,317,851,136 bytes free
.
- - End Of File - - 341F8E12B218DD316A8E5F138F6DCE15


I did run into two problems as I ran Combofix. The first was that I did disable (and eventually uninstall) TrendMicro before running Combofix. However, even though it was off, I was faced with a few insistent pop-ups from CF saying that it was running (even after I uninstalled it). Second, my internet connection was apparently flaky, and CF was unable to install the Recovery Console.

CF ran well, the best I can tell, and gave me the above log. Now that that is done, I went to re-enable the firewall, but XP is telling me that it is unable to restart the Windows Firewall/Internet Connection Sharing (ICS) service. That seems a mite serious, but aside from that, things seem to be behaving themselves a bit better...

What should my next steps be, Gringo? Thank you again for your help!

#4 gringo_pr

    Bleepin Gringo (Malware Response Team)

Posted 18 October 2011 - 03:14 PM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 AFierceThomas

AFierceThomas
  • Topic Starter

Posted 18 October 2011 - 03:51 PM

This one went straightforward, didn't run into any problems or hangups along the way. Here's the log:

16:34:44.0450 3848 TDSS rootkit removing tool 2.6.10.0 Oct 17 2011 15:43:23
16:34:44.0700 3848 ============================================================
16:34:44.0700 3848 Current date / time: 2011/10/18 16:34:44.0700
16:34:44.0700 3848 SystemInfo:
16:34:44.0700 3848
16:34:44.0700 3848 OS Version: 5.1.2600 ServicePack: 3.0
16:34:44.0700 3848 Product type: Workstation
16:34:44.0700 3848 ComputerName: WDCL0006
16:34:44.0700 3848 UserName: dbowman
16:34:44.0700 3848 Windows directory: C:\WINDOWS
16:34:44.0700 3848 System windows directory: C:\WINDOWS
16:34:44.0700 3848 Processor architecture: Intel x86
16:34:44.0700 3848 Number of processors: 1
16:34:44.0700 3848 Page size: 0x1000
16:34:44.0700 3848 Boot type: Normal boot
16:34:44.0700 3848 ============================================================
16:34:46.0672 3848 Initialize success
16:34:49.0160 2992 ============================================================
16:34:49.0160 2992 Scan started
16:34:49.0160 2992 Mode: Manual;
16:34:49.0160 2992 ============================================================
16:34:51.0851 2992 Abiosdsk - ok
16:34:52.0196 2992 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
16:34:52.0211 2992 abp480n5 - ok
16:34:52.0477 2992 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
16:34:52.0477 2992 ac97intc - ok
16:34:52.0571 2992 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
16:34:52.0602 2992 ACPI - ok
16:34:52.0681 2992 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
16:34:52.0681 2992 ACPIEC - ok
16:34:52.0712 2992 ACTSBUS - ok
16:34:52.0728 2992 ACTSCVsp - ok
16:34:52.0759 2992 ACTSFLT - ok
16:34:52.0790 2992 ACTSMdm - ok
16:34:52.0837 2992 ACTSNET - ok
16:34:52.0868 2992 ACTSNVsp - ok
16:34:52.0868 2992 ACTSVsp - ok
16:34:52.0947 2992 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
16:34:52.0962 2992 adpu160m - ok
16:34:53.0025 2992 aeaudio (cde1f62fe63631b932ace2249fb11da0) C:\WINDOWS\system32\drivers\aeaudio.sys
16:34:53.0025 2992 aeaudio - ok
16:34:53.0119 2992 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
16:34:53.0119 2992 aec - ok
16:34:53.0291 2992 AegisP (f498fd605c08404b20a48954c722ff74) C:\WINDOWS\system32\DRIVERS\AegisP.sys
16:34:53.0291 2992 AegisP - ok
16:34:53.0385 2992 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
16:34:53.0385 2992 AFD - ok
16:34:53.0494 2992 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
16:34:53.0494 2992 agp440 - ok
16:34:53.0604 2992 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
16:34:53.0604 2992 agpCPQ - ok
16:34:53.0635 2992 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
16:34:53.0635 2992 Aha154x - ok
16:34:53.0713 2992 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
16:34:53.0713 2992 aic78u2 - ok
16:34:53.0807 2992 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
16:34:53.0823 2992 aic78xx - ok
16:34:53.0917 2992 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
16:34:53.0917 2992 AliIde - ok
16:34:53.0948 2992 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
16:34:53.0948 2992 alim1541 - ok
16:34:53.0964 2992 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
16:34:53.0995 2992 amdagp - ok
16:34:54.0026 2992 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
16:34:54.0042 2992 amsint - ok
16:34:54.0073 2992 ANC (11ab185a7af224800bbfb5b836974a17) C:\WINDOWS\system32\drivers\ANC.SYS
16:34:54.0073 2992 ANC - ok
16:34:54.0105 2992 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
16:34:54.0120 2992 asc - ok
16:34:54.0198 2992 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
16:34:54.0198 2992 asc3350p - ok
16:34:54.0245 2992 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
16:34:54.0245 2992 asc3550 - ok
16:34:54.0449 2992 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
16:34:54.0449 2992 AsyncMac - ok
16:34:54.0543 2992 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
16:34:54.0558 2992 atapi - ok
16:34:54.0699 2992 Atdisk - ok
16:34:54.0903 2992 ati2mtag (1d60887e03e82abb5e07cd8cb50fdabf) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
16:34:55.0043 2992 ati2mtag - ok
16:34:55.0075 2992 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
16:34:55.0075 2992 Atmarpc - ok
16:34:55.0388 2992 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
16:34:55.0388 2992 audstub - ok
16:34:55.0513 2992 b57w2k (66dd574749c38153c6067ebba929befc) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
16:34:55.0513 2992 b57w2k - ok
16:34:55.0638 2992 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
16:34:55.0654 2992 Beep - ok
16:34:55.0654 2992 catchme - ok
16:34:55.0701 2992 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
16:34:55.0701 2992 cbidf - ok
16:34:55.0826 2992 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
16:34:55.0826 2992 cbidf2k - ok
16:34:55.0873 2992 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
16:34:55.0873 2992 cd20xrnt - ok
16:34:55.0920 2992 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
16:34:55.0920 2992 Cdaudio - ok
16:34:55.0982 2992 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
16:34:55.0982 2992 Cdfs - ok
16:34:56.0029 2992 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
16:34:56.0029 2992 Cdrom - ok
16:34:56.0061 2992 Changer - ok
16:34:56.0092 2992 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
16:34:56.0092 2992 CmBatt - ok
16:34:56.0154 2992 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
16:34:56.0154 2992 CmdIde - ok
16:34:56.0358 2992 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
16:34:56.0373 2992 Compbatt - ok
16:34:56.0420 2992 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
16:34:56.0420 2992 Cpqarray - ok
16:34:56.0467 2992 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
16:34:56.0467 2992 CVirtA - ok
16:34:56.0608 2992 CVPNDRVA (18994842386fd3039279d7865740abbd) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
16:34:56.0608 2992 CVPNDRVA - ok
16:34:56.0655 2992 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
16:34:56.0671 2992 dac2w2k - ok
16:34:56.0702 2992 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
16:34:56.0702 2992 dac960nt - ok
16:34:56.0749 2992 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
16:34:56.0749 2992 Disk - ok
16:34:56.0874 2992 DLABOIOM (ee4325becef51b8c32b4329097e4f301) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
16:34:56.0874 2992 DLABOIOM - ok
16:34:56.0937 2992 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
16:34:56.0937 2992 DLACDBHM - ok
16:34:56.0968 2992 DLADResN (1e6c6597833a04c2157be7b39ea92ce1) C:\WINDOWS\system32\DLA\DLADResN.SYS
16:34:56.0968 2992 DLADResN - ok
16:34:56.0999 2992 DLAIFS_M (752376e109a090970bfa9722f0f40b03) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
16:34:56.0999 2992 DLAIFS_M - ok
16:34:57.0031 2992 DLAOPIOM (62ee7902e74b90bf1ccc4643fc6c07a7) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
16:34:57.0031 2992 DLAOPIOM - ok
16:34:57.0125 2992 DLAPoolM (5c220124c5afeaee84a9bb89d685c17b) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
16:34:57.0125 2992 DLAPoolM - ok
16:34:57.0172 2992 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
16:34:57.0172 2992 DLARTL_N - ok
16:34:57.0187 2992 DLAUDFAM (4ebb78d9bbf072119363b35b9b3e518f) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
16:34:57.0187 2992 DLAUDFAM - ok
16:34:57.0218 2992 DLAUDF_M (333b770e52d2cea7bd86391120466e43) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
16:34:57.0234 2992 DLAUDF_M - ok
16:34:57.0453 2992 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
16:34:57.0516 2992 dmboot - ok
16:34:57.0594 2992 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
16:34:57.0610 2992 dmio - ok
16:34:57.0672 2992 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
16:34:57.0672 2992 dmload - ok
16:34:57.0735 2992 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
16:34:57.0735 2992 DMusic - ok
16:34:57.0891 2992 DNE (b5aa5aa5ac327bd7c1aec0c58f0c1144) C:\WINDOWS\system32\DRIVERS\dne2000.sys
16:34:57.0891 2992 DNE - ok
16:34:57.0970 2992 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
16:34:57.0970 2992 dpti2o - ok
16:34:58.0048 2992 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
16:34:58.0048 2992 drmkaud - ok
16:34:58.0110 2992 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
16:34:58.0110 2992 DRVMCDB - ok
16:34:58.0251 2992 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
16:34:58.0282 2992 DRVNDDM - ok
16:34:58.0439 2992 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
16:34:58.0439 2992 E100B - ok
16:34:58.0517 2992 EGATHDRV (2d0fc676d159525f6cd74c3302c7a61c) C:\WINDOWS\SYSTEM32\EGATHDRV.SYS
16:34:58.0517 2992 EGATHDRV - ok
16:34:58.0768 2992 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
16:34:58.0768 2992 Fastfat - ok
16:34:58.0846 2992 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
16:34:58.0846 2992 Fdc - ok
16:34:58.0908 2992 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
16:34:58.0908 2992 Fips - ok
16:34:59.0002 2992 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
16:34:59.0002 2992 Flpydisk - ok
16:34:59.0049 2992 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
16:34:59.0049 2992 FltMgr - ok
16:34:59.0112 2992 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
16:34:59.0112 2992 Fs_Rec - ok
16:34:59.0221 2992 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
16:34:59.0221 2992 Ftdisk - ok
16:34:59.0331 2992 GEARAspiWDM (4ac51459805264affd5f6fdfb9d9235f) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
16:34:59.0331 2992 GEARAspiWDM - ok
16:34:59.0534 2992 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
16:34:59.0534 2992 Gpc - ok
16:34:59.0628 2992 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
16:34:59.0644 2992 HidUsb - ok
16:34:59.0863 2992 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
16:34:59.0863 2992 hpn - ok
16:35:00.0019 2992 HSFHWICH (e7bcc7ec37dd2dd36a39bb9ac87a897b) C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
16:35:00.0035 2992 HSFHWICH - ok
16:35:00.0223 2992 HSF_DP (43b60f94718841e13b9dd8905366bdbd) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
16:35:00.0332 2992 HSF_DP - ok
16:35:00.0520 2992 HSF_DPV (822c60f2abee73a0e089230d94064f39) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
16:35:00.0630 2992 HSF_DPV - ok
16:35:00.0770 2992 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
16:35:00.0786 2992 HTTP - ok
16:35:00.0864 2992 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
16:35:00.0880 2992 i2omgmt - ok
16:35:00.0911 2992 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
16:35:00.0911 2992 i2omp - ok
16:35:00.0974 2992 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
16:35:00.0974 2992 i8042prt - ok
16:35:01.0224 2992 ialm (643162fbc619e35d3f1a90a095a5bb42) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
16:35:01.0302 2992 ialm - ok
16:35:01.0662 2992 ibmfilter (67cbdd7e1d9866f83d8921829893435a) C:\WINDOWS\system32\drivers\ibmfilter.sys
16:35:01.0678 2992 ibmfilter - ok
16:35:01.0928 2992 IBMPMDRV (bf648877413f6160e480814a24942b65) C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys
16:35:01.0928 2992 IBMPMDRV - ok
16:35:02.0179 2992 IBMTPCHK (73893e9a62d869a0409df9c12a0ebefe) C:\WINDOWS\system32\drivers\IBMBLDID.SYS
16:35:02.0179 2992 IBMTPCHK - ok
16:35:02.0335 2992 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
16:35:02.0335 2992 Imapi - ok
16:35:02.0429 2992 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
16:35:02.0429 2992 ini910u - ok
16:35:02.0632 2992 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
16:35:02.0632 2992 IntelIde - ok
16:35:02.0679 2992 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
16:35:02.0679 2992 intelppm - ok
16:35:02.0742 2992 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
16:35:02.0758 2992 Ip6Fw - ok
16:35:02.0820 2992 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
16:35:02.0820 2992 IpFilterDriver - ok
16:35:02.0883 2992 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
16:35:02.0898 2992 IpInIp - ok
16:35:02.0930 2992 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
16:35:02.0930 2992 IpNat - ok
16:35:03.0008 2992 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
16:35:03.0008 2992 IPSec - ok
16:35:03.0133 2992 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
16:35:03.0149 2992 irda - ok
16:35:03.0243 2992 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
16:35:03.0243 2992 IRENUM - ok
16:35:03.0446 2992 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
16:35:03.0681 2992 isapnp - ok
16:35:04.0385 2992 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
16:35:04.0385 2992 Kbdclass - ok
16:35:04.0479 2992 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
16:35:04.0479 2992 kmixer - ok
16:35:04.0573 2992 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
16:35:04.0573 2992 KSecDD - ok
16:35:04.0620 2992 lbrtfdc - ok
16:35:04.0776 2992 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
16:35:04.0776 2992 LMIInfo - ok
16:35:04.0870 2992 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys
16:35:04.0886 2992 lmimirr - ok
16:35:05.0011 2992 LMIRfsClientNP - ok
16:35:05.0042 2992 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
16:35:05.0042 2992 LMIRfsDriver - ok
16:35:05.0105 2992 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
16:35:05.0105 2992 mdmxsdk - ok
16:35:05.0183 2992 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
16:35:05.0183 2992 mnmdd - ok
16:35:05.0246 2992 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
16:35:05.0246 2992 Modem - ok
16:35:05.0308 2992 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
16:35:05.0308 2992 Mouclass - ok
16:35:05.0433 2992 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
16:35:05.0433 2992 mouhid - ok
16:35:05.0496 2992 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
16:35:05.0496 2992 MountMgr - ok
16:35:05.0621 2992 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
16:35:05.0621 2992 mraid35x - ok
16:35:05.0715 2992 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
16:35:05.0731 2992 MRxDAV - ok
16:35:05.0809 2992 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
16:35:05.0840 2992 MRxSmb - ok
16:35:05.0950 2992 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
16:35:05.0950 2992 Msfs - ok
16:35:06.0012 2992 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
16:35:06.0012 2992 MSKSSRV - ok
16:35:06.0059 2992 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
16:35:06.0059 2992 MSPCLOCK - ok
16:35:06.0075 2992 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
16:35:06.0075 2992 MSPQM - ok
16:35:06.0122 2992 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
16:35:06.0122 2992 mssmbios - ok
16:35:06.0231 2992 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
16:35:06.0231 2992 Mup - ok
16:35:06.0325 2992 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
16:35:06.0325 2992 NDIS - ok
16:35:06.0450 2992 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
16:35:06.0450 2992 NdisTapi - ok
16:35:06.0497 2992 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
16:35:06.0513 2992 Ndisuio - ok
16:35:06.0591 2992 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
16:35:06.0607 2992 NdisWan - ok
16:35:06.0670 2992 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
16:35:06.0670 2992 NDProxy - ok
16:35:06.0732 2992 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
16:35:06.0732 2992 NetBIOS - ok
16:35:06.0857 2992 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
16:35:06.0873 2992 NetBT - ok
16:35:06.0936 2992 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS\system32\DRIVERS\NMnt.sys
16:35:06.0936 2992 nm - ok
16:35:07.0014 2992 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
16:35:07.0014 2992 Npfs - ok
16:35:07.0155 2992 NSCIRDA (2adc0ca9945c65284b3d19bc18765974) C:\WINDOWS\system32\DRIVERS\nscirda.sys
16:35:07.0155 2992 NSCIRDA - ok
16:35:07.0280 2992 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
16:35:07.0295 2992 Ntfs - ok
16:35:07.0483 2992 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
16:35:07.0483 2992 Null - ok
16:35:07.0749 2992 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
16:35:08.0031 2992 nv - ok
16:35:08.0187 2992 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
16:35:08.0187 2992 NwlnkFlt - ok
16:35:08.0234 2992 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
16:35:08.0234 2992 NwlnkFwd - ok
16:35:08.0297 2992 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
16:35:08.0297 2992 Parport - ok
16:35:08.0328 2992 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
16:35:08.0328 2992 PartMgr - ok
16:35:08.0375 2992 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
16:35:08.0375 2992 ParVdm - ok
16:35:08.0406 2992 PcdrNdisuio (505cba425df3bb230f244e1c23221058) C:\WINDOWS\system32\DRIVERS\pcdrndisuio.sys
16:35:08.0406 2992 PcdrNdisuio - ok
16:35:08.0438 2992 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
16:35:08.0438 2992 PCI - ok
16:35:08.0453 2992 PCIDump - ok
16:35:08.0485 2992 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
16:35:08.0485 2992 PCIIde - ok
16:35:08.0547 2992 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
16:35:08.0547 2992 Pcmcia - ok
16:35:08.0563 2992 PDCOMP - ok
16:35:08.0594 2992 PDFRAME - ok
16:35:08.0610 2992 PDRELI - ok
16:35:08.0625 2992 PDRFRAME - ok
16:35:08.0704 2992 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
16:35:08.0704 2992 perc2 - ok
16:35:08.0735 2992 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
16:35:08.0735 2992 perc2hib - ok
16:35:08.0860 2992 PMEM (fa292805788528c083f416e151b60ab6) C:\WINDOWS\SYSTEM32\Drivers\PMEMNT.SYS
16:35:08.0860 2992 PMEM - ok
16:35:08.0970 2992 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
16:35:08.0985 2992 PptpMiniport - ok
16:35:09.0064 2992 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
16:35:09.0064 2992 Processor - ok
16:35:09.0173 2992 psadd (30b10051866ede0ca089082fb4dabdea) C:\WINDOWS\system32\Drivers\psadd.sys
16:35:09.0189 2992 psadd - ok
16:35:09.0283 2992 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
16:35:09.0283 2992 PSched - ok
16:35:09.0314 2992 PSI (d24dfd16a1e2a76034df5aa18125c35d) C:\WINDOWS\system32\DRIVERS\psi_mf.sys
16:35:09.0330 2992 PSI - ok
16:35:09.0345 2992 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
16:35:09.0345 2992 Ptilink - ok
16:35:09.0580 2992 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
16:35:09.0580 2992 PxHelp20 - ok
16:35:09.0643 2992 QCNDISIF (8127cd3d08a48793d2c155fb4d9af8ef) C:\WINDOWS\system32\drivers\qcndisif.SYS
16:35:09.0643 2992 QCNDISIF - ok
16:35:09.0721 2992 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
16:35:09.0721 2992 ql1080 - ok
16:35:09.0783 2992 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
16:35:09.0783 2992 Ql10wnt - ok
16:35:09.0830 2992 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
16:35:09.0830 2992 ql12160 - ok
16:35:09.0893 2992 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
16:35:09.0893 2992 ql1240 - ok
16:35:09.0924 2992 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
16:35:09.0924 2992 ql1280 - ok
16:35:09.0956 2992 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
16:35:09.0956 2992 RasAcd - ok
16:35:09.0987 2992 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
16:35:09.0987 2992 Rasirda - ok
16:35:10.0034 2992 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
16:35:10.0049 2992 Rasl2tp - ok
16:35:10.0128 2992 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
16:35:10.0143 2992 RasPppoe - ok
16:35:10.0331 2992 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
16:35:10.0362 2992 Raspti - ok
16:35:10.0644 2992 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
16:35:10.0738 2992 Rdbss - ok
16:35:11.0066 2992 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
16:35:11.0082 2992 RDPCDD - ok
16:35:11.0348 2992 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
16:35:11.0473 2992 rdpdr - ok
16:35:11.0927 2992 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
16:35:11.0974 2992 RDPWD - ok
16:35:12.0397 2992 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
16:35:12.0428 2992 redbook - ok
16:35:12.0960 2992 s24trans (85a26a3bb748dfd3170cdbf45b0dd7fd) C:\WINDOWS\system32\DRIVERS\s24trans.sys
16:35:13.0007 2992 s24trans - ok
16:35:13.0351 2992 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
16:35:13.0382 2992 sdbus - ok
16:35:13.0727 2992 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
16:35:13.0758 2992 Secdrv - ok
16:35:14.0212 2992 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
16:35:14.0227 2992 serenum - ok
16:35:14.0587 2992 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
16:35:14.0634 2992 Serial - ok
16:35:15.0213 2992 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
16:35:15.0244 2992 Sfloppy - ok
16:35:15.0667 2992 ShockMgr (482ddb9f0f6d88f0503910e1b9728042) C:\WINDOWS\system32\drivers\ShockMgr.sys
16:35:15.0698 2992 ShockMgr - ok
16:35:16.0308 2992 Shockprf (e467b7d35e5db9bd12e138cd5c7f4368) C:\WINDOWS\system32\drivers\Shockprf.sys
16:35:16.0387 2992 Shockprf - ok
16:35:16.0700 2992 Simbad - ok
16:35:17.0279 2992 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
16:35:17.0294 2992 sisagp - ok
16:35:17.0717 2992 Smapint (26341d0dd225d19fd50e0ee3c3c77502) C:\WINDOWS\system32\drivers\Smapint.sys
16:35:17.0717 2992 Smapint - ok
16:35:18.0405 2992 smwdm (b09f23bf6e451b7a492b4a3d5eacfb24) C:\WINDOWS\system32\drivers\smwdm.sys
16:35:18.0483 2992 smwdm - ok
16:35:19.0188 2992 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
16:35:19.0266 2992 SONYPVU1 - ok
16:35:20.0033 2992 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
16:35:20.0079 2992 Sparrow - ok
16:35:20.0455 2992 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
16:35:20.0486 2992 splitter - ok
16:35:20.0971 2992 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
16:35:20.0987 2992 sr - ok
16:35:21.0394 2992 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
16:35:21.0472 2992 Srv - ok
16:35:22.0223 2992 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
16:35:22.0239 2992 swenum - ok
16:35:22.0395 2992 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
16:35:22.0395 2992 swmidi - ok
16:35:22.0661 2992 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
16:35:22.0786 2992 symc810 - ok
16:35:22.0912 2992 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
16:35:22.0912 2992 symc8xx - ok
16:35:22.0974 2992 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
16:35:22.0974 2992 sym_hi - ok
16:35:23.0068 2992 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
16:35:23.0084 2992 sym_u3 - ok
16:35:23.0178 2992 SynTP (d7dc30b8b41e7a913c3fccc0631e72ec) C:\WINDOWS\system32\DRIVERS\SynTP.sys
16:35:23.0209 2992 SynTP - ok
16:35:23.0272 2992 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
16:35:23.0272 2992 sysaudio - ok
16:35:23.0459 2992 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
16:35:23.0459 2992 Tcpip - ok
16:35:23.0616 2992 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
16:35:23.0647 2992 TDPIPE - ok
16:35:23.0882 2992 TDSMAPI (e9512ac82fff83808549267078b38fe5) C:\WINDOWS\system32\drivers\TDSMAPI.SYS
16:35:23.0882 2992 TDSMAPI - ok
16:35:24.0085 2992 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
16:35:24.0117 2992 TDTCP - ok
16:35:24.0289 2992 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
16:35:24.0304 2992 TermDD - ok
16:35:24.0351 2992 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
16:35:24.0383 2992 TosIde - ok
16:35:24.0445 2992 TPDiskPM (ac7543f9adb2127f70de192089da9a1f) C:\WINDOWS\system32\drivers\TPDiskPM.sys
16:35:24.0445 2992 TPDiskPM - ok
16:35:24.0586 2992 TPHKDRV (63421f480e7cd375329ace8588fed1ac) C:\WINDOWS\system32\drivers\TPHKDRV.sys
16:35:24.0617 2992 TPHKDRV - ok
16:35:24.0695 2992 TPInput (f53589467c0a112bec1835c72457a8a1) C:\WINDOWS\system32\DRIVERS\TPInput.sys
16:35:24.0695 2992 TPInput - ok
16:35:24.0742 2992 TPM11 (8dcaf6b264f8a701de916ace452c895d) C:\WINDOWS\system32\DRIVERS\nsctpm11.sys
16:35:24.0742 2992 TPM11 - ok
16:35:24.0789 2992 TPPWRIF (44672de6cea9569c21c4b7a8d2560750) C:\WINDOWS\system32\drivers\Tppwrif.sys
16:35:24.0789 2992 TPPWRIF - ok
16:35:24.0883 2992 TSMAPIP (f2aba3066d7921d7fcdbd66dea88be11) C:\WINDOWS\system32\drivers\TSMAPIP.SYS
16:35:24.0883 2992 TSMAPIP - ok
16:35:24.0946 2992 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
16:35:24.0946 2992 Udfs - ok
16:35:24.0993 2992 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
16:35:24.0993 2992 ultra - ok
16:35:25.0055 2992 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
16:35:25.0087 2992 Update - ok
16:35:25.0196 2992 usbbus (5353218b3265e3b8190335059f697a11) C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
16:35:25.0196 2992 usbbus - ok
16:35:25.0290 2992 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
16:35:25.0306 2992 usbccgp - ok
16:35:25.0368 2992 UsbDiag (7dd3eefc62a1ef44e5f940fa651ed9ed) C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
16:35:25.0368 2992 UsbDiag - ok
16:35:25.0478 2992 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
16:35:25.0478 2992 usbehci - ok
16:35:25.0509 2992 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
16:35:25.0509 2992 usbhub - ok
16:35:25.0666 2992 USBModem (083031a78822eccbd7510bccd3e20d4c) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
16:35:25.0681 2992 USBModem - ok
16:35:25.0806 2992 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
16:35:25.0806 2992 usbprint - ok
16:35:25.0916 2992 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:35:25.0916 2992 USBSTOR - ok
16:35:25.0979 2992 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
16:35:25.0979 2992 usbuhci - ok
16:35:26.0072 2992 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
16:35:26.0072 2992 VgaSave - ok
16:35:26.0135 2992 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
16:35:26.0135 2992 viaagp - ok
16:35:26.0198 2992 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
16:35:26.0198 2992 ViaIde - ok
16:35:26.0260 2992 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
16:35:26.0276 2992 VolSnap - ok
16:35:26.0338 2992 vsdatant (0354ba3a5ba5e28cc247eb5f5dd8793c) C:\WINDOWS\system32\vsdatant.sys
16:35:26.0432 2992 vsdatant - ok
16:35:26.0808 2992 w29n51 (39ac581f5b57e3074e3e5cdab9e7dff1) C:\WINDOWS\system32\DRIVERS\w29n51.sys
16:35:26.0996 2992 w29n51 - ok
16:35:27.0105 2992 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
16:35:27.0121 2992 Wanarp - ok
16:35:27.0183 2992 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
16:35:27.0199 2992 Wdf01000 - ok
16:35:27.0215 2992 WDICA - ok
16:35:27.0262 2992 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
16:35:27.0262 2992 wdmaud - ok
16:35:27.0418 2992 winachsf (5ea185425bfcbc2d4b96d673d8c4deaf) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
16:35:27.0496 2992 winachsf - ok
16:35:27.0794 2992 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
16:35:27.0809 2992 WpdUsb - ok
16:35:27.0888 2992 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
16:35:27.0888 2992 WudfPf - ok
16:35:27.0950 2992 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
16:35:27.0950 2992 WudfRd - ok
16:35:27.0997 2992 MBR (0x1B8) (cfa8929e3105c2a7adf2b8592f062baf) \Device\Harddisk0\DR0
16:35:27.0997 2992 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
16:35:27.0997 2992 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
16:35:27.0997 2992 Boot (0x1200) (f3787f734f13088b94857c857f00e406) \Device\Harddisk0\DR0\Partition0
16:35:28.0013 2992 \Device\Harddisk0\DR0\Partition0 - ok
16:35:28.0013 2992 ============================================================
16:35:28.0013 2992 Scan finished
16:35:28.0013 2992 ============================================================
16:35:28.0028 3696 Detected object count: 1
16:35:28.0028 3696 Actual detected object count: 1
16:35:47.0963 3696 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
16:35:47.0963 3696 \Device\Harddisk0\DR0 - ok
16:35:47.0963 3696 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
16:35:53.0111 1432 Deinitialize success
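Read as a responder would, the TDSSKiller log above comes down to three facts: which object received a verdict other than "ok", what threat name it carried, and whether the cure is still pending a reboot (TDSSKiller rewrites an infected MBR only on restart, so a rescan after the reboot is what confirms the cure). The following is an added example, not part of the thread and not TDSSKiller's own code, that parses that log format and extracts those facts; `SAMPLE_LOG` is an excerpt of the log posted above, and every regex is an assumption drawn from that excerpt.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# One TDSSKiller line: HH:MM:SS.mmmm <pid> <message>
LINE_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d{4}\s+\d+\s+(.*\S)\s*$")
# Enumeration: <object> (<md5>) <path>; the object may contain spaces ("MBR (0x1B8)")
ENUM_RE = re.compile(r"^(.+?) \(([0-9a-fA-F]{32})\) (.+)$")
COUNT_RE = re.compile(r"^(?:Actual )?[Dd]etected object count: (\d+)$")
# Verdict naming a threat: <object> ( <threat> ) - <action>
THREAT_RE = re.compile(r"^(.+?) \( (.+?) \) - (.+)$")
# Second detection form: <object> - detected <threat> (<n>)
DETECTED_RE = re.compile(r"^(.+?) - detected (\S+)")
# Any other "<object> - <status>" line, including the clean "- ok"
STATUS_RE = re.compile(r"^(.+?) - (.+)$")

@dataclass
class ScanObject:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    threats: Set[str] = field(default_factory=set)
    actions: List[str] = field(default_factory=list)

@dataclass
class Triage:
    objects: Dict[str, ScanObject] = field(default_factory=dict)
    reported_count: Optional[int] = None

    def findings(self) -> List[ScanObject]:
        """Objects that received a threat name or a status other than 'ok'."""
        return [o for o in self.objects.values() if o.threats or o.actions]

    def reboot_required(self) -> bool:
        """TDSSKiller cures boot-sector objects only on the next reboot."""
        return any("cured on reboot" in a for o in self.findings() for a in o.actions)

def parse_tdsskiller(text: str) -> Triage:
    t = Triage()
    by_path: Dict[str, ScanObject] = {}  # MBR/boot verdicts refer to the device path, not the name

    def lookup(ref: str) -> ScanObject:
        return t.objects.get(ref) or by_path.get(ref) or t.objects.setdefault(ref, ScanObject(ref))

    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # banners and blank lines
        msg = m.group(1)
        if e := ENUM_RE.match(msg):
            obj = t.objects.setdefault(e.group(1), ScanObject(e.group(1)))
            obj.md5, obj.path = e.group(2).lower(), e.group(3)
            by_path[obj.path] = obj
        elif c := COUNT_RE.match(msg):
            t.reported_count = int(c.group(1))  # the "Actual" line, when present, overrides
        elif v := THREAT_RE.match(msg):
            obj = lookup(v.group(1))
            obj.threats.add(v.group(2))
            obj.actions.append(v.group(3))
        elif d := DETECTED_RE.match(msg):
            lookup(d.group(1)).threats.add(d.group(2))
        elif s := STATUS_RE.match(msg):
            obj = lookup(s.group(1))
            if s.group(2) != "ok":
                obj.actions.append(s.group(2))
    return t

def summarize(t: Triage) -> List[str]:
    out = [f"objects enumerated: {len(t.objects)}; detections reported by TDSSKiller: {t.reported_count}"]
    for o in t.findings():
        out.append(f"{o.name} ({o.path}) md5={o.md5} threats={sorted(o.threats)} actions={o.actions}")
    if t.reboot_required():
        out.append("cure is pending a reboot: rescan after restart to confirm the boot sector is clean")
    if t.reported_count is not None and t.reported_count != len(t.findings()):
        out.append("WARNING: reported detection count differs from parsed findings; read the log by hand")
    return out

# Excerpt of the TDSSKiller log posted in the thread (tail of the scan plus the cure).
SAMPLE_LOG = r"""16:35:08.0375 2992 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
16:35:08.0375 2992 ParVdm - ok
16:35:27.0997 2992 MBR (0x1B8) (cfa8929e3105c2a7adf2b8592f062baf) \Device\Harddisk0\DR0
16:35:27.0997 2992 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
16:35:27.0997 2992 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
16:35:27.0997 2992 Boot (0x1200) (f3787f734f13088b94857c857f00e406) \Device\Harddisk0\DR0\Partition0
16:35:28.0013 2992 \Device\Harddisk0\DR0\Partition0 - ok
16:35:28.0028 3696 Detected object count: 1
16:35:28.0028 3696 Actual detected object count: 1
16:35:47.0963 3696 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
16:35:47.0963 3696 \Device\Harddisk0\DR0 - ok
16:35:47.0963 3696 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
16:35:53.0111 1432 Deinitialize success
"""

if __name__ == "__main__":
    for line in summarize(parse_tdsskiller(SAMPLE_LOG)):
        print(line)
```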



#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 18 October 2011 - 07:17 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Folder::
c:\documents and settings\DBowman\Local Settings\Application Data\Bthmap3xx

Firefox::
FF - ProfilePath - c:\documents and settings\DBowman\Application Data\Mozilla\Firefox\Profiles\ya93q3z3.default\
FF - Ext: XULRunner: {0757E78D-0408-4A51-B3DB-939D54E3A82F} - c:\documents and settings\DBowman\Local Settings\Application Data\{0757E78D-0408-4A51-B3DB-939D54E3A82F}
FF - Ext: XULRunner: {E5B82655-C566-4FE6-9552-83824EBE5E02} - c:\documents and settings\admin2\Local Settings\Application Data\{E5B82655-C566-4FE6-9552-83824EBE5E02}
FF - Ext: XULRunner: {379EEEC8-AC1A-4295-8C59-2C23DFA4109C} - c:\documents and settings\itshare\Local Settings\Application Data\{379EEEC8-AC1A-4295-8C59-2C23DFA4109C}

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 AFierceThomas

AFierceThomas
  • Topic Starter

  • Members
  • 14 posts

Posted 20 October 2011 - 01:16 PM

Unfortunately, I seem to have hit a snag on this.

I've walked through the steps, but this time when ComboFix runs the system freezes. It seems to freeze just when the scan itself begins; I don't get any notes of progress on the scan. I've let it run for a few hours, just to see if that would solve anything, but after a time it becomes apparent that nothing is happening (sometimes even the screen freezes).

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 20 October 2011 - 02:21 PM

Hello

Ok, let's try this. I want you to run the ComboFix script in Safe Mode, but it is very important that when ComboFix reboots the computer you direct it back into Safe Mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

After ComboFix has finished its scan, please post the report back here.

Gringo

#9 AFierceThomas

AFierceThomas
  • Topic Starter

  • Members
  • 14 posts

Posted 20 October 2011 - 02:39 PM

This computer is on a domain, with the account that originally infected the machine being one of the domain accounts. Would it be alright to run this in Safe Mode with Networking instead, or should I switch to a local admin account and stick with Safe Mode, albeit under a different user account?

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 20 October 2011 - 04:12 PM

Safe Mode with Networking is fine.


gringo

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 23 October 2011 - 02:04 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48 hrs you have not replied to this thread, then it will have to be closed!

Gringo

#12 AFierceThomas

AFierceThomas
  • Topic Starter

  • Members
  • 14 posts

Posted 24 October 2011 - 09:05 AM

Hey! Sorry about not getting back, Friday was a rush of activity.

The bad news is, I ran into the same freezing issue when running in Safe Mode with Networking. I want to say that a problem might lie with ComboFix claiming that TrendMicro is running active scans. I don't see how this could be, since I uninstalled the scan client, and it doesn't appear to be on the system any more. What do you think?

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 24 October 2011 - 01:33 PM

Hello

Let's get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTListIt.txt in your next reply.

Gringo

#14 AFierceThomas

AFierceThomas
  • Topic Starter

  • Members
  • 14 posts

Posted 24 October 2011 - 01:49 PM

Haha, it ran without freezing! Here's the OTL.txt results, Gringo:

OTL logfile created on: 10/24/2011 2:39:33 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\DBowman\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.49 Gb Total Physical Memory | 0.92 Gb Available Physical Memory | 61.40% Memory free
2.09 Gb Paging File | 1.68 Gb Available in Paging File | 80.07% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.22 Gb Total Space | 8.19 Gb Free Space | 24.65% Space Free | Partition Type: NTFS

Computer Name: WDCL0006 | User Name: dbowman | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\DBowman\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\LogMeIn\x86\ramaint.exe (LogMeIn, Inc.)
PRC - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe (LogMeIn, Inc.)
PRC - C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)
PRC - C:\Program Files\Secunia\PSI\sua.exe (Secunia)
PRC - C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics Incorporated)
PRC - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
PRC - C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe (Viewpoint Corporation)
PRC - C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
PRC - C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
PRC - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe ()
PRC - C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe ()
PRC - C:\IBMTOOLS\utils\ibmprc.exe (IBM Corp.)
PRC - C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe ()
PRC - C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe (IBM Corporation)
PRC - C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE (IBM Corp.)
PRC - C:\WINDOWS\system32\QCONSVC.EXE (IBM Corp.)
PRC - C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
PRC - C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe ()
PRC - C:\Program Files\IBM\Messages By IBM\ibmmessages.exe (IBM)
PRC - C:\WINDOWS\system32\TpKmpSvc.exe ()
PRC - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)


========== Modules (No Company Name) ==========

MOD - C:\WINDOWS\system32\vpnapi.dll ()
MOD - C:\WINDOWS\system32\Primomonnt.dll ()
MOD - C:\Program Files\FileZilla FTP Client\fzshellext.dll ()
MOD - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe ()
MOD - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe ()
MOD - C:\Program Files\ThinkPad\Utilities\PWRMGRIF.DLL ()
MOD - C:\Program Files\ThinkPad\Utilities\US\PWRMGRRT.DLL ()
MOD - C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe ()
MOD - C:\Program Files\ThinkPad\Utilities\US\EZMAPRES.DLL ()
MOD - C:\Program Files\ThinkPad\ConnectUtilities\Res\US\IconRes.dll ()
MOD - C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe ()
MOD - C:\Program Files\ThinkPad\PkgMgr\HOTKEY\tpfnf7.dll ()
MOD - C:\WINDOWS\system32\tphklock.dll ()
MOD - C:\Program Files\IBM\Messages By IBM\AcpPollingEngine.dll ()
MOD - C:\WINDOWS\system32\AIBMRUNL.dll ()
MOD - C:\WINDOWS\system32\TpKmpSvc.exe ()
MOD - C:\Program Files\ThinkPad\PkgMgr\HOTKEY_2\tphk_2k.dll ()


========== Win32 Services (SafeList) ==========

SRV - (PsaSrv) -- File not found
SRV - (HidServ) -- File not found
SRV - (LMIMaint) -- C:\Program Files\LogMeIn\x86\RaMaint.exe (LogMeIn, Inc.)
SRV - (LMIGuardianSvc) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe (LogMeIn, Inc.)
SRV - (PEVSystemStart) -- C:\ComboFix\pev.3XE ()
SRV - (LogMeIn) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)
SRV - (Secunia Update Agent) -- C:\Program Files\Secunia\PSI\sua.exe (Secunia)
SRV - (CVPND) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
SRV - (Viewpoint Manager Service) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
SRV - (AdobeActiveFileMonitor4.0) -- C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe ()
SRV - (IBM Rapid Restore Ultra Service) -- C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe ()
SRV - (QCONSVC) -- C:\WINDOWS\system32\QCONSVC.EXE (IBM Corp.)
SRV - (TpKmpSVC) -- C:\WINDOWS\system32\TpKmpSvc.exe ()
SRV - (SoundMAX Agent Service (default)) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)


========== Driver Services (SafeList) ==========

DRV - (LMIRfsClientNP) -- C:\WINDOWS\System32\LMIRfsClientNP.dll (LogMeIn, Inc.)
DRV - (PSI) -- C:\WINDOWS\system32\drivers\psi_mf.sys (Secunia)
DRV - (CVPNDRVA) -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys (Cisco Systems, Inc.)
DRV - (DNE) -- C:\WINDOWS\system32\drivers\dne2000.sys (Deterministic Networks, Inc.)
DRV - (LMIRfsDriver) -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys (LogMeIn, Inc.)
DRV - (nm) -- C:\WINDOWS\system32\drivers\nmnt.sys (Microsoft Corporation)
DRV - (LMIInfo) -- C:\Program Files\LogMeIn\x86\rainfo.sys (LogMeIn, Inc.)
DRV - (vsdatant) -- C:\WINDOWS\system32\vsdatant.sys (Zone Labs, LLC)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (CVirtA) -- C:\WINDOWS\system32\drivers\CVirtA.sys (Cisco Systems, Inc.)
DRV - (psadd) -- C:\WINDOWS\system32\drivers\psadd.sys (IBM Corporation)
DRV - (DLAUDFAM) -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS (Sonic Solutions)
DRV - (DLAUDF_M) -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS (Sonic Solutions)
DRV - (DLAIFS_M) -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS (Sonic Solutions)
DRV - (DLABOIOM) -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS (Sonic Solutions)
DRV - (DLAOPIOM) -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS (Sonic Solutions)
DRV - (DLAPoolM) -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS (Sonic Solutions)
DRV - (DLADResN) -- C:\WINDOWS\system32\DLA\DLADResN.SYS (Sonic Solutions)
DRV - (DLACDBHM) -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS (Sonic Solutions)
DRV - (DLARTL_N) -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS (Sonic Solutions)
DRV - (USBModem) -- C:\WINDOWS\system32\drivers\lgusbmodem.sys (LG Electronics Inc.)
DRV - (UsbDiag) -- C:\WINDOWS\system32\drivers\lgusbdiag.sys (LG Electronics Inc.)
DRV - (usbbus) -- C:\WINDOWS\system32\drivers\lgusbbus.sys (LG Electronics Inc.)
DRV - (TSMAPIP) -- C:\WINDOWS\system32\drivers\TSMAPIP.SYS ()
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (ibmfilter) -- C:\WINDOWS\system32\drivers\ibmfilter.sys (IBM)
DRV - (TPM11) -- C:\WINDOWS\system32\drivers\nsctpm11.sys (National Semiconductor Corp.)
DRV - (TPPWRIF) -- C:\WINDOWS\system32\drivers\TPPWRIF.SYS ()
DRV - (QCNDISIF) -- C:\WINDOWS\system32\drivers\qcndisif.sys (IBM Corporation.)
DRV - (ANC) -- C:\WINDOWS\system32\drivers\ANC.sys (IBM Corp.)
DRV - (IBMTPCHK) -- C:\WINDOWS\system32\drivers\IBMBLDID.SYS ()
DRV - (w29n51) Intel® -- C:\WINDOWS\system32\drivers\w29n51.sys (Intel® Corporation)
DRV - (PcdrNdisuio) -- C:\WINDOWS\system32\drivers\PcdrNdisuio.sys (Windows ® 2000 DDK provider)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (HSFHWICH) -- C:\WINDOWS\system32\drivers\HSFHWICH.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (Smapint) -- C:\WINDOWS\system32\drivers\SMAPINT.SYS (Microsoft Corporation)
DRV - (TDSMAPI) -- C:\WINDOWS\system32\drivers\TDSMAPI.SYS ()
DRV - (TPDiskPM) -- C:\WINDOWS\System32\drivers\TPDiskPM.sys (IBM Corporation)
DRV - (TPInput) -- C:\WINDOWS\system32\drivers\TPInput.sys (IBM Corporation)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3519601265-2326865600-3357616587-15616\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://cms.fiercemarkets.com/cms/webfirst/PublisherHome.cfm?message=&CFID=3169&CFTOKEN=13622878
IE - HKU\S-1-5-21-3519601265-2326865600-3357616587-15616\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - No CLSID value found
IE - HKU\S-1-5-21-3519601265-2326865600-3357616587-15616\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "AIM Search"
FF - prefs.js..browser.search.defaulturl: "http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledItems: {c2f863cd-0429-48c7-bb54-db756a951760}:5.96.10.7194
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {0757E78D-0408-4A51-B3DB-939D54E3A82F}:1.9.1
FF - prefs.js..extensions.enabledItems: {E5B82655-C566-4FE6-9552-83824EBE5E02}:1.9.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {379EEEC8-AC1A-4295-8C59-2C23DFA4109C}:1.9.1
FF - prefs.js..keyword.URL: "http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query="


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{0757E78D-0408-4A51-B3DB-939D54E3A82F}: C:\Documents and Settings\DBowman\Local Settings\Application Data\{0757E78D-0408-4A51-B3DB-939D54E3A82F} [2010/09/03 09:26:49 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{E5B82655-C566-4FE6-9552-83824EBE5E02}: C:\Documents and Settings\admin2\Local Settings\Application Data\{E5B82655-C566-4FE6-9552-83824EBE5E02} [2010/09/07 14:40:19 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{379EEEC8-AC1A-4295-8C59-2C23DFA4109C}: C:\Documents and Settings\itshare\Local Settings\Application Data\{379EEEC8-AC1A-4295-8C59-2C23DFA4109C} [2010/09/22 17:12:56 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.23\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/10/14 10:29:49 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.23\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/10/14 10:29:49 | 000,000,000 | ---D | M]

[2010/09/30 15:48:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\DBowman\Application Data\Mozilla\Extensions
[2011/10/19 09:48:39 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\DBowman\Application Data\Mozilla\Firefox\Profiles\ya93q3z3.default\extensions
[2011/10/12 10:00:56 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\DBowman\Application Data\Mozilla\Firefox\Profiles\ya93q3z3.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/10/12 10:01:20 | 000,000,000 | ---D | M] ("AOL Messaging Toolbar") -- C:\Documents and Settings\DBowman\Application Data\Mozilla\Firefox\Profiles\ya93q3z3.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}
[2009/02/03 09:46:21 | 000,001,739 | ---- | M] () -- C:\Documents and Settings\DBowman\Application Data\Mozilla\Firefox\Profiles\ya93q3z3.default\searchplugins\aim-search.xml
[2008/07/24 09:23:17 | 000,001,877 | ---- | M] () -- C:\Documents and Settings\DBowman\Application Data\Mozilla\Firefox\Profiles\ya93q3z3.default\searchplugins\aolsearch.xml
[2011/10/19 09:48:39 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/09/27 09:48:04 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/09/27 09:11:20 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/09/07 14:40:19 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\ADMIN2\LOCAL SETTINGS\APPLICATION DATA\{E5B82655-C566-4FE6-9552-83824EBE5E02}
[2010/09/03 09:26:49 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\DBOWMAN\LOCAL SETTINGS\APPLICATION DATA\{0757E78D-0408-4A51-B3DB-939D54E3A82F}
[2010/09/22 17:12:56 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\ITSHARE\LOCAL SETTINGS\APPLICATION DATA\{379EEEC8-AC1A-4295-8C59-2C23DFA4109C}
[2009/05/19 08:40:10 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2007/06/01 17:51:16 | 000,069,632 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npitunes.dll
[2007/04/16 13:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npViewpoint.dll
[2008/02/19 14:45:33 | 000,001,948 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\AOL Search.xml

O1 HOSTS File: ([2011/10/18 15:18:05 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O3 - HKU\S-1-5-21-3519601265-2326865600-3357616587-15616\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-3519601265-2326865600-3357616587-15616\..\Toolbar\WebBrowser: (no name) - {61539ECD-CC67-4437-A03C-9AACCBD14326} - No CLSID value found.
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [BLOG] C:\Program Files\ThinkPad\Utilities\BATLOGEX.DLL ()
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe ()
O4 - HKLM..\Run: [IBMPRC] C:\IBMTOOLS\utils\ibmprc.exe (IBM Corp.)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (IBM Corp.)
O4 - HKLM..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE (IBM Corp.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [TP4EX] C:\WINDOWS\System32\TP4EX.exe (IBM Corporation)
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe ()
O4 - HKLM..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe (IBM Corp.)
O4 - HKU\S-1-5-21-3519601265-2326865600-3357616587-15616..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe (IBM)
O4 - Startup: C:\Documents and Settings\admin2\Start Menu\Programs\Startup\Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe (Secunia)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{B0BF7057-6869-4E4B-920C-EA2A58DA07F0}\Icon3E5562ED7.ico ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3519601265-2326865600-3357616587-15616\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3519601265-2326865600-3357616587-15616\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3519601265-2326865600-3357616587-15616\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3519601265-2326865600-3357616587-15616\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html File not found
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html File not found
O9 - Extra Button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} https://ntn-trend/officescan/console/html/ClientInstall/WinNTChk.cab (ObjWinNTCheck Class)
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} https://ntn-trend/officescan/console/html/ClientInstall/setup.cab (OfficeScan Corp Edition Web-Deployment SetupCtrl Class)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc3.cab (Office Update Installation Engine)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab (Windows Live Safety Center Base Module)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} http://simcity.ea.com/play/classic/SimCityX.cab (SimCityX Control)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = questex.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{00A9C424-C625-4D3E-A6FF-A1AEA2ADB773}: DhcpNameServer = 10.120.2.10 10.110.2.10 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9996BC44-4007-4CF7-81C6-CB2935DE0BCC}: DhcpNameServer = 208.39.140.42 64.56.37.246
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EB670D32-E165-44B9-A117-A59DEE093EFE}: DhcpNameServer = 10.0.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\LMIinit: DllName - (LMIinit.dll) - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O20 - Winlogon\Notify\QConGina: DllName - (QConGina.dll) - C:\WINDOWS\System32\QConGina.dll (IBM Corp.)
O20 - Winlogon\Notify\tphotkey: DllName - (tphklock.dll) - C:\WINDOWS\System32\tphklock.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\DBowman\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\DBowman\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/06/27 02:56:32 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/10/24 14:38:01 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\DBowman\Desktop\OTL.exe
[2011/10/21 09:15:55 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011/10/21 09:15:20 | 004,266,947 | R--- | C] (Swearware) -- C:\Documents and Settings\DBowman\Desktop\ComboFix.exe
[2011/10/19 12:58:00 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/10/19 09:40:42 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/10/18 16:34:04 | 001,559,856 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\DBowman\Desktop\tdsskiller.exe
[2011/10/18 14:51:41 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/10/18 14:51:41 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/10/18 14:51:41 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/10/18 14:51:41 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/10/18 14:51:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/10/18 14:38:13 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/10/12 17:08:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\DBowman\Start Menu\Programs\Administrative Tools
[2011/10/12 17:08:01 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\DBowman\Desktop\dds.scr
[2011/10/12 13:48:56 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2011/10/12 13:32:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2011/10/12 09:48:49 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\DBowman\Recent
[2011/10/11 16:14:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
[2011/10/11 16:14:20 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2011/10/11 16:12:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\DBowman\My Documents\Downloads
[2011/10/11 15:21:13 | 000,414,368 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/10/07 16:28:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\DBowman\Desktop\youtube
[2011/10/06 08:48:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/10/05 20:43:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/10/05 00:04:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/10/04 23:57:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/10/04 09:33:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\DBowman\Desktop\AHIMA
[2011/09/26 11:41:20 | 000,220,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\oleacc.dll
[2011/09/26 11:41:14 | 000,020,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\oleaccrc.dll
[6 C:\Documents and Settings\DBowman\Desktop\*.tmp files -> C:\Documents and Settings\DBowman\Desktop\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/10/24 14:40:39 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{F5EA5C42-B6B5-40BD-86A0-99E1433CF61C}.job
[2011/10/24 14:38:02 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\DBowman\Desktop\OTL.exe
[2011/10/24 14:36:18 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
[2011/10/24 14:36:13 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\PMTask.job
[2011/10/24 14:36:06 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2011/10/24 14:35:54 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/10/24 14:35:22 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/10/24 14:35:20 | 1600,638,976 | -HS- | M] () -- C:\hiberfil.sys
[2011/10/20 11:15:24 | 004,266,947 | R--- | M] (Swearware) -- C:\Documents and Settings\DBowman\Desktop\ComboFix.exe
[2011/10/20 10:05:00 | 000,203,896 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/10/20 10:01:12 | 000,445,056 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/10/20 10:01:12 | 000,072,766 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/10/20 09:55:31 | 000,001,829 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/10/20 09:52:15 | 000,000,167 | ---- | M] () -- C:\WINDOWS\hpbafd.ini
[2011/10/19 12:58:07 | 000,000,338 | RHS- | M] () -- C:\BOOT.INI
[2011/10/18 16:45:00 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/10/18 16:34:04 | 001,559,856 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\DBowman\Desktop\tdsskiller.exe
[2011/10/18 16:31:37 | 000,000,410 | ---- | M] () -- C:\WINDOWS\BRWMARK.INI
[2011/10/18 15:18:05 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/10/18 13:57:24 | 000,020,534 | ---- | M] () -- C:\WINDOWS\cfgall.ini
[2011/10/13 16:07:25 | 015,979,025 | ---- | M] () -- C:\Documents and Settings\DBowman\Desktop\AHIMA.zip
[2011/10/12 17:14:40 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\DBowman\Desktop\gmer.exe
[2011/10/12 17:08:02 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\DBowman\Desktop\dds.scr
[2011/10/12 17:06:26 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\DBowman\defogger_reenable
[2011/10/12 16:40:51 | 000,023,624 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011/10/12 14:25:06 | 000,000,021 | ---- | M] () -- C:\tmuninst.ini
[2011/10/11 15:21:13 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/10/11 13:02:47 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2011/10/10 09:49:30 | 000,077,814 | ---- | M] () -- C:\Documents and Settings\DBowman\Desktop\untitled.bmp
[2011/10/07 11:08:04 | 000,083,360 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIRfsClientNP.dll
[2011/10/07 11:08:02 | 000,087,424 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIinit.dll
[2011/10/07 11:08:02 | 000,030,592 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIport.dll
[2011/10/06 15:06:41 | 000,000,817 | ---- | M] () -- C:\Documents and Settings\DBowman\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/10/05 22:02:15 | 000,129,597 | ---- | M] () -- C:\Documents and Settings\DBowman\Desktop\fierceemrcopy.zip
[2011/10/03 04:35:11 | 005,971,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2011/10/01 16:21:23 | 000,000,458 | ---- | M] () -- C:\Documents and Settings\DBowman\Desktop\Shortcut to insurers earnings report.lnk
[2011/09/30 10:02:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/09/26 11:41:20 | 000,611,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\uiautomationcore.dll
[2011/09/26 11:41:20 | 000,220,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\oleacc.dll
[2011/09/26 11:41:14 | 000,020,480 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\oleaccrc.dll
[2011/09/26 11:41:14 | 000,020,480 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\oleaccrc.dll
[6 C:\Documents and Settings\DBowman\Desktop\*.tmp files -> C:\Documents and Settings\DBowman\Desktop\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/10/24 14:35:20 | 1600,638,976 | -HS- | C] () -- C:\hiberfil.sys
[2011/10/19 12:58:07 | 000,000,228 | ---- | C] () -- C:\Boot.bak
[2011/10/19 12:58:03 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/10/19 09:44:45 | 000,001,829 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2011/10/18 15:21:51 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/10/18 14:51:41 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/10/18 14:51:41 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/10/18 14:51:41 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/10/18 14:51:41 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/10/18 14:51:41 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/10/13 16:07:17 | 015,979,025 | ---- | C] () -- C:\Documents and Settings\DBowman\Desktop\AHIMA.zip
[2011/10/12 17:14:39 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\DBowman\Desktop\gmer.exe
[2011/10/12 17:06:26 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\DBowman\defogger_reenable
[2011/10/12 13:32:39 | 000,023,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011/10/11 14:47:02 | 000,002,347 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 9.lnk
[2011/10/10 09:49:30 | 000,077,814 | ---- | C] () -- C:\Documents and Settings\DBowman\Desktop\untitled.bmp
[2011/10/06 15:06:41 | 000,000,817 | ---- | C] () -- C:\Documents and Settings\DBowman\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/10/05 22:02:15 | 000,129,597 | ---- | C] () -- C:\Documents and Settings\DBowman\Desktop\fierceemrcopy.zip
[2011/10/01 16:21:21 | 000,000,458 | ---- | C] () -- C:\Documents and Settings\DBowman\Desktop\Shortcut to insurers earnings report.lnk
[2010/11/23 19:59:33 | 000,203,896 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/09/03 09:26:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Yzovobelisuzog.bin.vir
[2010/09/03 09:26:53 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Rxarirewap.dat.vir
[2010/07/20 15:21:59 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2010/04/01 12:08:41 | 000,013,836 | -HS- | C] () -- C:\Documents and Settings\DBowman\Local Settings\Application Data\0S70
[2010/04/01 12:08:41 | 000,013,836 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\0S70
[2010/03/23 13:26:48 | 000,201,512 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2010/03/23 13:17:40 | 000,197,416 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2010/02/23 09:24:10 | 000,008,620 | ---- | C] () -- C:\WINDOWS\cfgrs_ex.ini
[2010/02/23 09:24:09 | 000,009,438 | ---- | C] () -- C:\WINDOWS\cfgrs.ini
[2010/02/11 22:22:42 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\DBowman\Application Data\PUTTY.RND
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/07/30 21:58:42 | 000,000,314 | ---- | C] () -- C:\WINDOWS\primopdf.ini
[2008/12/04 13:10:18 | 000,007,861 | ---- | C] () -- C:\WINDOWS\cfgps_ex.ini
[2008/10/28 12:16:12 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\DBowman\Local Settings\Application Data\PUTTY.RND
[2008/06/22 11:34:04 | 000,000,698 | ---- | C] () -- C:\Documents and Settings\DBowman\Application Data\com.jamfsoftware.recon.plist
[2008/06/20 21:23:25 | 000,000,410 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2008/06/20 21:23:15 | 000,000,167 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2008/06/20 21:22:15 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\DBowman\Local Settings\Application Data\fusioncache.dat
[2008/06/20 21:11:33 | 000,020,534 | ---- | C] () -- C:\WINDOWS\cfgall.ini
[2006/09/10 13:40:32 | 000,000,024 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/07/05 18:52:31 | 000,001,368 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/06/27 05:29:43 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/06/27 03:18:43 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/06/27 03:18:22 | 000,003,942 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2006/06/27 03:16:31 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/06/07 08:02:32 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/06/07 08:01:50 | 000,016,384 | ---- | C] () -- C:\WINDOWS\PWMBTHLP.EXE
[2006/06/07 08:01:49 | 000,004,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\TPPWRIF.SYS
[2006/06/07 07:57:55 | 000,002,432 | ---- | C] () -- C:\WINDOWS\System32\drivers\IBMBLDID.SYS
[2006/06/07 07:54:57 | 000,032,256 | ---- | C] () -- C:\WINDOWS\System32\drivers\psasrv.exe
[2006/06/07 07:47:24 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2006/06/07 07:47:24 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2006/06/07 07:47:23 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2006/06/07 07:47:23 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2006/06/07 07:47:23 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2006/06/07 07:47:23 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2006/06/07 07:45:27 | 000,000,222 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/06/07 07:36:10 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\FPCALL.dll
[2006/06/07 07:31:19 | 000,009,340 | ---- | C] () -- C:\WINDOWS\System32\drivers\TDSMAPI.SYS
[2006/06/07 07:30:54 | 000,002,086 | ---- | C] () -- C:\WINDOWS\System32\SMBIOS.bin
[2006/06/07 07:30:14 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\TpKmpSvc.exe
[2006/06/07 07:19:02 | 000,002,481 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/02/24 22:14:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/05/04 17:32:42 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\PcdrKernelModeServices.dll
[2005/05/04 17:32:42 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\ProgressTrace.dll
[2005/04/27 12:53:10 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\pwdmon.dll
[2005/04/27 12:53:10 | 000,019,853 | ---- | C] () -- C:\WINDOWS\ibmprc.ini
[2004/12/20 11:08:28 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2004/12/20 11:03:26 | 000,679,936 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2004/11/09 04:02:00 | 000,110,592 | ---- | C] () -- C:\WINDOWS\desktopset.exe
[2004/08/09 14:03:43 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/09 14:01:40 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/09 13:51:56 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/09 13:46:20 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/01/09 09:10:32 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\AIBMRUNL.dll
[2003/04/10 19:04:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\JAWTAccessBridge.dll
[2003/01/07 18:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/23 10:26:08 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.BIN
[2001/08/23 10:24:30 | 000,004,524 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.DAT
[1980/01/01 03:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[1980/01/01 03:00:00 | 000,445,056 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[1980/01/01 03:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[1980/01/01 03:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[1980/01/01 03:00:00 | 000,087,540 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[1980/01/01 03:00:00 | 000,072,766 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[1980/01/01 03:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[1980/01/01 03:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[1980/01/01 03:00:00 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\tphklock.dll
[1980/01/01 03:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[1980/01/01 03:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[1980/01/01 03:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

< End of report >



#15 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 24 October 2011 - 05:22 PM

Hello

I want you to run this custom OTL script for me and then let me know how things are after you finish.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the textbox. Do not include the word Code
    :otl
    IE - HKU\S-1-5-21-3519601265-2326865600-3357616587-15616\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - No CLSID value found
    O3 - HKU\S-1-5-21-3519601265-2326865600-3357616587-15616\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-3519601265-2326865600-3357616587-15616\..\Toolbar\WebBrowser: (no name) - {61539ECD-CC67-4437-A03C-9AACCBD14326} - No CLSID value found.
    O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html File not found
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html File not found
    O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    FF - prefs.js..extensions.enabledItems: {0757E78D-0408-4A51-B3DB-939D54E3A82F}:1.9.1
    FF - prefs.js..extensions.enabledItems: {E5B82655-C566-4FE6-9552-83824EBE5E02}:1.9.1
    FF - prefs.js..extensions.enabledItems: {379EEEC8-AC1A-4295-8C59-2C23DFA4109C}:1.9.1 
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{0757E78D-0408-4A51-B3DB-939D54E3A82F}: C:\Documents and Settings\DBowman\Local Settings\Application Data\{0757E78D-0408-4A51-B3DB-939D54E3A82F} [2010/09/03 09:26:49 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{E5B82655-C566-4FE6-9552-83824EBE5E02}: C:\Documents and Settings\admin2\Local Settings\Application Data\{E5B82655-C566-4FE6-9552-83824EBE5E02} [2010/09/07 14:40:19 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{379EEEC8-AC1A-4295-8C59-2C23DFA4109C}: C:\Documents and Settings\itshare\Local Settings\Application Data\{379EEEC8-AC1A-4295-8C59-2C23DFA4109C} [2010/09/22 17:12:56 | 000,000,000 | ---D | M]
    [2010/09/07 14:40:19 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\ADMIN2\LOCAL SETTINGS\APPLICATION DATA\{E5B82655-C566-4FE6-9552-83824EBE5E02}
    [2010/09/03 09:26:49 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\DBOWMAN\LOCAL SETTINGS\APPLICATION DATA\{0757E78D-0408-4A51-B3DB-939D54E3A82F}
    [2010/09/22 17:12:56 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\ITSHARE\LOCAL SETTINGS\APPLICATION DATA\{379EEEC8-AC1A-4295-8C59-2C23DFA4109C}
    :Files
    ipconfig /flushdns /c
    :Commands
    [PURITY]
    [EMPTYTEMP]
    [EMPTYFLASH]
    [RESETHOSTS]
    
  • Then click the Run Fix button at the top.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
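As an added example (not from this thread, from gringo_pr, or from OTL), here is a Python triage helper that applies the selection logic behind the fix script above to a few OTL log lines copied from this thread: it flags the entries OTL itself marks as orphaned (no CLSID, file or key found) and, by a heuristic of my own, extension code living in a bare {GUID} folder under Local Settings, then renders them as an :otl fix section. The sample log and the GUID-folder heuristic are assumptions; every flagged line still needs a human look before it goes into a fix.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Phrases OTL appends when a hook points at a CLSID, file or registry key that
# no longer exists. Such entries do nothing useful and are the usual first
# candidates for an :otl fix section.
ORPHAN_MARKERS = ("No CLSID value found", "File not found", "Reg Error: Key error")

# Heuristic of my own (not OTL's): a bare {GUID} folder sitting directly under
# "...\Local Settings\Application Data" is where the three XULRunner-based
# Firefox extensions in this thread were registered from.
_LOCAL_GUID_RE = re.compile(
    r"\\Local Settings\\Application Data\\\{"
    r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}(?=\s|$)",
    re.IGNORECASE,
)

# Constructed sample: a handful of lines copied from the OTL log in this thread,
# mixing healthy entries with the ones the helper selected for removal.
SAMPLE_LOG = r"""
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKU\S-1-5-21-3519601265-2326865600-3357616587-15616\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html File not found
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{0757E78D-0408-4A51-B3DB-939D54E3A82F}: C:\Documents and Settings\DBowman\Local Settings\Application Data\{0757E78D-0408-4A51-B3DB-939D54E3A82F} [2010/09/03 09:26:49 | 000,000,000 | ---D | M]
[2010/09/03 09:26:49 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\DBOWMAN\LOCAL SETTINGS\APPLICATION DATA\{0757E78D-0408-4A51-B3DB-939D54E3A82F}
[2011/10/12 10:00:56 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\DBowman\Application Data\Mozilla\Firefox\Profiles\ya93q3z3.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
"""


@dataclass
class Finding:
    line: str    # the OTL log line, verbatim, so it can be pasted into a fix
    reason: str  # why it was flagged


def classify_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious OTL entry, or None when it looks healthy."""
    entry = line.strip()
    if not entry:
        return None
    for marker in ORPHAN_MARKERS:
        if marker in entry:
            return Finding(entry, "orphaned entry: " + marker)
    if _LOCAL_GUID_RE.search(entry):
        return Finding(entry, "extension code in a bare GUID folder under Local Settings")
    return None


def triage(log_text: str) -> List[Finding]:
    """Run classify_line over a whole OTL log and keep only the flagged entries."""
    return [f for f in map(classify_line, log_text.splitlines()) if f is not None]


def build_otl_fix(findings: List[Finding]) -> str:
    """Render findings as an OTL fix script.

    OTL matches :otl entries literally against its own log output, so each line
    goes in verbatim; the :Commands block mirrors the one used in the thread.
    """
    body = [":otl", *(f.line for f in findings), ":Commands", "[EMPTYTEMP]", "[RESETHOSTS]"]
    return "\n".join(body)


if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for f in flagged:
        print(f"{f.reason:<62} {f.line[:60]}...")
    print()
    print(build_otl_fix(flagged))
```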



