Infected with TDSS & Google keeps redirecting


  • This topic is locked
20 replies to this topic

#1 riskb


  • Members
  • 11 posts

Posted 23 October 2011 - 09:35 AM

Good morning, I believe that my computer is infected with the Cloud virus. I'm locked out of Microsoft Security Essentials, unable to run it or update, and am being redirected to various websites. I've downloaded TDSSKiller and run it a few times. It finds two threats but is unable to remove them. I therefore cannot run Malwarebytes as I am being locked out. It is also stopping me from creating a GMER log. It scans but closes when finished, not letting me save the log. I've attached most of the GMER log by pressing copy as it scans before it closes. It really is a "Bleeping Computer" today. Thank you.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Run by Rick at 14:50:25 on 2011-10-23
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.437 [GMT 1:00]
.
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
svchost.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE
C:\Program Files\Secunia\PSI\PSIA.exe
C:\WINDOWS\3580860670:23564330.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uWinlogon: Shell=c:\documents and settings\rick\local settings\application data\fe986fd5\X
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Adobe Acrobat Synchronizer] "c:\program files\adobe\acrobat 10.0\acrobat\AdobeCollabSync.exe"
mRun: [WINDVDPatch] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [Jet Detection] "c:\program files\creative\sblive\program\ADGJDet.exe"
mRun: [CTStartup] c:\program files\creative\splash screen\CTEaxSpl.EXE /run
mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
mRun: [Syslog]
mRun: [Motive SmartBridge] c:\progra~1\btbroa~1\smartb~1\BTHelpNotifier.exe
mRun: [btbb_wcm_McciTrayApp] c:\program files\btbb_wcm\McciTrayApp.exe
mRun: [MsgCenterExe] "c:\program files\common files\real\update_ob\RealOneMessageCenter.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [FUFAXSTM] "c:\program files\epson software\fax utility\FUFAXSTM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
mPolicies-explorer: <NO NAME> =
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
LSP: mswsock.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab
DPF: {1B735B98-8010-11D5-AD0B-00500463D885} - hxxp://www.partsarena.co.uk/baxi/Plugins/IMIESRCH.cab
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} - hxxp://casteruk.manheim.com/lib/LiveSound.dll
DPF: {36C17E9B-3354-11D1-95CF-0000B4530F04} - hxxp://www.partsarena.co.uk/baxi/Plugins/GFXVIEW.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106000023468
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1220600553437
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} - hxxp://downloads.broadbandassist.com/BTYahoo!Help/PreQual/files/MotivePreQual.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{20BABC22-55B1-4FBB-8AFA-2521FB4F6B40} : DhcpNameServer = 192.168.1.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli scecli scecli
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\rick\application data\mozilla\firefox\profiles\jede2t6e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\common files\epson\epw!3 ssrp\E_S50ST7.EXE [2011-2-19 155648]
R2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\common files\epson\epw!3 ssrp\E_S50RP7.EXE [2011-2-19 123904]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-19 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-4-19 399416]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 MpKsl7c8e2c69;MpKsl7c8e2c69;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{76fce1b8-f570-4b36-b132-ffada0b692de}\mpksl7c8e2c69.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{76fce1b8-f570-4b36-b132-ffada0b692de}\MpKsl7c8e2c69.sys [?]
S1 MpKsl7c976458;MpKsl7c976458;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8b15260a-eccb-4db7-b322-5a7a3d5ccd1d}\mpksl7c976458.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8b15260a-eccb-4db7-b322-5a7a3d5ccd1d}\MpKsl7c976458.sys [?]
S1 MpKsla1e86245;MpKsla1e86245;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8cfbf510-ffbb-4ad6-945a-b7cf9b2b73a5}\mpksla1e86245.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8cfbf510-ffbb-4ad6-945a-b7cf9b2b73a5}\MpKsla1e86245.sys [?]
S1 MpKsldf15d818;MpKsldf15d818;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{66bace96-a3ff-4902-a681-7590a607f317}\mpksldf15d818.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{66bace96-a3ff-4902-a681-7590a607f317}\MpKsldf15d818.sys [?]
S3 BELKIN;Belkin Wireless G USB Network Adapter;c:\windows\system32\drivers\BLKWGU.sys [2009-8-27 238848]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [2005-3-15 24197]
S3 PAC207;Trust WB-1400T Webcam;c:\windows\system32\drivers\pfc027.sys --> c:\windows\system32\drivers\pfc027.sys [?]
.
=============== Created Last 30 ================
.
2011-10-23 13:47:54 94896 ----a-w- c:\windows\system32\drivers\30729978.sys
2011-10-23 13:25:51 94896 ----a-w- c:\windows\system32\drivers\36599821.sys
2011-10-23 13:06:48 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-23 12:07:33 -------- d-----w- C:\4e5ad103b054a67c86913f63d6b563
2011-10-23 12:07:33 -------- d-----w- C:\30d1008ff53c50dbec
2011-10-23 12:05:26 48016 --sha-w- c:\windows\system32\c_54175.nl_
2011-10-23 11:11:40 -------- d-----w- c:\documents and settings\rick\local settings\application data\PCHealth
2011-10-23 08:15:37 -------- d-----w- c:\windows\system32\XPSViewer
2011-10-23 08:14:21 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-10-23 08:13:26 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-10-23 08:13:26 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-10-23 08:13:26 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-10-23 08:13:26 117760 ------w- c:\windows\system32\prntvpt.dll
2011-10-23 08:13:25 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-10-23 08:13:25 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-10-23 08:13:24 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-10-23 08:13:24 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-10-23 08:13:23 -------- d-----w- C:\1f27ee4e5fd3dee36580a9851c3c6f7a
2011-10-22 08:42:06 -------- d-----w- c:\documents and settings\rick\application data\ElevatedDiagnostics
2011-10-22 07:40:18 6668624 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll
2011-10-22 07:27:40 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{af84128b-7aae-4685-8872-4fcf1014f1f6}\offreg.dll
2011-10-22 07:27:11 7269712 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{af84128b-7aae-4685-8872-4fcf1014f1f6}\mpengine.dll
2011-10-21 21:06:36 -------- d-----w- c:\program files\Microsoft Security Client
2011-10-21 20:17:34 -------- d-sh--w- c:\documents and settings\rick\local settings\application data\fe986fd5
2011-09-26 10:41:20 611328 ------w- c:\windows\system32\uiautomationcore.dll
.
==================== Find3M ====================
.
2011-10-23 13:22:17 37760 ----a-w- c:\windows\system32\drivers\amdk7.sys
2011-10-23 13:14:57 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-10-23 12:51:55 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-09-26 10:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-23 07:30:29 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 16:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
============= FINISH: 14:52:04.21 ===============
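A defender-side triage pass over DDS-format log lines of the kind posted above, written as an added example for this thread (it is not part of the thread, nor a BleepingComputer or DDS tool). The sample lines are constructed from this report, and the indicator rules (alternate-data-stream process image, replaced per-user Winlogon Shell, numeric-named drivers of identical size, system+hidden hex-named profile directory) are heuristics chosen for the example:

```python
import re
from dataclasses import dataclass

# Constructed sample in DDS log format, modelled on the report posted in this
# thread (a few representative lines, not the whole log).
SAMPLE_DDS = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\explorer.exe
C:\WINDOWS\3580860670:23564330.exe
C:\Program Files\Secunia\PSI\sua.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.co.uk/
uWinlogon: Shell=c:\documents and settings\rick\local settings\application data\fe986fd5\X
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
=============== Created Last 30 ================
2011-10-23 13:47:54 94896 ----a-w- c:\windows\system32\drivers\30729978.sys
2011-10-23 13:25:51 94896 ----a-w- c:\windows\system32\drivers\36599821.sys
2011-10-23 13:06:48 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-21 20:17:34 -------- d-sh--w- c:\documents and settings\rick\local settings\application data\fe986fd5
2011-09-26 10:41:20 611328 ------w- c:\windows\system32\uiautomationcore.dll
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# DDS "Created Last 30" rows: date time size attrs path (size is "--------" for dirs)
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+) (\S+) (.+)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:")


@dataclass
class Finding:
    kind: str   # short tag for the indicator class
    line: str   # the log line that triggered it
    note: str   # analyst-facing explanation


def is_ads_path(path: str) -> bool:
    """True if a Windows path names an NTFS alternate data stream (file:stream).

    A colon anywhere after the drive specifier can only introduce a stream name.
    """
    body = path[2:] if DRIVE_RE.match(path) else path
    return ":" in body


def triage(dds_text: str) -> list[Finding]:
    findings: list[Finding] = []
    section = ""
    numeric_drivers: dict[str, list[str]] = {}   # size -> lines, to spot identical-size copies

    for line in dds_text.splitlines():
        line = line.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue

        if section == "running processes" and is_ads_path(line):
            findings.append(Finding("ads-process", line,
                "process image is an NTFS alternate data stream; not shown by an ordinary directory listing"))

        elif section == "pseudo hjt report" and line.lower().startswith("uwinlogon: shell="):
            shell = line.split("=", 1)[1].strip()
            if shell.rsplit("\\", 1)[-1].lower() != "explorer.exe":
                findings.append(Finding("winlogon-shell", line,
                    "per-user Winlogon Shell no longer points at explorer.exe; the logon shell has been replaced"))

        elif section == "created last 30":
            c = CREATED_RE.match(line)
            if not c:
                continue
            _, _, size, attrs, path = c.groups()
            parent, _, name = path.lower().rpartition("\\")
            if parent.endswith("\\drivers") and re.fullmatch(r"\d+\.sys", name):
                numeric_drivers.setdefault(size, []).append(line)
                findings.append(Finding("random-driver", line,
                    "newly created driver with a purely numeric name in system32\\drivers"))
            if attrs.startswith("d") and "s" in attrs and "h" in attrs and re.fullmatch(r"[0-9a-f]{8}", name):
                findings.append(Finding("hidden-dir", line,
                    "system+hidden directory with a random hex name under the user profile"))

    for size, lines in numeric_drivers.items():
        if len(lines) > 1:
            findings.append(Finding("driver-size-match", "; ".join(lines),
                f"{len(lines)} numeric-named drivers share size {size}; likely copies of one dropped driver"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.kind}] {f.note}\n    {f.line}")
```

Benign rows in the sample (the Malwarebytes driver, the QuickTime Run entry, the Microsoft DLL) produce no finding, which is the check an analyst wants before acting on any rule.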



#2 fireman4it


    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 23 October 2011 - 11:06 AM

Hello,



  1. Please download OTL from one of the following mirrors:
     • This is THE Mirror
  2. Save it to your desktop.
  3. Double click on the OTL icon on your desktop.
  4. Under the Custom Scan box paste this in:

     netsvcs
     %SYSTEMDRIVE%\*.exe
     /md5start
     eventlog.dll
     scecli.dll
     netlogon.dll
     cngaudit.dll
     sceclt.dll
     ntelogon.dll
     logevent.dll
     iaStor.sys
     nvstor.sys
     atapi.sys
     IdeChnDr.sys
     viasraid.sys
     AGP440.sys
     vaxscsi.sys
     nvatabus.sys
     viamraid.sys
     nvata.sys
     nvgts.sys
     iastorv.sys
     ViPrt.sys
     eNetHook.dll
     ahcix86.sys
     KR10N.sys
     /md5stop
     %systemroot%\*. /mp /s
     CREATERESTOREPOINT

  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
     • OTL.txt <-- Will be opened
     • Extra.txt <-- Will be minimized

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 riskb

  • Topic Starter

  • Members
  • 11 posts

Posted 23 October 2011 - 12:16 PM

Thank you for your prompt response.
Two reports copied and pasted as requested.

OTL logfile created on: 23/10/2011 17:56:40 - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Rick\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1023.48 Mb Total Physical Memory | 265.95 Mb Available Physical Memory | 25.98% Memory free
2.41 Gb Paging File | 1.82 Gb Available in Paging File | 75.76% Paging File free
Paging file location(s): c:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 114.49 Gb Total Space | 37.98 Gb Free Space | 33.17% Space Free | Partition Type: NTFS

Computer Name: HOME | User Name: Rick | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - File not found -- C:\WINDOWS\3580860670:23564330.exe
PRC - [2011/10/23 17:55:31 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rick\Desktop\OTL.exe
PRC - [2011/06/15 15:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2011/04/19 07:44:40 | 000,993,848 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psia.exe
PRC - [2011/04/19 07:44:40 | 000,399,416 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\sua.exe
PRC - [2011/04/19 07:44:40 | 000,291,896 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psi_tray.exe
PRC - [2009/12/03 01:00:00 | 000,847,872 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe
PRC - [2009/09/14 06:00:00 | 000,155,648 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE
PRC - [2009/09/14 06:00:00 | 000,123,904 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE
PRC - [2008/04/14 01:12:28 | 000,060,416 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Outlook Express\msimn.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/01/14 10:32:38 | 000,053,248 | ---- | M] () -- C:\WINDOWS\system32\PAStiSvc.exe
PRC - [2002/07/02 10:56:00 | 000,024,576 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTHELPER.EXE


========== Modules (No Company Name) ==========

MOD - [2011/05/28 22:04:56 | 000,140,288 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2008/06/20 17:02:47 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2005/01/14 10:32:38 | 000,053,248 | ---- | M] () -- C:\WINDOWS\system32\PAStiSvc.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] () [Auto | Stopped] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2011/04/19 07:44:40 | 000,993,848 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\PSIA.exe -- (Secunia PSI Agent)
SRV - [2011/04/19 07:44:40 | 000,399,416 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\sua.exe -- (Secunia Update Agent)
SRV - [2009/12/17 17:36:24 | 000,067,360 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2009/09/14 06:00:00 | 000,155,648 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE -- (EPSON_EB_RPCV4_04) EPSON V5 Service4(04)
SRV - [2009/09/14 06:00:00 | 000,123,904 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE -- (EPSON_PM_RPCV4_04) EPSON V3 Service4(04)
SRV - [2005/11/11 17:21:22 | 000,068,096 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe -- (Macromedia Licensing Service)
SRV - [2005/01/14 10:32:38 | 000,053,248 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\PAStiSvc.exe -- (STI Simulator)


========== Driver Services (SafeList) ==========

DRV - [2011/10/23 14:25:51 | 000,062,976 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\tsk4.tmp -- (Cdrom)
DRV - [2010/09/01 09:30:58 | 000,015,544 | ---- | M] (Secunia) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psi_mf.sys -- (PSI)
DRV - [2008/04/13 19:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2007/06/01 06:13:20 | 000,238,848 | R--- | M] (Belkin Corporation. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BLKWGU.sys -- (BELKIN)
DRV - [2005/02/03 11:52:54 | 000,024,197 | R--- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\FTD2XX.sys -- (FTD2XX)
DRV - [2003/12/17 16:30:46 | 000,017,005 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\ASPI32.SYS -- (Aspi32)
DRV - [2002/07/24 06:52:26 | 000,998,004 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k)
DRV - [2002/07/19 03:48:32 | 000,156,604 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2002/07/19 03:48:22 | 000,213,860 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2002/07/19 03:48:08 | 000,011,068 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2002/07/19 03:48:04 | 000,195,432 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2002/07/19 03:47:52 | 000,837,548 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2002/07/19 03:46:28 | 000,127,948 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2002/05/10 14:31:48 | 000,633,220 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Intels51.sys -- (Intels51) Intel®
DRV - [2001/08/23 21:03:54 | 000,025,434 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139)
DRV - [2001/08/17 13:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctljystk.sys -- (ctljystk)
DRV - [1999/12/17 02:00:00 | 000,006,752 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\PFMODNT.SYS -- (PfModNT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: linkfilter@kaspersky.ru:9.0.0.459
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..network.proxy.no_proxies_on: "127.0.0.1"

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.23\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/30 08:42:11 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.23\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/09/30 08:42:02 | 000,000,000 | ---D | M]

[2009/12/01 18:12:47 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Rick\Application Data\Mozilla\Extensions
[2008/09/04 21:54:33 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\jede2t6e.default\extensions
[2011/09/30 08:42:07 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2009/09/10 16:53:45 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{8545daff-ad1e-493f-a37e-eed1ac79682b}
[2010/05/02 23:03:11 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/08/03 07:51:17 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/11/02 23:16:31 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
File not found (No name found) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
File not found (No name found) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\LINKFILTER@KASPERSKY.RU
[2007/08/25 04:52:00 | 000,300,400 | ---- | M] (Symantec Corporation) -- C:\Program Files\mozilla firefox\components\coFFPlgn.dll
[2010/11/12 19:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/09/20 18:08:28 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2011/09/20 18:08:28 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2011/09/20 18:08:28 | 000,000,769 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2011/09/20 18:08:28 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2009/03/11 22:33:53 | 000,302,826 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 10437 more lines...
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4 - HKLM..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe File not found
O4 - HKLM..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE (Creative Technology Ltd.)
O4 - HKLM..\Run: [FUFAXSTM] C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [Jet Detection] C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe ()
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe File not found
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot File not found
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe ()
O4 - HKLM..\Run: [Syslog] File not found
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\Updreg.EXE (Creative Technology Ltd.)
O4 - HKLM..\Run: [WINDVDPatch] C:\WINDOWS\System32\CTHELPER.EXE (Creative Technology Ltd)
O4 - HKCU..\Run: [Adobe Acrobat Synchronizer] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe" File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = _ [binary data]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = _ [binary data]
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html File not found
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html File not found
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html File not found
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html File not found
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - mswsock.dll File not found
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} http://www.ipix.com/viewers/ipixx.cab (iPIX ActiveX Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} http://download.ewido.net/ewidoOnlineScan.cab (ewidoOnlineScan Control)
O16 - DPF: {1B735B98-8010-11D5-AD0B-00500463D885} http://www.partsarena.co.uk/baxi/Plugins/IMIESRCH.cab (SearchCD Control)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab (Reg Error: Key error.)
O16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} http://casteruk.manheim.com/lib/LiveSound.dll (lgbplay Class)
O16 - DPF: {36C17E9B-3354-11D1-95CF-0000B4530F04} http://www.partsarena.co.uk/baxi/Plugins/GFXVIEW.cab (GrafixViewControl)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106000023468 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1220600553437 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab (EPUImageControl Class)
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} http://downloads.broadbandassist.com/BTYahoo!Help/PreQual/files/MotivePreQual.cab (PreQualifier Class)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{20BABC22-55B1-4FBB-8AFA-2521FB4F6B40}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (C:\Documents and Settings\Rick\Local Settings\Application Data\fe986fd5\X) -C:\Documents and Settings\Rick\Local Settings\Application Data\fe986fd5\X ()
O24 - Desktop WallPaper: C:\Documents and Settings\Rick\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Rick\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/01/17 21:56:25 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{6b081652-7d2f-11df-ba4c-0040f4880a25}\Shell - "" = AutoRun
O33 - MountPoints2\{6b081652-7d2f-11df-ba4c-0040f4880a25}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6b081652-7d2f-11df-ba4c-0040f4880a25}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

File not found -- C:\WINDOWS\System32\
[2011/10/23 17:55:29 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Rick\Desktop\OTL.exe
[2011/10/23 15:28:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rick\Desktop\gmer
[2011/10/23 14:50:25 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
[2011/10/23 14:48:17 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Rick\Desktop\dds.scr
[2011/10/23 14:47:54 | 000,094,896 | ---- | C] (Kaspersky Lab, GERT) -- C:\WINDOWS\System32\drivers\30729978.sys
[2011/10/23 14:25:51 | 000,094,896 | ---- | C] (Kaspersky Lab, GERT) -- C:\WINDOWS\System32\drivers\36599821.sys
[2011/10/23 14:06:48 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/10/23 13:07:33 | 000,000,000 | ---D | C] -- C:\4e5ad103b054a67c86913f63d6b563
[2011/10/23 13:07:33 | 000,000,000 | ---D | C] -- C:\30d1008ff53c50dbec
[2011/10/23 12:11:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rick\Local Settings\Application Data\PCHealth
[2011/10/23 09:15:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2011/10/23 09:15:23 | 000,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2011/10/23 09:14:54 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2011/10/23 09:13:23 | 000,000,000 | ---D | C] -- C:\1f27ee4e5fd3dee36580a9851c3c6f7a
[2011/10/22 09:42:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rick\Application Data\ElevatedDiagnostics
[2011/10/22 09:19:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows PowerShell 1.0
[2011/10/22 09:19:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\windowspowershell
[2011/10/22 09:09:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\Microsoft.NET
[2011/10/21 22:41:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/10/21 22:07:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\PCHealth
[2011/10/21 22:06:36 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2011/10/21 21:31:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/10/21 21:24:37 | 000,000,000 | RHSD | C] -- C:\WINDOWS\assembly
[2011/10/21 21:17:34 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Rick\Local Settings\Application Data\fe986fd5
[2011/10/10 19:15:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype
[2011/09/28 16:49:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rick\My Documents\fan
[2005/01/17 22:18:02 | 000,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

File not found -- C:\WINDOWS\System32\
[2011/10/23 17:55:31 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rick\Desktop\OTL.exe
[2011/10/23 16:05:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/10/23 14:56:52 | 000,294,216 | ---- | M] () -- C:\Documents and Settings\Rick\Desktop\gmer.zip
[2011/10/23 14:48:19 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Rick\Desktop\dds.scr
[2011/10/23 14:47:54 | 000,094,896 | ---- | M] (Kaspersky Lab, GERT) -- C:\WINDOWS\System32\drivers\30729978.sys
[2011/10/23 14:46:34 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Rick\defogger_reenable
[2011/10/23 14:45:44 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Rick\Desktop\Defogger.exe
[2011/10/23 14:28:47 | 000,433,130 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/10/23 14:28:47 | 000,067,768 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/10/23 14:25:51 | 000,094,896 | ---- | M] (Kaspersky Lab, GERT) -- C:\WINDOWS\System32\drivers\36599821.sys
[2011/10/23 14:25:00 | 000,013,868 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/10/23 14:24:18 | 000,000,000 | ---- | M] () -- C:\WINDOWS\3580860670
[2011/10/23 14:24:14 | 003,374,719 | ---- | M] () -- C:\WINDOWS\{00000000-00000000-00000008-00001102-00000002-80651102}.CDF
[2011/10/23 14:24:14 | 003,374,719 | ---- | M] () -- C:\WINDOWS\{00000000-00000000-00000008-00001102-00000002-80651102}.BAK
[2011/10/23 14:24:13 | 000,048,016 | -HS- | M] () -- C:\WINDOWS\System32\c_54175.nl_
[2011/10/23 14:21:03 | 000,025,296 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000000-00000000-00000008-00001102-00000002-80651102}.rfx
[2011/10/23 14:21:03 | 000,025,296 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000000-00000000-00000008-00001102-00000002-80651102}.rfx
[2011/10/23 14:21:03 | 000,016,516 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000000-00000000-00000008-00001102-00000002-80651102}.rfx
[2011/10/23 14:21:03 | 000,016,516 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000000-00000000-00000008-00001102-00000002-80651102}.rfx
[2011/10/23 14:21:03 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2011/10/23 14:21:03 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2011/10/23 14:21:03 | 000,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCStateBkp-{00000000-00000000-00000008-00001102-00000002-80651102}.dat
[2011/10/23 14:21:03 | 000,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000000-00000000-00000008-00001102-00000002-80651102}.dat
[2011/10/23 14:06:48 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/10/23 09:54:46 | 000,234,368 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/10/23 09:13:07 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{A03EDEDB-B42A-4A2A-878A-882E468B7885}.job
[2011/10/22 08:24:12 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/10/21 21:24:32 | 000,000,000 | -HS- | M] () -- C:\WINDOWS\{2521BB91-29B1-4d7e-9137-AC9875D77735}
[2011/10/19 21:14:05 | 000,236,355 | ---- | M] () -- C:\Documents and Settings\Rick\My Documents\CCW%20Cover%20Oct%2019.jpg
[2011/10/19 21:08:19 | 001,815,532 | ---- | M] () -- C:\Documents and Settings\Rick\My Documents\img110.jpg
[2011/10/18 18:19:11 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/10/12 05:50:59 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/10/05 10:09:48 | 048,324,552 | ---- | M] () -- C:\WINDOWS\System32\MRT.exe
[2011/09/29 12:42:54 | 000,000,010 | ---- | M] () -- C:\Documents and Settings\Rick\Application Data\local.lng.dat
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/10/23 14:56:52 | 000,294,216 | ---- | C] () -- C:\Documents and Settings\Rick\Desktop\gmer.zip
[2011/10/23 14:46:34 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Rick\defogger_reenable
[2011/10/23 14:45:43 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Rick\Desktop\Defogger.exe
[2011/10/23 13:05:26 | 000,048,016 | -HS- | C] () -- C:\WINDOWS\System32\c_54175.nl_
[2011/10/22 08:23:37 | 000,001,680 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
[2011/10/21 21:24:32 | 000,000,000 | -HS- | C] () -- C:\WINDOWS\{2521BB91-29B1-4d7e-9137-AC9875D77735}
[2011/10/21 21:17:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\3580860670
[2011/10/19 21:14:43 | 000,236,355 | ---- | C] () -- C:\Documents and Settings\Rick\My Documents\CCW%20Cover%20Oct%2019.jpg
[2011/10/19 21:08:04 | 001,815,532 | ---- | C] () -- C:\Documents and Settings\Rick\My Documents\img110.jpg
[2011/07/21 08:31:38 | 000,000,232 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fz
[2011/07/21 08:31:38 | 000,000,184 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fzr
[2011/07/21 08:31:20 | 000,000,392 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\P1kAlMiG2Kb7Fz
[2009/10/29 21:01:56 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/10/29 20:29:27 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\PAStiSvc.exe
[2008/09/03 13:29:53 | 000,000,058 | ---- | C] () -- C:\WINDOWS\CTACD.INI
[2008/06/20 06:12:20 | 000,001,160 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2008/06/17 07:58:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2008/04/26 18:03:45 | 000,000,037 | ---- | C] () -- C:\WINDOWS\ipixActivex.ini
[2008/04/11 17:42:04 | 000,010,752 | ---- | C] () -- C:\Documents and Settings\Rick\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/06/16 07:19:15 | 048,324,552 | ---- | C] () -- C:\WINDOWS\System32\MRT.exe
[2006/02/09 19:57:29 | 000,000,067 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2005/11/13 14:42:59 | 000,000,010 | ---- | C] () -- C:\Documents and Settings\Rick\Application Data\local.lng.dat
[2005/10/21 21:05:43 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2005/03/15 20:10:33 | 000,000,059 | R--- | C] () -- C:\WINDOWS\System32\FTD2XXUN.ini
[2005/01/25 16:15:42 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\PA207USD.DLL
[2005/01/18 18:31:09 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\CNMVS4q.DLL
[2005/01/17 23:01:26 | 000,000,512 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2005/01/17 22:47:56 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/01/17 22:34:33 | 000,000,024 | ---- | C] () -- C:\WINDOWS\System32\DVCStateBkp-{00000000-00000000-00000008-00001102-00000002-80651102}.dat
[2005/01/17 22:34:33 | 000,000,024 | ---- | C] () -- C:\WINDOWS\System32\DVCState-{00000000-00000000-00000008-00001102-00000002-80651102}.dat
[2005/01/17 22:18:53 | 000,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2005/01/17 22:18:52 | 001,048,576 | ---- | C] () -- C:\WINDOWS\System32\SFMAN.DAT
[2005/01/17 22:18:09 | 000,037,727 | ---- | C] () -- C:\WINDOWS\System32\Emu10kx.ini
[2005/01/17 22:18:09 | 000,000,029 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2005/01/17 22:18:03 | 000,164,044 | ---- | C] () -- C:\WINDOWS\System32\ctdlang.dat
[2005/01/17 22:18:03 | 000,113,373 | ---- | C] () -- C:\WINDOWS\System32\ctbasicw.dat
[2005/01/17 22:18:03 | 000,113,273 | ---- | C] () -- C:\WINDOWS\System32\CTBAS2W.DAT
[2005/01/17 22:18:02 | 000,179,669 | ---- | C] () -- C:\WINDOWS\System32\ctstatic.dat
[2005/01/17 22:18:02 | 000,044,055 | ---- | C] () -- C:\WINDOWS\System32\ctdaught.dat
[2005/01/17 22:17:56 | 000,000,180 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2005/01/17 22:17:55 | 000,184,320 | ---- | C] () -- C:\WINDOWS\PSCONV.EXE
[2005/01/17 22:17:55 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\REGPLIB.EXE
[2005/01/17 22:17:37 | 000,000,307 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2005/01/17 22:03:46 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\vusetup.dll
[2005/01/17 22:01:44 | 000,000,017 | ---- | C] () -- C:\WINDOWS\System32\auto.ini
[2005/01/17 21:57:49 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/01/17 21:54:32 | 000,022,720 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/01/17 21:47:03 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/01/17 21:46:14 | 000,234,368 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/04 13:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 13:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 13:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 13:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 13:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 13:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 13:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 13:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 13:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 01:56:46 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/03/31 13:00:00 | 000,433,130 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2003/03/31 13:00:00 | 000,067,768 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2003/03/31 13:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2002/01/22 16:54:28 | 000,010,539 | ---- | C] () -- C:\WINDOWS\System32\NICFIND.EXE
[2001/07/25 12:00:10 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\HWINV.DLL
[2001/07/25 12:00:10 | 000,026,572 | ---- | C] () -- C:\WINDOWS\System32\INV16.DLL
[1999/01/22 19:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1998/01/12 09:00:00 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL

========== LOP Check ==========

[2011/02/19 21:07:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2008/10/26 08:58:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCSettings
[2011/05/15 07:32:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\regid.1986-12.com.adobe
[2005/01/17 22:55:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBT
[2008/09/03 15:15:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/10/22 09:42:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick\Application Data\ElevatedDiagnostics
[2011/04/11 16:48:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick\Application Data\Epson
[2005/11/10 17:12:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick\Application Data\GlobalSCAPE
[2011/10/18 22:28:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick\Application Data\Spotify
[2011/10/23 16:05:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2011/10/23 09:13:07 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{A03EDEDB-B42A-4A2A-878A-882E468B7885}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/09/05 08:03:06 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/09/05 08:03:06 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/05/12 22:00:31 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sp3.cab:AGP440.sys
[2008/04/13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\agp440.sys
[2008/04/13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 07:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/09/05 08:03:06 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/09/05 08:03:06 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/05/12 22:00:31 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sp3.cab:atapi.sys
[2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 13:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 01:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 01:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
[2008/04/14 01:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 13:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 01:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 01:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll
[2008/04/14 01:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 13:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 13:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 01:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 01:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll
[2008/04/14 01:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

========== Files - Unicode (All) ==========
[2008/09/05 08:46:34 | 000,000,000 | -H-D | M](C:\WINDOWS\$Nt?ninstallKB951978$) -- C:\WINDOWS\$NtɕninstallKB951978$
[2008/09/05 08:46:32 | 000,000,000 | -H-D | C](C:\WINDOWS\$Nt?ninstallKB951978$) -- C:\WINDOWS\$NtɕninstallKB951978$

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\$NtUninstallKB28338$] -> Error: Cannot create file handle -> Unknown point type

========== Alternate Data Streams ==========

@Alternate Data Stream - 816 bytes -> C:\WINDOWS\3580860670:23564330.exe
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >


OTL Extras logfile created on: 23/10/2011 17:56:40 - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Rick\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1023.48 Mb Total Physical Memory | 265.95 Mb Available Physical Memory | 25.98% Memory free
2.41 Gb Paging File | 1.82 Gb Available in Paging File | 75.76% Paging File free
Paging file location(s): c:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 114.49 Gb Total Space | 37.98 Gb Free Space | 33.17% Space Free | Partition Type: NTFS

Computer Name: HOME | User Name: Rick | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"FirstRunDisabled" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Disabled:RealPlayer
"C:\Program Files\Microsoft Office\Office\FRONTPG.EXE" = C:\Program Files\Microsoft Office\Office\FRONTPG.EXE:*:Enabled:Microsoft FrontPage -- (Microsoft Corporation)
"C:\Program Files\Spotify\spotify.exe" = C:\Program Files\Spotify\spotify.exe:*:Enabled:Spotify -- (Spotify Ltd)
"C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer -- (Microsoft Corporation)
"C:\Program Files\Outlook Express\msimn.exe" = C:\Program Files\Outlook Express\msimn.exe:*:Enabled:Outlook Express -- (Microsoft Corporation)
"C:\Program Files\Microsoft Security Client\msseces.exe" = C:\Program Files\Microsoft Security Client\msseces.exe:*:Enabled:Microsoft Security Client User Interface -- (Microsoft Corporation)
"C:\WINDOWS\system32\msfeedssync.exe" = C:\WINDOWS\system32\msfeedssync.exe:*:Enabled:Microsoft Feeds Synchronization -- (Microsoft Corporation)
"C:\Documents and Settings\Rick\My Documents\Downloaded Programmes\MicrosoftFixit.WinSecurity.Run.exe" = C:\Documents and Settings\Rick\My Documents\Downloaded Programmes\MicrosoftFixit.WinSecurity.Run.exe:*:Enabled:Microsoft Fix it -- (Microsoft Corporation)
"C:\Documents and Settings\Rick\Local Settings\Temporary Internet Files\Content.IE5\P9FNQA1V\MicrosoftFixit.WinSecurity.Run[1].exe" = C:\Documents and Settings\Rick\Local Settings\Temporary Internet Files\Content.IE5\P9FNQA1V\MicrosoftFixit.WinSecurity.Run[1].exe:*:Enabled:Microsoft Fix it
"C:\WINDOWS\Temp\RunBoot-Temp_.85962e62-c6ec-4c3d-952e-f5de2931cbe2\MatsBoot.exe" = C:\WINDOWS\Temp\RunBoot-Temp_.85962e62-c6ec-4c3d-952e-f5de2931cbe2\MatsBoot.exe:*:Enabled:Microsoft Automated Troubleshooting Services BootStrapper
"C:\Documents and Settings\Rick\Local Settings\Temp\MATS-Temp\CABpzdfl5e1.emp\MATSWiz.exe" = C:\Documents and Settings\Rick\Local Settings\Temp\MATS-Temp\CABpzdfl5e1.emp\MATSWiz.exe:*:Enabled:Microsoft Automated Troubleshooting Services Wizard
"C:\Documents and Settings\Rick\Local Settings\Temporary Internet Files\Content.IE5\M43RIM39\MicrosoftFixit.WindowsFirewall.Run[1].exe" = C:\Documents and Settings\Rick\Local Settings\Temporary Internet Files\Content.IE5\M43RIM39\MicrosoftFixit.WindowsFirewall.Run[1].exe:*:Enabled:Microsoft Fix it
"C:\WINDOWS\Temp\RunBoot-Temp_.28e9d385-3c48-4f4a-ad2c-5806d30ac7cc\MatsBoot.exe" = C:\WINDOWS\Temp\RunBoot-Temp_.28e9d385-3c48-4f4a-ad2c-5806d30ac7cc\MatsBoot.exe:*:Enabled:Microsoft Automated Troubleshooting Services BootStrapper
"C:\Documents and Settings\Rick\Local Settings\Temp\MATS-Temp\CABpxijimjw.lsy\MATSWiz.exe" = C:\Documents and Settings\Rick\Local Settings\Temp\MATS-Temp\CABpxijimjw.lsy\MATSWiz.exe:*:Enabled:Microsoft Automated Troubleshooting Services Wizard
"C:\WINDOWS\Temp\RunBoot-Temp_.71a4a2ac-ba56-4c88-9e6a-f31b28082f32\MatsBoot.exe" = C:\WINDOWS\Temp\RunBoot-Temp_.71a4a2ac-ba56-4c88-9e6a-f31b28082f32\MatsBoot.exe:*:Enabled:Microsoft Automated Troubleshooting Services BootStrapper
"C:\WINDOWS\Temp\RunBoot-Temp_.223d4934-834c-4698-82d3-0c87b3bbd608\MatsBoot.exe" = C:\WINDOWS\Temp\RunBoot-Temp_.223d4934-834c-4698-82d3-0c87b3bbd608\MatsBoot.exe:*:Enabled:Microsoft Automated Troubleshooting Services BootStrapper
"C:\Documents and Settings\Rick\Local Settings\Temporary Internet Files\Content.IE5\40SD99KM\MicrosoftFixit.malware.Run[1].exe" = C:\Documents and Settings\Rick\Local Settings\Temporary Internet Files\Content.IE5\40SD99KM\MicrosoftFixit.malware.Run[1].exe:*:Enabled:Microsoft Fix it -- (Microsoft Corporation)
"C:\WINDOWS\Temp\RunBoot-Temp_.889c59b3-14b4-4a97-89c3-97f84a978813\MatsBoot.exe" = C:\WINDOWS\Temp\RunBoot-Temp_.889c59b3-14b4-4a97-89c3-97f84a978813\MatsBoot.exe:*:Enabled:Microsoft Automated Troubleshooting Services BootStrapper
"C:\Documents and Settings\Rick\Local Settings\Temp\MATS-Temp\CABfuthqz4e.xq1\MATSWiz.exe" = C:\Documents and Settings\Rick\Local Settings\Temp\MATS-Temp\CABfuthqz4e.xq1\MATSWiz.exe:*:Enabled:Microsoft Automated Troubleshooting Services Wizard
"C:\f3c4a2d892dbc87bef1ccff1\setup.exe" = C:\f3c4a2d892dbc87bef1ccff1\setup.exe:*:Enabled:Suite Integration Toolkit Executable
"C:\Documents and Settings\Rick\Desktop\321.com" = C:\Documents and Settings\Rick\Desktop\321.com:*:Enabled:TDSS rootkit removing tool
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" = C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware -- ()
"C:\Documents and Settings\Rick\Desktop\virus removal\321.com" = C:\Documents and Settings\Rick\Desktop\virus removal\321.com:*:Enabled:TDSS rootkit removing tool -- (Kaspersky Lab ZAO)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Disc 2
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{05BB2EC5-6BEF-4DDC-9E75-BEE7B161157A}" = Macromedia Dreamweaver MX 2004
"{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
"{0CBE6C93-CB2E-4378-91EE-12BE6D4E2E4A}" = Epson FAX Utility
"{1CCBCF78-EF12-4137-B3CA-99F30A2E7D21}" = CuteFTP 7 Professional
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6A3F9D74-BB80-4451-8CA1-4B3A857F1359}" = Apple Application Support
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{9115E7DB-3B29-445A-802D-11E0AA945B7F}" = Sound Blaster Live!
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A4D7B764-4140-11D4-88EB-0050DA3579C0}" = Nero - Burning Rom
"{A5BA14E0-7384-11D4-BAE7-00409631A2C8}" = Macromedia Extension Manager
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.6
"{AEE9ABDF-CFFD-4CC2-8519-E8ECEB5A2AAF}" = PENTAX USB DISK Device
"{B76D4A7F-FF11-4420-947C-C3AD624B9DBA}" = Jasc Paint Shop Photo Album
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C9E14402-3631-4182-B377-6B0DFB1C0339}" = QuickTime
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}" = getPlus® for Adobe
"{D6F879CC-59D6-4D4B-AE9B-D761E48D25ED}" = Skype™ 5.3
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"AOpen Multimedia Utilities" = AOpen Multimedia Utilities
"CANONBJ_Deinstall_CNMCP4q.DLL" = Canon i9100
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Dan Elwell's Broadband Speed Test_is1" = Dan Elwell's Broadband Speed Test
"DrayTek Router Tools V2.5.3_is1" = DrayTek Router Tools V2.5.3
"E-Mage for Web_is1" = E-Mage for Web v.1.2.1.34
"EPSON BX305 Series" = EPSON BX305 Series Printer Uninstall
"EPSON BX305 Series Manual" = EPSON BX305 Series Manual
"EPSON PC-FAX Driver 2" = Epson PC-FAX Driver
"EPSON Scanner" = EPSON Scan
"Express Thumbnail Creator_is1" = Express Thumbnail Creator 1.72
"HDD Health_is1" = HDD Health v3.3 Beta
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox (3.6.23)" = Mozilla Firefox (3.6.23)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PhotoMark_is1" = PhotoMark 1.3
"Secunia PSI" = Secunia PSI (2.0.0.3003)
"ShareScope Gold 3.7" = ShareScope Gold 3.7
"Spotify" = Spotify
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR 4.01 (32-bit)
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 23/10/2011 06:31:23 | Computer Name = HOME | Source = MsiInstaller | ID = 1023
Description = Product: Microsoft .NET Framework 2.0 Service Pack 2 - Update 'KB2518864'
could not be installed. Error code 1603. Additional information is available in
the log file C:\DOCUME~1\Rick\LOCALS~1\Temp\Microsoft .NET Framework 2.0-KB2518864_20111023_102258125-Msi0.txt.

Error - 23/10/2011 06:31:24 | Computer Name = HOME | Source = HotFixInstaller | ID = 5000
Description = EventType visualstudio8setup, P1 microsoft .net framework 2.0-kb2518864,
P2 1033, P3 1603, P4 msi, P5 f, P6 9.0.40215.0, P7 install, P8 x86, P9 xp, P10
0.

Error - 23/10/2011 07:40:30 | Computer Name = HOME | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0x80070005, P2 mpupdateengine, P3 am fe,
P4 10.3.1781.0, P5 mpsigstub.exe, P6 3.0.8402.0, P7 microsoft security essentials,
P8 NIL, P9 NIL, P10 NIL.

Error - 23/10/2011 07:51:20 | Computer Name = HOME | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0x80070005, P2 mpupdateengine, P3 am fe,
P4 10.3.1781.0, P5 mpsigstub.exe, P6 3.0.8402.0, P7 microsoft security essentials,
P8 NIL, P9 NIL, P10 NIL.

Error - 23/10/2011 07:51:45 | Computer Name = HOME | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0x80070005, P2 mpupdateengine, P3 nis full,
P4 10.3.1781.0, P5 mpsigstub.exe, P6 3.0.8402.0, P7 microsoft security essentials,
P8 NIL, P9 NIL, P10 NIL.

Error - 23/10/2011 08:07:33 | Computer Name = HOME | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0x80070005, P2 mpupdateengine, P3 am fe,
P4 10.3.1781.0, P5 mpsigstub.exe, P6 3.0.8402.0, P7 microsoft security essentials,
P8 NIL, P9 NIL, P10 NIL.

Error - 23/10/2011 08:07:50 | Computer Name = HOME | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0x80070020, P2 mpupdateengine, P3 nis full,
P4 10.3.1781.0, P5 mpsigstub.exe, P6 3.0.8402.0, P7 microsoft security essentials,
P8 NIL, P9 NIL, P10 NIL.

Error - 23/10/2011 08:24:09 | Computer Name = HOME | Source = Microsoft Security Client | ID = 5000
Description =

Error - 23/10/2011 08:26:18 | Computer Name = HOME | Source = Microsoft Security Client | ID = 5000
Description =

Error - 23/10/2011 10:40:14 | Computer Name = HOME | Source = Microsoft Security Client | ID = 5000
Description =

[ System Events ]
Error - 23/10/2011 09:24:34 | Computer Name = HOME | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd

Error - 23/10/2011 10:40:12 | Computer Name = HOME | Source = Service Control Manager | ID = 7000
Description = The Microsoft Antimalware Service service failed to start due to the
following error: %%5

Error - 23/10/2011 13:02:09 | Computer Name = HOME | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 23/10/2011 13:02:10 | Computer Name = HOME | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 23/10/2011 13:02:12 | Computer Name = HOME | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 23/10/2011 13:02:13 | Computer Name = HOME | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 23/10/2011 13:02:57 | Computer Name = HOME | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 23/10/2011 13:02:58 | Computer Name = HOME | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 23/10/2011 13:02:59 | Computer Name = HOME | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 23/10/2011 13:03:01 | Computer Name = HOME | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.


< End of report >

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:03:06 AM

Posted 23 October 2011 - 01:56 PM

  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to give "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Norton or Microsoft Security Essentials.


If you decide to remove Norton here is a tool for removing it.

2.
Please download DummyCreator.zip and unzip it.
  • Run the tool.
  • Copy and paste the following into the edit box:

    C:\WINDOWS\3580860670
  • Press Create button and post the content of the Result.txt.

    Important: Restart the computer.


3.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

4.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while it's running because it may cause it to stall.


Things to include in your next reply:
Results.txt
TdssKiller log
Combofix.txt
How is your machine running now?

Edited by fireman4it, 23 October 2011 - 01:59 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif
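The TDSSKiller log requested in step 3 is normally read by eye. The script below is an added triage example, not part of this thread or of TDSSKiller itself; it assumes the 2.6-era line layout seen in the log the topic starter later posts ("HH:MM:SS.mmmm <tid> <message>", with service entries as "<name> (<md5>) <image path>") and pulls out the signals a helper looks for: files TDSSKiller marks suspicious or infected, a service loading from an NTFS alternate data stream (which Explorer and dir do not show), image paths with an unexpected extension, and randomly named drivers sharing one MD5. The sample log is a constructed excerpt of the thread's own TDSSKiller output.

```python
"""Triage a TDSSKiller log: collect the entries worth a second look.

Added example, not TDSSKiller's or the forum's own code. Assumes the
line format "HH:MM:SS.mmmm <tid> <message>" used by TDSSKiller 2.6.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{4})\s+(\d+)\s+(.*)$")
ENTRY_RE = re.compile(r"^(\S+)\s+\(([0-9a-f]{32})\)\s+(.+)$")
SUSPICIOUS_RE = re.compile(
    r"^Suspicious file \((\w+)\): (.+?)\. md5: ([0-9a-f]{32})$")
VERDICT_RE = re.compile(r"^(\S+) .*- (infected|detected)\b")
# "C:\dir\file:stream": the last path component carries an NTFS alternate
# data stream, which ordinary directory listings do not show.
ADS_RE = re.compile(r"^[A-Za-z]:\\.*:[^\\:]+$")
NORMAL_EXT = {"sys", "exe", "dll"}


def triage(log_text):
    """Return {kind: [detail, ...]} for suspicious, infected, ads,
    odd_extension and duplicate_md5 findings; empty dict if clean."""
    findings = defaultdict(list)
    md5_to_names = defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # banner and separator lines
        body = m.group(3)
        s = SUSPICIOUS_RE.match(body)
        if s:
            kind, path, md5 = s.groups()  # kind: Hidden, NoAccess, ...
            findings["suspicious"].append((kind, path, md5))
            continue
        v = VERDICT_RE.match(body)
        if v:
            findings["infected"].append((v.group(1), body))
            continue
        e = ENTRY_RE.match(body)
        if not e:
            continue                      # "<name> - ok" and similar
        name, md5, path = e.groups()
        md5_to_names[md5].add(name)
        if ADS_RE.match(path):
            findings["ads"].append((name, path))
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if ext not in NORMAL_EXT:
            findings["odd_extension"].append((name, path))
    # Two differently named drivers with one hash is the pattern the
    # numeric-name entries at the top of the posted log show.
    for md5, names in md5_to_names.items():
        if len(names) > 1:
            findings["duplicate_md5"].append((md5, sorted(names)))
    return dict(findings)


# Constructed excerpt of the TDSSKiller log posted later in this thread.
SAMPLE_LOG = r"""
20:20:55.0640 1448 Scan started
20:21:05.0687 1448 40840192 (89fdba391985968401f51a5c577933cd) C:\WINDOWS\system32\drivers\36599821.sys
20:21:06.0093 1448 55597994 (89fdba391985968401f51a5c577933cd) C:\WINDOWS\system32\drivers\30729978.sys
20:21:07.0171 1448 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:21:07.0234 1448 ACPI - ok
20:21:17.0203 1448 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\drivers\tsk4.tmp
20:21:17.0203 1448 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\tsk4.tmp. md5: 1f4260cc5b42272d71f79e570a27a4fe
20:21:26.0046 1448 fe986fd5 (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\3580860670:23564330.exe
20:21:26.0312 1448 Suspicious file (Hidden): C:\WINDOWS\3580860670:23564330.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
20:21:26.0312 1448 fe986fd5 ( Rootkit.Win32.PMax.gen ) - infected
20:21:26.0312 1448 fe986fd5 - detected Rootkit.Win32.PMax.gen (0)
"""

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("   ", item)
```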


#5 riskb

riskb
  • Topic Starter

  • Members
  • 11 posts
  • Local time:08:06 AM

Posted 23 October 2011 - 02:33 PM

Thank you for your help. I've seen that the log says that I am using Norton and Microsoft Security Essentials but it is wrong. I do not have Norton installed on my computer. It was removed over 5 years ago and does not appear in the programme list under Add or Remove Programmes.

DummyCreator by Farbar
Ran by Rick (administrator) on 23-10-2011 at 20:31:25
**************************************************************

C:\WINDOWS\3580860670 [23-10-2011 20:31:25]

== End of log ==

20:20:44.0656 2816 TDSS rootkit removing tool 2.6.12.0 Oct 21 2011 11:23:48
20:20:45.0593 2816 ============================================================
20:20:45.0593 2816 Current date / time: 2011/10/23 20:20:45.0593
20:20:45.0593 2816 SystemInfo:
20:20:45.0593 2816
20:20:45.0593 2816 OS Version: 5.1.2600 ServicePack: 3.0
20:20:45.0593 2816 Product type: Workstation
20:20:45.0609 2816 ComputerName: HOME
20:20:45.0609 2816 UserName: Rick
20:20:45.0609 2816 Windows directory: C:\WINDOWS
20:20:45.0609 2816 System windows directory: C:\WINDOWS
20:20:45.0609 2816 Processor architecture: Intel x86
20:20:45.0609 2816 Number of processors: 1
20:20:45.0609 2816 Page size: 0x1000
20:20:45.0609 2816 Boot type: Normal boot
20:20:45.0609 2816 ============================================================
20:20:45.0671 2816 Initialize success
20:20:55.0640 1448 ============================================================
20:20:55.0640 1448 Scan started
20:20:55.0640 1448 Mode: Manual;
20:20:55.0640 1448 ============================================================
20:21:05.0687 1448 40840192 (89fdba391985968401f51a5c577933cd) C:\WINDOWS\system32\drivers\36599821.sys
20:21:06.0093 1448 55597994 (89fdba391985968401f51a5c577933cd) C:\WINDOWS\system32\drivers\30729978.sys
20:21:06.0140 1448 55597994 - ok
20:21:06.0437 1448 Abiosdsk - ok
20:21:06.0750 1448 abp480n5 - ok
20:21:07.0171 1448 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:21:07.0234 1448 ACPI - ok
20:21:07.0578 1448 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
20:21:07.0593 1448 ACPIEC - ok
20:21:07.0906 1448 adpu160m - ok
20:21:08.0281 1448 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
20:21:08.0343 1448 aec - ok
20:21:08.0734 1448 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
20:21:08.0796 1448 AFD - ok
20:21:09.0093 1448 Aha154x - ok
20:21:09.0390 1448 aic78u2 - ok
20:21:09.0718 1448 aic78xx - ok
20:21:10.0062 1448 AliIde - ok
20:21:10.0406 1448 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
20:21:10.0421 1448 AmdK7 - ok
20:21:10.0718 1448 amsint - ok
20:21:11.0031 1448 asc - ok
20:21:11.0328 1448 asc3350p - ok
20:21:11.0640 1448 asc3550 - ok
20:21:12.0015 1448 Aspi32 (ed8cee58c1e4c5893f5b2fd686a272bf) C:\WINDOWS\system32\drivers\Aspi32.sys
20:21:12.0031 1448 Aspi32 - ok
20:21:12.0390 1448 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
20:21:12.0390 1448 AsyncMac - ok
20:21:12.0734 1448 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
20:21:12.0781 1448 atapi - ok
20:21:13.0078 1448 Atdisk - ok
20:21:13.0437 1448 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
20:21:13.0468 1448 Atmarpc - ok
20:21:13.0828 1448 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
20:21:13.0828 1448 audstub - ok
20:21:14.0171 1448 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
20:21:14.0187 1448 Beep - ok
20:21:14.0609 1448 BELKIN (218cf47c3c6fd72be1eae51b426ca99d) C:\WINDOWS\system32\DRIVERS\BLKWGU.sys
20:21:14.0734 1448 BELKIN - ok
20:21:15.0312 1448 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
20:21:15.0421 1448 cbidf2k - ok
20:21:15.0796 1448 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
20:21:15.0812 1448 CCDECODE - ok
20:21:16.0109 1448 cd20xrnt - ok
20:21:16.0437 1448 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
20:21:16.0453 1448 Cdaudio - ok
20:21:16.0812 1448 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
20:21:16.0828 1448 Cdfs - ok
20:21:17.0203 1448 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\drivers\tsk4.tmp
20:21:17.0203 1448 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\tsk4.tmp. md5: 1f4260cc5b42272d71f79e570a27a4fe
20:21:17.0515 1448 Changer - ok
20:21:17.0921 1448 CmdIde - ok
20:21:18.0250 1448 Cpqarray - ok
20:21:18.0656 1448 ctac32k (4b6096745f72b4fd36514617e2ea5d37) C:\WINDOWS\system32\drivers\ctac32k.sys
20:21:18.0718 1448 ctac32k - ok
20:21:19.0359 1448 ctaud2k (3576ec792347ed15699f6d830e0f5437) C:\WINDOWS\system32\drivers\ctaud2k.sys
20:21:19.0687 1448 ctaud2k - ok
20:21:20.0015 1448 ctljystk (71007bd2e1e26927fe3e4eb00c0beedf) C:\WINDOWS\system32\DRIVERS\ctljystk.sys
20:21:20.0015 1448 ctljystk - ok
20:21:20.0328 1448 ctprxy2k (097d42574e3c6d98cd5a2ee7647fa6bf) C:\WINDOWS\system32\drivers\ctprxy2k.sys
20:21:20.0328 1448 ctprxy2k - ok
20:21:20.0734 1448 ctsfm2k (c58a2507ef62b20b9bd670c666088b50) C:\WINDOWS\system32\drivers\ctsfm2k.sys
20:21:20.0812 1448 ctsfm2k - ok
20:21:21.0093 1448 dac2w2k - ok
20:21:21.0406 1448 dac960nt - ok
20:21:21.0765 1448 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
20:21:21.0781 1448 Disk - ok
20:21:22.0406 1448 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
20:21:22.0718 1448 dmboot - ok
20:21:23.0109 1448 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
20:21:23.0187 1448 dmio - ok
20:21:23.0515 1448 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
20:21:23.0531 1448 dmload - ok
20:21:23.0875 1448 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
20:21:23.0906 1448 DMusic - ok
20:21:24.0234 1448 dpti2o - ok
20:21:24.0546 1448 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
20:21:24.0546 1448 drmkaud - ok
20:21:25.0000 1448 emupia (a9d94b89372f3f9609a1a5eec631a260) C:\WINDOWS\system32\drivers\emupia2k.sys
20:21:25.0046 1448 emupia - ok
20:21:25.0500 1448 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
20:21:25.0562 1448 Fastfat - ok
20:21:25.0906 1448 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
20:21:25.0906 1448 Fdc - ok
20:21:26.0046 1448 fe986fd5 (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\3580860670:23564330.exe
20:21:26.0312 1448 Suspicious file (Hidden): C:\WINDOWS\3580860670:23564330.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
20:21:26.0312 1448 fe986fd5 ( Rootkit.Win32.PMax.gen ) - infected
20:21:26.0312 1448 fe986fd5 - detected Rootkit.Win32.PMax.gen (0)
20:21:26.0671 1448 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
20:21:26.0703 1448 Fips - ok
20:21:27.0015 1448 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
20:21:27.0031 1448 Flpydisk - ok
20:21:27.0375 1448 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
20:21:27.0421 1448 FltMgr - ok
20:21:27.0765 1448 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
20:21:27.0765 1448 Fs_Rec - ok
20:21:28.0109 1448 FTD2XX (b907d2b20db2f6392995f5379e2a9666) C:\WINDOWS\system32\Drivers\FTD2XX.sys
20:21:28.0125 1448 FTD2XX - ok
20:21:28.0468 1448 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
20:21:28.0515 1448 Ftdisk - ok
20:21:28.0828 1448 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
20:21:28.0843 1448 gameenum - ok
20:21:29.0203 1448 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:21:29.0218 1448 Gpc - ok
20:21:29.0968 1448 ha10kx2k (dc9847cdc43665ed4cc780947516209c) C:\WINDOWS\system32\drivers\ha10kx2k.sys
20:21:30.0375 1448 ha10kx2k - ok
20:21:30.0718 1448 hpn - ok
20:21:31.0171 1448 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
20:21:31.0265 1448 HTTP - ok
20:21:31.0609 1448 i2omgmt - ok
20:21:31.0921 1448 i2omp - ok
20:21:32.0281 1448 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
20:21:32.0296 1448 i8042prt - ok
20:21:32.0640 1448 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
20:21:32.0656 1448 Imapi - ok
20:21:33.0015 1448 ini910u - ok
20:21:33.0328 1448 IntelIde - ok
20:21:33.0906 1448 Intels51 (eb6d8e9cd813596b6d59d878337a4998) C:\WINDOWS\system32\DRIVERS\Intels51.sys
20:21:34.0156 1448 Intels51 - ok
20:21:34.0484 1448 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
20:21:34.0500 1448 ip6fw - ok
20:21:34.0828 1448 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
20:21:34.0843 1448 IpFilterDriver - ok
20:21:35.0203 1448 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
20:21:35.0203 1448 IpInIp - ok
20:21:35.0562 1448 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
20:21:35.0625 1448 IpNat - ok
20:21:35.0984 1448 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
20:21:36.0015 1448 IPSec - ok
20:21:36.0343 1448 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
20:21:36.0343 1448 IRENUM - ok
20:21:36.0687 1448 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
20:21:36.0703 1448 isapnp - ok
20:21:37.0031 1448 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
20:21:37.0046 1448 Kbdclass - ok
20:21:37.0421 1448 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
20:21:37.0484 1448 kmixer - ok
20:21:37.0828 1448 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
20:21:37.0875 1448 KSecDD - ok
20:21:38.0187 1448 Lbd - ok
20:21:38.0500 1448 lbrtfdc - ok
20:21:38.0875 1448 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
20:21:38.0890 1448 mnmdd - ok
20:21:39.0234 1448 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
20:21:39.0250 1448 Modem - ok
20:21:39.0593 1448 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
20:21:39.0609 1448 MODEMCSA - ok
20:21:39.0953 1448 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
20:21:39.0984 1448 Mouclass - ok
20:21:40.0312 1448 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
20:21:40.0328 1448 MountMgr - ok
20:21:40.0765 1448 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
20:21:40.0828 1448 MpFilter - ok
20:21:40.0953 1448 MpKsl7c8e2c69 - ok
20:21:40.0984 1448 MpKsl7c976458 - ok
20:21:41.0031 1448 MpKsla1e86245 - ok
20:21:41.0078 1448 MpKsldf15d818 - ok
20:21:41.0406 1448 mraid35x - ok
20:21:41.0468 1448 MRENDIS5 - ok
20:21:41.0875 1448 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:21:41.0953 1448 MRxDAV - ok
20:21:42.0453 1448 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:21:42.0640 1448 MRxSmb - ok
20:21:42.0984 1448 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
20:21:43.0000 1448 Msfs - ok
20:21:43.0562 1448 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:21:43.0640 1448 MSKSSRV - ok
20:21:43.0984 1448 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:21:43.0984 1448 MSPCLOCK - ok
20:21:44.0359 1448 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
20:21:44.0453 1448 MSPQM - ok
20:21:45.0062 1448 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:21:45.0078 1448 mssmbios - ok
20:21:45.0390 1448 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
20:21:45.0390 1448 MSTEE - ok
20:21:45.0781 1448 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
20:21:45.0828 1448 Mup - ok
20:21:46.0296 1448 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
20:21:46.0343 1448 NABTSFEC - ok
20:21:46.0796 1448 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
20:21:46.0906 1448 NDIS - ok
20:21:47.0234 1448 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
20:21:47.0250 1448 NdisIP - ok
20:21:47.0578 1448 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:21:47.0578 1448 NdisTapi - ok
20:21:48.0078 1448 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:21:48.0093 1448 Ndisuio - ok
20:21:48.0453 1448 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:21:48.0500 1448 NdisWan - ok
20:21:48.0843 1448 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
20:21:48.0859 1448 NDProxy - ok
20:21:49.0203 1448 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
20:21:49.0218 1448 NetBIOS - ok
20:21:49.0593 1448 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
20:21:49.0656 1448 NetBT - ok
20:21:50.0000 1448 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
20:21:50.0015 1448 Npfs - ok
20:21:50.0562 1448 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
20:21:51.0000 1448 Ntfs - ok
20:21:51.0343 1448 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
20:21:51.0343 1448 Null - ok
20:21:52.0593 1448 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
20:21:53.0484 1448 nv - ok
20:21:53.0812 1448 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
20:21:53.0828 1448 NwlnkFlt - ok
20:21:54.0156 1448 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
20:21:54.0171 1448 NwlnkFwd - ok
20:21:54.0562 1448 ossrv (f29184bdc81c398b6027a67ff6a19895) C:\WINDOWS\system32\drivers\ctoss2k.sys
20:21:54.0640 1448 ossrv - ok
20:21:54.0937 1448 PAC207 - ok
20:21:55.0328 1448 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
20:21:55.0359 1448 Parport - ok
20:21:55.0671 1448 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
20:21:55.0703 1448 PartMgr - ok
20:21:56.0031 1448 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
20:21:56.0031 1448 ParVdm - ok
20:21:56.0390 1448 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
20:21:56.0421 1448 PCI - ok
20:21:56.0781 1448 PCIDump - ok
20:21:57.0078 1448 PCIIde - ok
20:21:57.0421 1448 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
20:21:57.0468 1448 Pcmcia - ok
20:21:57.0765 1448 PDCOMP - ok
20:21:58.0171 1448 PDFRAME - ok
20:21:58.0468 1448 PDRELI - ok
20:21:58.0765 1448 PDRFRAME - ok
20:21:59.0062 1448 perc2 - ok
20:21:59.0359 1448 perc2hib - ok
20:21:59.0640 1448 PfModNT (2f5532f9b0f903b26847da674b4f55b2) C:\WINDOWS\system32\PfModNT.sys
20:21:59.0812 1448 PfModNT - ok
20:22:00.0156 1448 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:22:00.0171 1448 PptpMiniport - ok
20:22:00.0546 1448 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
20:22:00.0578 1448 PSched - ok
20:22:01.0093 1448 PSI (d24dfd16a1e2a76034df5aa18125c35d) C:\WINDOWS\system32\DRIVERS\psi_mf.sys
20:22:01.0109 1448 PSI - ok
20:22:01.0578 1448 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:22:01.0578 1448 Ptilink - ok
20:22:02.0390 1448 ql1080 - ok
20:22:02.0687 1448 Ql10wnt - ok
20:22:03.0062 1448 ql12160 - ok
20:22:03.0359 1448 ql1240 - ok
20:22:03.0656 1448 ql1280 - ok
20:22:04.0046 1448 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:22:04.0046 1448 RasAcd - ok
20:22:04.0406 1448 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:22:04.0421 1448 Rasl2tp - ok
20:22:04.0750 1448 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:22:04.0765 1448 RasPppoe - ok
20:22:05.0093 1448 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
20:22:05.0093 1448 Raspti - ok
20:22:05.0500 1448 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:22:05.0578 1448 Rdbss - ok
20:22:05.0875 1448 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:22:05.0875 1448 RDPCDD - ok
20:22:06.0250 1448 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
20:22:06.0312 1448 RDPWD - ok
20:22:06.0656 1448 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
20:22:06.0671 1448 redbook - ok
20:22:07.0015 1448 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
20:22:07.0031 1448 ROOTMODEM - ok
20:22:07.0375 1448 rtl8139 (8be348f9aeeb4da0005b7f500f46f6ad) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
20:22:07.0390 1448 rtl8139 - ok
20:22:07.0781 1448 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:22:07.0781 1448 Secdrv - ok
20:22:08.0562 1448 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
20:22:08.0562 1448 serenum - ok
20:22:09.0031 1448 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
20:22:09.0046 1448 Serial - ok
20:22:09.0484 1448 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
20:22:09.0500 1448 Sfloppy - ok
20:22:09.0812 1448 Simbad - ok
20:22:10.0125 1448 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
20:22:10.0140 1448 SLIP - ok
20:22:10.0453 1448 Sparrow - ok
20:22:10.0890 1448 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
20:22:10.0890 1448 splitter - ok
20:22:11.0250 1448 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
20:22:11.0281 1448 sr - ok
20:22:11.0921 1448 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
20:22:12.0062 1448 Srv - ok
20:22:12.0468 1448 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
20:22:12.0484 1448 streamip - ok
20:22:12.0796 1448 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
20:22:12.0796 1448 swenum - ok
20:22:13.0343 1448 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
20:22:13.0359 1448 swmidi - ok
20:22:13.0656 1448 symc810 - ok
20:22:13.0953 1448 symc8xx - ok
20:22:14.0453 1448 sym_hi - ok
20:22:14.0765 1448 sym_u3 - ok
20:22:15.0343 1448 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
20:22:15.0453 1448 sysaudio - ok
20:22:16.0171 1448 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:22:16.0328 1448 Tcpip - ok
20:22:16.0718 1448 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
20:22:16.0734 1448 TDPIPE - ok
20:22:17.0078 1448 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
20:22:17.0093 1448 TDTCP - ok
20:22:17.0453 1448 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
20:22:17.0468 1448 TermDD - ok
20:22:17.0796 1448 TosIde - ok
20:22:18.0265 1448 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
20:22:18.0296 1448 Udfs - ok
20:22:18.0671 1448 ultra - ok
20:22:19.0250 1448 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
20:22:19.0421 1448 Update - ok
20:22:19.0812 1448 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
20:22:19.0843 1448 usbccgp - ok
20:22:20.0265 1448 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
20:22:20.0281 1448 usbehci - ok
20:22:20.0703 1448 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
20:22:20.0718 1448 usbhub - ok
20:22:21.0062 1448 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
20:22:21.0078 1448 usbprint - ok
20:22:21.0421 1448 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
20:22:21.0421 1448 usbscan - ok
20:22:21.0781 1448 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:22:21.0781 1448 USBSTOR - ok
20:22:22.0125 1448 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
20:22:22.0140 1448 usbuhci - ok
20:22:22.0515 1448 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
20:22:22.0640 1448 usbvideo - ok
20:22:23.0109 1448 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
20:22:23.0125 1448 VgaSave - ok
20:22:23.0734 1448 viaagp1 - ok
20:22:24.0750 1448 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
20:22:24.0750 1448 ViaIde - ok
20:22:25.0078 1448 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
20:22:25.0109 1448 VolSnap - ok
20:22:25.0437 1448 vulfnths (16409c468ceee99b6b129fcaa5c0f206) C:\WINDOWS\System32\Drivers\vulfnth.sys
20:22:25.0453 1448 vulfnths - ok
20:22:25.0828 1448 vulfntrs (e76fb35e30fb885124479a4a0aca3923) C:\WINDOWS\System32\Drivers\vulfntr.sys
20:22:25.0828 1448 vulfntrs - ok
20:22:26.0203 1448 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
20:22:26.0218 1448 Wanarp - ok
20:22:26.0546 1448 WDICA - ok
20:22:26.0890 1448 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
20:22:26.0921 1448 wdmaud - ok
20:22:26.0968 1448 WINIO - ok
20:22:27.0437 1448 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
20:22:27.0453 1448 WSTCODEC - ok
20:22:27.0812 1448 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
20:22:27.0859 1448 WudfPf - ok
20:22:27.0968 1448 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
20:22:28.0187 1448 \Device\Harddisk0\DR0 - ok
20:22:28.0218 1448 Boot (0x1200) (67a246577f716f55b55fca261f432905) \Device\Harddisk0\DR0\Partition0
20:22:28.0218 1448 \Device\Harddisk0\DR0\Partition0 - ok
20:22:28.0234 1448 ============================================================
20:22:28.0234 1448 Scan finished
20:22:28.0234 1448 ============================================================
20:22:28.0265 0236 Detected object count: 1
20:22:28.0265 0236 Actual detected object count: 1
20:22:36.0609 0236 HKLM\SYSTEM\ControlSet001\services\fe986fd5 - will be deleted on reboot
20:22:36.0609 0236 HKLM\SYSTEM\ControlSet003\services\fe986fd5 - will be deleted on reboot
20:22:36.0609 0236 C:\WINDOWS\3580860670:23564330.exe - will be deleted on reboot
20:22:36.0609 0236 fe986fd5 ( Rootkit.Win32.PMax.gen ) - User select action: Delete

I am having to reboot so I'll download and run ComboFix when it restarts.

#6 riskb (Topic Starter, Members, 11 posts)

Posted 23 October 2011 - 03:23 PM

I cannot run ComboFix as it is telling me to close both Norton and Security Essentials. I cannot get access to Security Essentials as the virus is blocking me. I can remove it completely but cannot remove Norton (Symantec) as it is not in the list of programmes. Should I run ComboFix even though it is warning me?

#7 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 23 October 2011 - 04:44 PM

Should I run ComboFix even though it is warning me?

Yes, go ahead and run it.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


#8 riskb (Topic Starter, Members, 11 posts)

Posted 23 October 2011 - 06:18 PM

ComboFix 11-10-23.02 - Rick 23/10/2011 23:19:18.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.691 [GMT 1:00]
Running from: c:\documents and settings\Rick\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Rick\Application Data\Microsoft\Internet Explorer\Quick Launch\System Repair.lnk
c:\documents and settings\Rick\WINDOWS
c:\program files\messenger\msmsgsin.exe
c:\program files\msn\msncorefiles\custdial.dll
c:\program files\msn\msncorefiles\logonmgr.dll
c:\windows\$NtUninstallKB28338$
c:\windows\$NtUninstallKB28338$\2882558330
c:\windows\$NtUninstallKB28338$\4271402965\@
c:\windows\$NtUninstallKB28338$\4271402965\L\jagiexyo
c:\windows\$NtUninstallKB28338$\4271402965\loader.tlb
c:\windows\$NtUninstallKB28338$\4271402965\U\@00000001
c:\windows\$NtUninstallKB28338$\4271402965\U\@000000c0
c:\windows\$NtUninstallKB28338$\4271402965\U\@000000cb
c:\windows\$NtUninstallKB28338$\4271402965\U\@000000cf
c:\windows\$NtUninstallKB28338$\4271402965\U\@80000000
c:\windows\$NtUninstallKB28338$\4271402965\U\@800000c0
c:\windows\$NtUninstallKB28338$\4271402965\U\@800000cb
c:\windows\$NtUninstallKB28338$\4271402965\U\@800000cf
c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}
c:\windows\3580860670
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\DOWNLO~1\EWIDoo~1.dll
c:\windows\help\tours\htmltour\unlock_playing.htm
c:\windows\system32\
c:\windows\system32\Data
c:\windows\system32\Data\CT0060W.DAT
c:\windows\system32\Data\CTP0060W.DAT
c:\windows\system32\Data\CTP0061W.DAT
c:\windows\system32\Data\CTP0070W.DAT
c:\windows\system32\Data\CTP0073W.DAT
c:\windows\system32\Data\CTP0090W.DAT
c:\windows\system32\Data\CTP0091W.DAT
c:\windows\system32\Data\CTP0092W.DAT
c:\windows\system32\Data\CTP0095W.DAT
c:\windows\system32\Data\CTP0100W.DAT
c:\windows\system32\Data\CTP0101W.DAT
c:\windows\system32\Data\CTP0102W.DAT
c:\windows\system32\Data\CTP0103W.DAT
c:\windows\system32\Data\CTP0105W.DAT
c:\windows\system32\Data\CTP0161W.DAT
c:\windows\system32\Data\CTP0162W.DAT
c:\windows\system32\Data\CTP0191W.DAT
c:\windows\system32\Data\CTP0192W.DAT
c:\windows\system32\Data\CTP0221W.DAT
c:\windows\system32\Data\CTP0222W.DAT
c:\windows\system32\Data\CTP0230W.DAT
c:\windows\system32\Data\CTP0231W.DAT
c:\windows\system32\Data\CTP0232W.DAT
c:\windows\system32\Data\CTP0238W.DAT
c:\windows\system32\Data\CTP1140W.DAT
c:\windows\system32\Data\CTP4620W.DAT
c:\windows\system32\Data\CTP4670W.DAT
c:\windows\system32\Data\CTP4760W.DAT
c:\windows\system32\Data\CTP4780W.DAT
c:\windows\system32\Data\CTP4790W.DAT
c:\windows\system32\Data\CTP4820W.DAT
c:\windows\system32\Data\CTP4830W.DAT
c:\windows\system32\Data\CTP4831W.DAT
c:\windows\system32\Data\CTP4832W.DAT
c:\windows\system32\Data\CTP4840W.DAT
c:\windows\system32\Data\CTP4850W.DAT
c:\windows\system32\Data\CTP4870W.DAT
c:\windows\system32\Data\CTP4871W.DAT
c:\windows\system32\Data\CTP4872W.DAT
c:\windows\system32\Data\CTP4890W.DAT
c:\windows\system32\Data\CTP4891W.DAT
c:\windows\system32\Data\CTP4893W.DAT
c:\windows\system32\Data\CTPDXW.DAT
c:\windows\system32\Data\CTPM002W.DAT
c:\windows\system32\Data\CTSBAS2W.DAT
c:\windows\system32\Data\CTSBASW.DAT
c:\windows\system32\ie.ico
c:\windows\system32\open.ico
c:\windows\system32\regobj.dll
c:\windows\tsoc.log
.
.
((((((((((((((((((((((((( Files Created from 2011-09-23 to 2011-10-23 )))))))))))))))))))))))))))))))
.
.
2011-10-23 23:03 . 2011-10-23 23:03 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EDECADBD-7E4D-41FD-98E4-243878A177F2}\offreg.dll
2011-10-23 21:13 . 2008-04-13 18:40 57600 -c--a-w- c:\windows\system32\dllcache\redbook.sys
2011-10-23 21:13 . 2008-04-13 18:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-10-23 20:49 . 2011-09-12 15:14 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-10-23 20:47 . 2011-10-06 19:48 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EDECADBD-7E4D-41FD-98E4-243878A177F2}\mpengine.dll
2011-10-23 19:53 . 2011-10-23 19:53 57600 ----a-w- c:\windows\system32\drivers\tsk2.tmp
2011-10-23 13:06 . 2011-10-23 13:06 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-23 12:07 . 2011-10-23 12:07 -------- d-----w- C:\30d1008ff53c50dbec
2011-10-23 12:07 . 2011-10-23 12:07 -------- d-----w- C:\4e5ad103b054a67c86913f63d6b563
2011-10-23 11:11 . 2011-10-23 11:11 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\PCHealth
2011-10-23 08:15 . 2011-10-23 08:15 -------- d-----w- c:\windows\system32\XPSViewer
2011-10-23 08:15 . 2011-10-23 08:15 -------- d-----w- c:\program files\MSBuild
2011-10-23 08:14 . 2011-10-23 08:14 -------- d-----w- c:\program files\Reference Assemblies
2011-10-23 08:14 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-10-23 08:13 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-10-23 08:13 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-10-23 08:13 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-10-23 08:13 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-10-23 08:13 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-10-23 08:13 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-10-23 08:13 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-10-23 08:13 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-10-23 08:13 . 2011-10-23 08:14 -------- d-----w- C:\1f27ee4e5fd3dee36580a9851c3c6f7a
2011-10-22 08:42 . 2011-10-22 08:42 -------- d-----w- c:\documents and settings\Rick\Application Data\ElevatedDiagnostics
2011-10-21 21:41 . 2011-10-21 21:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\UserData
2011-10-21 21:41 . 2011-10-21 21:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-10-21 21:41 . 2011-10-21 21:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-10-21 21:07 . 2011-10-21 21:07 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2011-10-21 21:06 . 2011-10-23 20:20 -------- d-----w- c:\program files\Microsoft Security Client
2011-10-21 20:17 . 2011-10-23 21:33 -------- d-sh--w- c:\documents and settings\Rick\Local Settings\Application Data\fe986fd5
2011-09-26 10:41 . 2011-09-26 10:41 611328 ------w- c:\windows\system32\uiautomationcore.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-23 19:46 . 2004-08-04 12:00 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-10-23 19:39 . 2004-08-04 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-10-23 13:22 . 2004-08-03 22:59 37760 ----a-w- c:\windows\system32\drivers\amdk7.sys
2011-10-23 13:14 . 2004-08-04 12:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-10-23 12:51 . 2004-08-04 12:00 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-09-26 10:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-23 07:30 . 2011-05-17 05:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 16:00 . 2011-07-21 14:45 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2007-08-25 03:52 . 2008-06-17 06:57 300400 -c--a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 24576]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 28672]
"NeroCheck"="c:\windows\System32\\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-12-03 847872]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-4-19 291896]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\FRONTPG.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Microsoft Security Client\\msseces.exe"=
"c:\\WINDOWS\\system32\\msfeedssync.exe"=
"c:\\Documents and Settings\\Rick\\My Documents\\Downloaded Programmes\\MicrosoftFixit.WinSecurity.Run.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\Rick\\Desktop\\virus removal\\321.com"=
.
R2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE [19/02/2011 21:07 153408]
R2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE [19/02/2011 21:07 121552]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [19/04/2011 07:44 986808]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [19/04/2011 07:44 392640]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [01/09/2010 09:30 15544]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 MpKsl7c8e2c69;MpKsl7c8e2c69;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{76FCE1B8-F570-4B36-B132-FFADA0B692DE}\MpKsl7c8e2c69.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{76FCE1B8-F570-4B36-B132-FFADA0B692DE}\MpKsl7c8e2c69.sys [?]
S1 MpKsl7c976458;MpKsl7c976458;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8B15260A-ECCB-4DB7-B322-5A7A3D5CCD1D}\MpKsl7c976458.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8B15260A-ECCB-4DB7-B322-5A7A3D5CCD1D}\MpKsl7c976458.sys [?]
S1 MpKsla1e86245;MpKsla1e86245;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8CFBF510-FFBB-4AD6-945A-B7CF9B2B73A5}\MpKsla1e86245.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8CFBF510-FFBB-4AD6-945A-B7CF9B2B73A5}\MpKsla1e86245.sys [?]
S1 MpKsldf15d818;MpKsldf15d818;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{66BACE96-A3FF-4902-A681-7590A607F317}\MpKsldf15d818.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{66BACE96-A3FF-4902-A681-7590A607F317}\MpKsldf15d818.sys [?]
S3 BELKIN;Belkin Wireless G USB Network Adapter;c:\windows\system32\drivers\BLKWGU.sys [27/08/2009 10:42 238848]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [15/03/2005 20:10 24197]
S3 PAC207;Trust WB-1400T Webcam;c:\windows\system32\DRIVERS\pfc027.sys --> c:\windows\system32\DRIVERS\pfc027.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2011-10-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 14:39]
.
2011-10-23 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 14:39]
.
2011-10-23 c:\windows\Tasks\User_Feed_Synchronization-{A03EDEDB-B42A-4A2A-878A-882E468B7885}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Rick\Application Data\Mozilla\Firefox\Profiles\jede2t6e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Adobe Acrobat Synchronizer - c:\program files\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe
HKLM-Run-Syslog - (no file)
HKLM-Run-Motive SmartBridge - c:\progra~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
HKLM-Run-btbb_wcm_McciTrayApp - c:\program files\btbb_wcm\McciTrayApp.exe
HKLM-Run-MsgCenterExe - c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
SafeBoot-40840192.sys
SafeBoot-46102136.sys
SafeBoot-46612158.sys
SafeBoot-52363720.sys
SafeBoot-55597994.sys
SafeBoot-66417861.sys
SafeBoot-72240464.sys
SafeBoot-85108843.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-24 00:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run???h???\????????\?w? ?w???????w???w4???????.??w4???????4????>?s4????????&3?????\??? ??? ???\???\???????????5?B~e?B~\???\?????????_??????C@?\???\???$??s????\??????s\????&3?5??s?&3??C@?x???`|?w\?????@
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]
"ImagePath"="system32\drivers\tsk2.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1935655697-606747145-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1935655697-606747145-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*J*P*G \OpenWithList]
@Class="Shell"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(196)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\System32\CTsvcCDA.exe
c:\windows\System32\PAStiSvc.exe
c:\windows\System32\MsPMSPSv.exe
.
**************************************************************************
.
Completion time: 2011-10-24 00:14:38 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-23 23:14
.
Pre-Run: 40,546,115,584 bytes free
Post-Run: 41,243,750,400 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /noexecute=optin
.
- - End Of File - - ED02047D7CD6B109ED92FFFD33D6337D

#9 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:03:06 AM

Posted 23 October 2011 - 06:49 PM

Hello,

Looks like we got the main culprit. We have a little more work to do though.



1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\windows\system32\drivers\tsk2.tmp

Folder::
c:\documents and settings\Rick\Local Settings\Application Data\fe986fd5

ClearJavaCache:: 

Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]
"ImagePath"="c:\windows\system32\DRIVERS\redbook.sys"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

Driver::
MpKsldf15d818
MpKsla1e86245
MpKsl7c976458
MpKsl7c8e2c69
Lbd
PAC207

SecCenter::
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript.txt onto ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


2.
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

Things to include in your next reply::
Combofix.txt
MBAM log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!

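The Registry:: section of the CFScript above puts the redbook service's ImagePath back to redbook.sys after the earlier log showed it pointing at system32\drivers\tsk2.tmp. The following Python script is an added example, not code from this thread or from ComboFix, showing how a defender can audit a REGEDIT4-style service export for that kind of hijack: it parses the ImagePath value under each Services key and flags entries whose target has a non-driver extension or differs from the file name expected for that service. The sample export, the KNOWN_DRIVERS baseline and every function name are constructed for this example.

```python
"""Audit service ImagePath values in a REGEDIT4-style export for hijacked driver entries."""
import re

# Constructed sample export (not a real system dump). The redbook entry mirrors the
# value seen in the ComboFix log above; the other two entries are healthy controls.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]
"ImagePath"="system32\drivers\tsk2.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdrom]
"ImagePath"="system32\DRIVERS\cdrom.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MBAMSwissArmy]
"ImagePath"="\??\c:\windows\system32\drivers\mbamswissarmy.sys"
"""

# Assumed baseline: the binary each stock Windows XP service is expected to load.
# In practice this table would be built from a known-clean machine of the same build.
KNOWN_DRIVERS = {
    "redbook": "redbook.sys",
    "cdrom": "cdrom.sys",
}

# Extensions a service ImagePath legitimately points at (kernel driver or service exe).
DRIVER_EXTENSIONS = {"sys", "exe"}

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]\\]+)\]$", re.I
)
VALUE_RE = re.compile(r'^"ImagePath"="(.*)"$')


def parse_image_paths(export_text):
    """Map service name -> ImagePath string for every Services key in the export."""
    paths = {}
    current_service = None
    for raw in export_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_service = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_service:
            paths[current_service] = value_match.group(1)
    return paths


def audit_image_path(service, image_path):
    """Return a list of findings (empty when the entry looks normal)."""
    findings = []
    # Take the last path component; ImagePath may carry a \??\ NT prefix or be relative.
    file_name = image_path.replace("/", "\\").rsplit("\\", 1)[-1]
    extension = file_name.lower().rsplit(".", 1)[-1] if "." in file_name else ""
    if extension not in DRIVER_EXTENSIONS:
        findings.append(f"unexpected extension .{extension}")
    expected = KNOWN_DRIVERS.get(service.lower())
    if expected and file_name.lower() != expected:
        findings.append(f"expected {expected}, got {file_name}")
    return findings


def audit(export_text):
    """Run audit_image_path over every parsed service; keep only services with findings."""
    results = {}
    for service, image_path in parse_image_paths(export_text).items():
        findings = audit_image_path(service, image_path)
        if findings:
            results[service] = findings
    return results


if __name__ == "__main__":
    for service, findings in audit(SAMPLE_REG_EXPORT).items():
        print(f"{service}: {'; '.join(findings)}")
```

Run against the sample, only redbook is reported, for both reasons: a .tmp file is never a legitimate driver image, and the name differs from the baseline redbook.sys. The baseline check is the one that survives a renamed payload with a plausible .sys extension, which is why the table of expected file names matters more than the extension heuristic.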

#10 riskb

riskb
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:08:06 AM

Posted 24 October 2011 - 04:35 AM

Good morning again, hope you are well today. Both files pasted below as requested.

It seems to be running fine. I'll be using it a lot today so I'll see how it goes.

ComboFix 11-10-24.01 - Rick 24/10/2011 8:59.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.547 [GMT 1:00]
Running from: c:\documents and settings\Rick\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rick\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\windows\system32\drivers\tsk2.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Rick\Local Settings\Application Data\fe986fd5
c:\documents and settings\Rick\Local Settings\Application Data\fe986fd5\@
c:\windows\system32\drivers\tsk2.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_LBD
-------\Legacy_MPKSL7C8E2C69
-------\Legacy_MPKSL7C976458
-------\Legacy_MPKSLA1E86245
-------\Legacy_MPKSLDF15D818
-------\Service_Lbd
-------\Service_MpKsl7c8e2c69
-------\Service_MpKsl7c976458
-------\Service_MpKsla1e86245
-------\Service_MpKsldf15d818
-------\Service_PAC207
.
.
((((((((((((((((((((((((( Files Created from 2011-09-24 to 2011-10-24 )))))))))))))))))))))))))))))))
.
.
2011-10-24 08:30 . 2011-10-24 08:30 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FE5B9DF-B8B9-4A05-A2EB-F098A041A38C}\offreg.dll
2011-10-23 23:32 . 2011-10-23 23:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-23 23:32 . 2011-08-31 16:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-23 23:21 . 2011-10-06 19:48 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FE5B9DF-B8B9-4A05-A2EB-F098A041A38C}\mpengine.dll
2011-10-23 21:13 . 2008-04-13 18:40 57600 -c--a-w- c:\windows\system32\dllcache\redbook.sys
2011-10-23 21:13 . 2008-04-13 18:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-10-23 20:49 . 2011-10-06 19:48 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-10-23 12:07 . 2011-10-23 12:07 -------- d-----w- C:\30d1008ff53c50dbec
2011-10-23 12:07 . 2011-10-23 12:07 -------- d-----w- C:\4e5ad103b054a67c86913f63d6b563
2011-10-23 11:11 . 2011-10-23 11:11 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\PCHealth
2011-10-23 08:15 . 2011-10-23 08:15 -------- d-----w- c:\windows\system32\XPSViewer
2011-10-23 08:15 . 2011-10-23 08:15 -------- d-----w- c:\program files\MSBuild
2011-10-23 08:14 . 2011-10-23 08:14 -------- d-----w- c:\program files\Reference Assemblies
2011-10-23 08:14 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-10-23 08:13 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-10-23 08:13 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-10-23 08:13 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-10-23 08:13 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-10-23 08:13 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-10-23 08:13 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-10-23 08:13 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-10-23 08:13 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-10-23 08:13 . 2011-10-23 08:14 -------- d-----w- C:\1f27ee4e5fd3dee36580a9851c3c6f7a
2011-10-22 08:42 . 2011-10-22 08:42 -------- d-----w- c:\documents and settings\Rick\Application Data\ElevatedDiagnostics
2011-10-21 21:41 . 2011-10-21 21:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\UserData
2011-10-21 21:41 . 2011-10-21 21:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-10-21 21:41 . 2011-10-21 21:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-10-21 21:07 . 2011-10-21 21:07 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2011-10-21 21:06 . 2011-10-23 20:20 -------- d-----w- c:\program files\Microsoft Security Client
2011-09-26 10:41 . 2011-09-26 10:41 611328 ------w- c:\windows\system32\uiautomationcore.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-23 19:46 . 2004-08-04 12:00 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-10-23 19:39 . 2004-08-04 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-10-23 13:22 . 2004-08-03 22:59 37760 ----a-w- c:\windows\system32\drivers\amdk7.sys
2011-10-23 13:14 . 2004-08-04 12:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-10-23 12:51 . 2004-08-04 12:00 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-09-26 10:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-23 07:30 . 2011-05-17 05:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2007-08-25 03:52 . 2008-06-17 06:57 300400 -c--a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 24576]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2001-12-20 28672]
"NeroCheck"="c:\windows\System32\\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-12-03 847872]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-4-19 291896]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\FRONTPG.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Microsoft Security Client\\msseces.exe"=
"c:\\WINDOWS\\system32\\msfeedssync.exe"=
"c:\\Documents and Settings\\Rick\\My Documents\\Downloaded Programmes\\MicrosoftFixit.WinSecurity.Run.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\Rick\\Desktop\\virus removal\\321.com"=
.
R2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE [19/02/2011 21:07 153408]
R2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE [19/02/2011 21:07 121552]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [19/04/2011 07:44 986808]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [19/04/2011 07:44 392640]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [01/09/2010 09:30 15544]
S1 MpKsl0bafb622;MpKsl0bafb622;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FE5B9DF-B8B9-4A05-A2EB-F098A041A38C}\MpKsl0bafb622.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8FE5B9DF-B8B9-4A05-A2EB-F098A041A38C}\MpKsl0bafb622.sys [?]
S3 BELKIN;Belkin Wireless G USB Network Adapter;c:\windows\system32\drivers\BLKWGU.sys [27/08/2009 10:42 238848]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [15/03/2005 20:10 24197]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2011-10-24 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 14:39]
.
2011-10-24 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 14:39]
.
2011-10-23 c:\windows\Tasks\User_Feed_Synchronization-{A03EDEDB-B42A-4A2A-878A-882E468B7885}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Rick\Application Data\Mozilla\Firefox\Profiles\jede2t6e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-24 09:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = c:\program files\Creative\Splash Screen\CTEaxSpl.EXE /run???h???\????????\?w? ?w???????w???w4???????.??w4???????4????>?s4????????&3?????\??? ??? ???\???\???????????5?B~e?B~\???\?????????`??????C@?\???\???$??s????\??????s\????&3?5??s?&3??C@?x???`|?w\?????@
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]
"ImagePath"="system32\drivers\tsk2.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1935655697-606747145-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1935655697-606747145-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*J*P*G \OpenWithList]
@Class="Shell"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3216)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\System32\CTsvcCDA.exe
c:\windows\System32\PAStiSvc.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-10-24 09:41:17 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-24 08:41
ComboFix2.txt 2011-10-23 23:14
.
Pre-Run: 41,187,938,304 bytes free
Post-Run: 41,134,034,944 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /noexecute=optin
.
- - End Of File - - 3A47160FE70E3566D8B5DCBF949E6BED


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8010

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

24/10/2011 10:18:53
mbam-log-2011-10-24 (10-18-53).txt

Scan type: Quick scan
Objects scanned: 174098
Time elapsed: 17 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#11 riskb

riskb
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:08:06 AM

Posted 24 October 2011 - 06:59 AM

Everything seems to be working fine except that a Microsoft update is popping up every few seconds. The update is Windows Malicious Software Removal Tool - October 2011 (KB890830) and I've installed it repeatedly but am still being told that it is a new update and requires installing. My Microsoft update history page shows the update as having been installed 7 times this morning.
Security Essentials has also cleaned 3 attacks by Win32/Patchload.O this morning.
Thanks, Rick.

#12 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:03:06 AM

Posted 24 October 2011 - 06:32 PM

Let's go ahead and run TDSSKiller again and get a new GMER log.


1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

2.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


#13 riskb

riskb
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:08:06 AM

Posted 25 October 2011 - 12:18 PM

Hi fireman4it, thank you for continuing to help me. Before I received your latest reply, I ran a full Microsoft Security Essentials scan that took 11 hours. It found and cleaned 5 items:
Backdoor:Win32/Smadow.gen!B
Virus:Win32/Patchload.O
TrojanDropper:Win32/Sirefef.B
Virus:Win32/Patchload.O
Virus:Win32/Patchload.O

I then ran a full Malwarebytes Anti-Malware scan that found nothing.

I've since followed your instructions and the logs are pasted below. TDSSKiller found nothing.
Thanks, Rick.

09:12:32.0175 2100 TDSS rootkit removing tool 2.6.12.0 Oct 21 2011 11:23:48
09:12:32.0410 2100 ============================================================
09:12:32.0410 2100 Current date / time: 2011/10/25 09:12:32.0410
09:12:32.0410 2100 SystemInfo:
09:12:32.0410 2100
09:12:32.0410 2100 OS Version: 5.1.2600 ServicePack: 3.0
09:12:32.0410 2100 Product type: Workstation
09:12:32.0425 2100 ComputerName: HOME
09:12:32.0425 2100 UserName: Rick
09:12:32.0425 2100 Windows directory: C:\WINDOWS
09:12:32.0425 2100 System windows directory: C:\WINDOWS
09:12:32.0425 2100 Processor architecture: Intel x86
09:12:32.0425 2100 Number of processors: 1
09:12:32.0425 2100 Page size: 0x1000
09:12:32.0425 2100 Boot type: Normal boot
09:12:32.0425 2100 ============================================================
09:12:37.0925 2100 Initialize success
09:12:54.0441 2980 ============================================================
09:12:54.0441 2980 Scan started
09:12:54.0441 2980 Mode: Manual;
09:12:54.0441 2980 ============================================================
09:12:55.0535 2980 Abiosdsk - ok
09:12:55.0847 2980 abp480n5 - ok
09:12:56.0254 2980 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
09:12:56.0332 2980 ACPI - ok
09:12:56.0675 2980 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
09:12:56.0675 2980 ACPIEC - ok
09:12:56.0988 2980 adpu160m - ok
09:12:57.0347 2980 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
09:12:57.0394 2980 aec - ok
09:12:57.0769 2980 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
09:12:57.0816 2980 AFD - ok
09:12:58.0113 2980 Aha154x - ok
09:12:58.0425 2980 aic78u2 - ok
09:12:58.0722 2980 aic78xx - ok
09:12:59.0050 2980 AliIde - ok
09:12:59.0379 2980 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
09:12:59.0394 2980 AmdK7 - ok
09:12:59.0707 2980 amsint - ok
09:13:00.0019 2980 asc - ok
09:13:00.0316 2980 asc3350p - ok
09:13:00.0629 2980 asc3550 - ok
09:13:00.0972 2980 Aspi32 (ed8cee58c1e4c5893f5b2fd686a272bf) C:\WINDOWS\system32\drivers\Aspi32.sys
09:13:00.0988 2980 Aspi32 - ok
09:13:01.0347 2980 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
09:13:01.0347 2980 AsyncMac - ok
09:13:01.0707 2980 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
09:13:01.0707 2980 atapi - ok
09:13:02.0019 2980 Atdisk - ok
09:13:02.0394 2980 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
09:13:02.0425 2980 Atmarpc - ok
09:13:02.0769 2980 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
09:13:02.0769 2980 audstub - ok
09:13:03.0113 2980 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
09:13:03.0113 2980 Beep - ok
09:13:03.0535 2980 BELKIN (218cf47c3c6fd72be1eae51b426ca99d) C:\WINDOWS\system32\DRIVERS\BLKWGU.sys
09:13:03.0613 2980 BELKIN - ok
09:13:03.0675 2980 catchme - ok
09:13:04.0019 2980 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
09:13:04.0035 2980 cbidf2k - ok
09:13:04.0379 2980 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
09:13:04.0379 2980 CCDECODE - ok
09:13:04.0691 2980 cd20xrnt - ok
09:13:05.0035 2980 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
09:13:05.0035 2980 Cdaudio - ok
09:13:05.0394 2980 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
09:13:05.0410 2980 Cdfs - ok
09:13:05.0754 2980 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
09:13:05.0785 2980 Cdrom - ok
09:13:06.0082 2980 Changer - ok
09:13:06.0425 2980 CmdIde - ok
09:13:06.0769 2980 Cpqarray - ok
09:13:07.0160 2980 ctac32k (4b6096745f72b4fd36514617e2ea5d37) C:\WINDOWS\system32\drivers\ctac32k.sys
09:13:07.0222 2980 ctac32k - ok
09:13:07.0863 2980 ctaud2k (3576ec792347ed15699f6d830e0f5437) C:\WINDOWS\system32\drivers\ctaud2k.sys
09:13:08.0191 2980 ctaud2k - ok
09:13:08.0504 2980 ctljystk (71007bd2e1e26927fe3e4eb00c0beedf) C:\WINDOWS\system32\DRIVERS\ctljystk.sys
09:13:08.0519 2980 ctljystk - ok
09:13:08.0832 2980 ctprxy2k (097d42574e3c6d98cd5a2ee7647fa6bf) C:\WINDOWS\system32\drivers\ctprxy2k.sys
09:13:08.0832 2980 ctprxy2k - ok
09:13:09.0254 2980 ctsfm2k (c58a2507ef62b20b9bd670c666088b50) C:\WINDOWS\system32\drivers\ctsfm2k.sys
09:13:09.0347 2980 ctsfm2k - ok
09:13:09.0644 2980 dac2w2k - ok
09:13:09.0941 2980 dac960nt - ok
09:13:10.0300 2980 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
09:13:10.0316 2980 Disk - ok
09:13:10.0925 2980 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
09:13:11.0254 2980 dmboot - ok
09:13:11.0660 2980 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
09:13:11.0707 2980 dmio - ok
09:13:12.0035 2980 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
09:13:12.0050 2980 dmload - ok
09:13:12.0410 2980 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
09:13:12.0425 2980 DMusic - ok
09:13:12.0769 2980 dpti2o - ok
09:13:13.0082 2980 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
09:13:13.0082 2980 drmkaud - ok
09:13:13.0472 2980 emupia (a9d94b89372f3f9609a1a5eec631a260) C:\WINDOWS\system32\drivers\emupia2k.sys
09:13:13.0519 2980 emupia - ok
09:13:13.0972 2980 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
09:13:14.0019 2980 Fastfat - ok
09:13:14.0457 2980 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
09:13:14.0488 2980 Fdc - ok
09:13:14.0832 2980 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
09:13:14.0863 2980 Fips - ok
09:13:15.0175 2980 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
09:13:15.0191 2980 Flpydisk - ok
09:13:15.0535 2980 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
09:13:15.0582 2980 FltMgr - ok
09:13:15.0957 2980 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
09:13:15.0957 2980 Fs_Rec - ok
09:13:16.0300 2980 FTD2XX (b907d2b20db2f6392995f5379e2a9666) C:\WINDOWS\system32\Drivers\FTD2XX.sys
09:13:16.0316 2980 FTD2XX - ok
09:13:16.0660 2980 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
09:13:16.0707 2980 Ftdisk - ok
09:13:17.0035 2980 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
09:13:17.0035 2980 gameenum - ok
09:13:17.0410 2980 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
09:13:17.0425 2980 Gpc - ok
09:13:18.0129 2980 ha10kx2k (dc9847cdc43665ed4cc780947516209c) C:\WINDOWS\system32\drivers\ha10kx2k.sys
09:13:18.0519 2980 ha10kx2k - ok
09:13:18.0863 2980 hpn - ok
09:13:19.0332 2980 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
09:13:19.0457 2980 HTTP - ok
09:13:19.0769 2980 i2omgmt - ok
09:13:20.0082 2980 i2omp - ok
09:13:20.0410 2980 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
09:13:20.0441 2980 i8042prt - ok
09:13:20.0800 2980 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
09:13:20.0816 2980 Imapi - ok
09:13:21.0144 2980 ini910u - ok
09:13:21.0472 2980 IntelIde - ok
09:13:22.0019 2980 Intels51 (eb6d8e9cd813596b6d59d878337a4998) C:\WINDOWS\system32\DRIVERS\Intels51.sys
09:13:22.0269 2980 Intels51 - ok
09:13:22.0613 2980 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
09:13:22.0644 2980 ip6fw - ok
09:13:22.0988 2980 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
09:13:22.0988 2980 IpFilterDriver - ok
09:13:23.0332 2980 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
09:13:23.0332 2980 IpInIp - ok
09:13:23.0691 2980 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
09:13:23.0754 2980 IpNat - ok
09:13:24.0097 2980 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
09:13:24.0129 2980 IPSec - ok
09:13:24.0472 2980 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
09:13:24.0472 2980 IRENUM - ok
09:13:24.0816 2980 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
09:13:24.0832 2980 isapnp - ok
09:13:25.0144 2980 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
09:13:25.0160 2980 Kbdclass - ok
09:13:25.0535 2980 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
09:13:25.0597 2980 kmixer - ok
09:13:26.0050 2980 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
09:13:26.0082 2980 KSecDD - ok
09:13:26.0425 2980 lbrtfdc - ok
09:13:26.0988 2980 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
09:13:26.0988 2980 mnmdd - ok
09:13:27.0363 2980 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
09:13:27.0379 2980 Modem - ok
09:13:27.0738 2980 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
09:13:27.0738 2980 MODEMCSA - ok
09:13:28.0082 2980 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
09:13:28.0082 2980 Mouclass - ok
09:13:28.0425 2980 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
09:13:28.0472 2980 MountMgr - ok
09:13:28.0941 2980 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
09:13:29.0004 2980 MpFilter - ok
09:13:29.0269 2980 MpKsl0bafb622 - ok
09:13:29.0488 2980 MpKsl8ea9de55 (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{64D32385-F55B-4417-BB5C-51990C04C3EE}\MpKsl8ea9de55.sys
09:13:29.0488 2980 MpKsl8ea9de55 - ok
09:13:29.0863 2980 mraid35x - ok
09:13:29.0879 2980 MRENDIS5 - ok
09:13:30.0379 2980 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
09:13:30.0472 2980 MRxDAV - ok
09:13:30.0847 2980 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
09:13:30.0847 2980 Msfs - ok
09:13:31.0191 2980 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
09:13:31.0191 2980 MSKSSRV - ok
09:13:31.0613 2980 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
09:13:31.0629 2980 MSPCLOCK - ok
09:13:32.0004 2980 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
09:13:32.0097 2980 MSPQM - ok
09:13:32.0425 2980 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
09:13:32.0425 2980 mssmbios - ok
09:13:32.0785 2980 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
09:13:32.0785 2980 MSTEE - ok
09:13:33.0379 2980 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
09:13:33.0488 2980 Mup - ok
09:13:34.0175 2980 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
09:13:34.0238 2980 NABTSFEC - ok
09:13:34.0738 2980 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
09:13:34.0816 2980 NDIS - ok
09:13:35.0175 2980 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
09:13:35.0175 2980 NdisIP - ok
09:13:35.0660 2980 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
09:13:35.0660 2980 NdisTapi - ok
09:13:36.0004 2980 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
09:13:36.0019 2980 Ndisuio - ok
09:13:36.0379 2980 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
09:13:36.0425 2980 NdisWan - ok
09:13:36.0769 2980 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
09:13:36.0785 2980 NDProxy - ok
09:13:37.0144 2980 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
09:13:37.0160 2980 NetBIOS - ok
09:13:37.0707 2980 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
09:13:37.0800 2980 NetBT - ok
09:13:38.0222 2980 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
09:13:38.0238 2980 Npfs - ok
09:13:38.0785 2980 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
09:13:39.0004 2980 Ntfs - ok
09:13:39.0394 2980 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
09:13:39.0410 2980 Null - ok
09:13:40.0441 2980 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
09:13:41.0129 2980 nv - ok
09:13:41.0472 2980 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
09:13:41.0472 2980 NwlnkFlt - ok
09:13:41.0832 2980 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
09:13:41.0832 2980 NwlnkFwd - ok
09:13:42.0238 2980 ossrv (f29184bdc81c398b6027a67ff6a19895) C:\WINDOWS\system32\drivers\ctoss2k.sys
09:13:42.0316 2980 ossrv - ok
09:13:42.0675 2980 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
09:13:42.0707 2980 Parport - ok
09:13:43.0035 2980 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
09:13:43.0050 2980 PartMgr - ok
09:13:43.0394 2980 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
09:13:43.0394 2980 ParVdm - ok
09:13:43.0754 2980 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
09:13:43.0785 2980 PCI - ok
09:13:44.0113 2980 PCIDump - ok
09:13:44.0441 2980 PCIIde - ok
09:13:44.0816 2980 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
09:13:44.0847 2980 Pcmcia - ok
09:13:45.0144 2980 PDCOMP - ok
09:13:45.0441 2980 PDFRAME - ok
09:13:45.0754 2980 PDRELI - ok
09:13:46.0066 2980 PDRFRAME - ok
09:13:46.0379 2980 perc2 - ok
09:13:46.0707 2980 perc2hib - ok
09:13:47.0050 2980 PfModNT (2f5532f9b0f903b26847da674b4f55b2) C:\WINDOWS\system32\PfModNT.sys
09:13:47.0113 2980 PfModNT - ok
09:13:47.0488 2980 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
09:13:47.0519 2980 PptpMiniport - ok
09:13:47.0879 2980 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
09:13:47.0894 2980 PSched - ok
09:13:48.0254 2980 PSI (d24dfd16a1e2a76034df5aa18125c35d) C:\WINDOWS\system32\DRIVERS\psi_mf.sys
09:13:48.0269 2980 PSI - ok
09:13:48.0597 2980 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
09:13:48.0597 2980 Ptilink - ok
09:13:48.0910 2980 ql1080 - ok
09:13:49.0207 2980 Ql10wnt - ok
09:13:49.0550 2980 ql12160 - ok
09:13:49.0863 2980 ql1240 - ok
09:13:50.0175 2980 ql1280 - ok
09:13:50.0504 2980 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
09:13:50.0504 2980 RasAcd - ok
09:13:50.0847 2980 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
09:13:50.0863 2980 Rasl2tp - ok
09:13:51.0191 2980 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
09:13:51.0207 2980 RasPppoe - ok
09:13:51.0519 2980 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
09:13:51.0519 2980 Raspti - ok
09:13:51.0910 2980 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
09:13:51.0972 2980 Rdbss - ok
09:13:52.0285 2980 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
09:13:52.0285 2980 RDPCDD - ok
09:13:52.0707 2980 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
09:13:52.0754 2980 RDPWD - ok
09:13:53.0066 2980 redbook - ok
09:13:53.0410 2980 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
09:13:53.0410 2980 ROOTMODEM - ok
09:13:53.0800 2980 rtl8139 (8be348f9aeeb4da0005b7f500f46f6ad) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
09:13:53.0816 2980 rtl8139 - ok
09:13:54.0207 2980 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
09:13:54.0222 2980 Secdrv - ok
09:13:54.0613 2980 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
09:13:54.0629 2980 serenum - ok
09:13:54.0957 2980 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
09:13:54.0988 2980 Serial - ok
09:13:55.0347 2980 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
09:13:55.0347 2980 Sfloppy - ok
09:13:55.0660 2980 Simbad - ok
09:13:55.0972 2980 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
09:13:55.0988 2980 SLIP - ok
09:13:56.0285 2980 Sparrow - ok
09:13:56.0691 2980 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
09:13:56.0691 2980 splitter - ok
09:13:57.0066 2980 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
09:13:57.0097 2980 sr - ok
09:13:57.0613 2980 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
09:13:57.0754 2980 Srv - ok
09:13:58.0144 2980 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
09:13:58.0160 2980 streamip - ok
09:13:58.0519 2980 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
09:13:58.0519 2980 swenum - ok
09:13:59.0097 2980 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
09:13:59.0144 2980 swmidi - ok
09:13:59.0675 2980 symc810 - ok
09:13:59.0988 2980 symc8xx - ok
09:14:00.0285 2980 sym_hi - ok
09:14:00.0582 2980 sym_u3 - ok
09:14:00.0957 2980 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
09:14:00.0972 2980 sysaudio - ok
09:14:01.0504 2980 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
09:14:01.0660 2980 Tcpip - ok
09:14:02.0019 2980 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
09:14:02.0019 2980 TDPIPE - ok
09:14:02.0394 2980 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
09:14:02.0394 2980 TDTCP - ok
09:14:02.0754 2980 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
09:14:02.0769 2980 TermDD - ok
09:14:03.0113 2980 TosIde - ok
09:14:03.0472 2980 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
09:14:03.0504 2980 Udfs - ok
09:14:03.0816 2980 ultra - ok
09:14:04.0285 2980 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
09:14:04.0441 2980 Update - ok
09:14:04.0879 2980 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
09:14:04.0894 2980 usbccgp - ok
09:14:05.0222 2980 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
09:14:05.0238 2980 usbehci - ok
09:14:05.0597 2980 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
09:14:05.0613 2980 usbhub - ok
09:14:05.0988 2980 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
09:14:05.0988 2980 usbprint - ok
09:14:06.0332 2980 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
09:14:06.0332 2980 usbscan - ok
09:14:06.0675 2980 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
09:14:06.0675 2980 USBSTOR - ok
09:14:07.0035 2980 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
09:14:07.0035 2980 usbuhci - ok
09:14:07.0425 2980 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
09:14:07.0472 2980 usbvideo - ok
09:14:07.0816 2980 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
09:14:07.0832 2980 VgaSave - ok
09:14:08.0144 2980 viaagp1 - ok
09:14:08.0472 2980 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
09:14:08.0472 2980 ViaIde - ok
09:14:08.0816 2980 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
09:14:08.0832 2980 VolSnap - ok
09:14:09.0175 2980 vulfnths (16409c468ceee99b6b129fcaa5c0f206) C:\WINDOWS\System32\Drivers\vulfnth.sys
09:14:09.0191 2980 vulfnths - ok
09:14:09.0519 2980 vulfntrs (e76fb35e30fb885124479a4a0aca3923) C:\WINDOWS\System32\Drivers\vulfntr.sys
09:14:09.0535 2980 vulfntrs - ok
09:14:09.0910 2980 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
09:14:09.0925 2980 Wanarp - ok
09:14:10.0222 2980 WDICA - ok
09:14:10.0582 2980 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
09:14:10.0613 2980 wdmaud - ok
09:14:10.0660 2980 WINIO - ok
09:14:11.0144 2980 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
09:14:11.0144 2980 WSTCODEC - ok
09:14:11.0519 2980 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
09:14:11.0550 2980 WudfPf - ok
09:14:11.0660 2980 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
09:14:11.0894 2980 \Device\Harddisk0\DR0 - ok
09:14:11.0925 2980 Boot (0x1200) (67a246577f716f55b55fca261f432905) \Device\Harddisk0\DR0\Partition0
09:14:11.0925 2980 \Device\Harddisk0\DR0\Partition0 - ok
09:14:11.0941 2980 ============================================================
09:14:11.0941 2980 Scan finished
09:14:11.0941 2980 ============================================================
09:14:11.0972 2936 Detected object count: 0
09:14:11.0972 2936 Actual detected object count: 0


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-25 17:03:12
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 Maxtor_6Y120P0 rev.YAR41BW0
Running: 1ep4bzjb.exe; Driver: C:\DOCUME~1\Rick\LOCALS~1\Temp\pxtdipow.sys


---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

#14 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:03:06 AM

Posted 25 October 2011 - 08:01 PM

Hello,

Backdoor:Win32/Smadow.gen!B
Virus:Win32/Patchload.O
TrojanDropper:Win32/Sirefef.B
Virus:Win32/Patchload.O
Virus:Win32/Patchload.O


You are finding the ComboFix or TDSS quarantine files, I would suspect.

Can you copy and paste the report from Microsoft Security Essentials. Then I would know for sure. I'm not seeing any signs of malware in any of the logs. Are you seeing any signs besides MSE saying that there are infections?


1.
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\system32\DRIVERS\redbook.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


2.
Uninstall Combofix
  • Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
    o *If it is not on your Desktop, the below will not work.
  • Click on Start, then Run....
  • Now copy & paste the following text into the Run box and click OK.

    ComboFix /Uninstall

    (Notice the space between the "x" and "/". It needs to be there.)
    Windows Vista users: Press the Windows Key + R to bring up the Run... command and then from there you can add in the ComboFix /Uninstall

  • Please advise if this step is missed for any reason as it performs some important actions:
    "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
    It also makes a clean Restore Point and flushes all the old restore points in order to prevent possible reinfection from an old one through System Restore".


3.
Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#15 riskb

riskb
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:06 AM

Posted 26 October 2011 - 11:54 AM

Good morning again,
Scan results pasted below as requested and ComboFix has been uninstalled. Security Essentials will not let me copy and paste from the history page so I've typed it out. The only unusual thing still happening is that the computer is telling me that it wants me to install the Microsoft update for the Malicious Software Removal Tool even though I have installed it repeatedly. I've not installed it this time yet.

Virus:Win32/Patchload.O
Disinfected
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1236\A0171165.rbf

Virus:Win32/Patchload.O
Disinfected
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1233\A0170822.exe

TrojanDropper:Win32/Sirefef.B
Removed
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1241\A0173348.sys
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1246\A0173406.sys
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1246\A0173410.sys
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1246\A0173416.sys

Virus:Win32/Patchload.O
Disinfected
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1246\A0173414.exe

Backdoor:Win32/Smadow.gen!B
Removed
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1232\A0170606.ini
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1232\A0170706.ini
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1233\A0170726.ini
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1235\A0170899.ini
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1235\A0170912.ini
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1236\A0171287.ini
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1239\A0172026.ini
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1241\A0173352.ini
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1246\A0173757.ini


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-26 11:29:57
-----------------------------
11:29:57.812 OS Version: Windows 5.1.2600 Service Pack 3
11:29:57.812 Number of processors: 1 586 0x801
11:29:57.812 ComputerName: HOME UserName: Rick
11:30:02.718 Initialize success
11:37:18.140 AVAST engine defs: 11102600
11:41:13.546 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
11:41:13.546 Disk 0 Vendor: Maxtor_6Y120P0 YAR41BW0 Size: 117246MB BusType: 3
11:41:13.546 Disk 0 MBR read successfully
11:41:13.546 Disk 0 MBR scan
11:41:13.625 Disk 0 Windows XP default MBR code
11:41:13.640 Disk 0 scanning sectors +240107490
11:41:13.750 Disk 0 scanning C:\WINDOWS\system32\drivers
11:41:52.750 Service scanning
11:41:55.812 Service MpKslb90c5579 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C093D205-B1B1-419D-BF94-F0733959DE2E}\MpKslb90c5579.sys **LOCKED** 32
11:41:56.453 Modules scanning
11:42:13.937 Disk 0 trace - called modules:
11:42:13.953 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys viaide.sys
11:42:13.953 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86fa1ab8]
11:42:14.484 3 CLASSPNP.SYS[f752ffd7] -> nt!IofCallDriver -> \Device\0000005b[0x86f64f18]
11:42:14.484 5 ACPI.sys[f74a6620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x86f6ed98]
11:42:17.812 AVAST engine scan C:\WINDOWS
11:43:07.515 AVAST engine scan C:\WINDOWS\system32
11:52:03.968 AVAST engine scan C:\WINDOWS\system32\drivers
11:53:07.125 AVAST engine scan C:\Documents and Settings\Rick
15:46:08.468 AVAST engine scan C:\Documents and Settings\All Users
16:10:20.656 Scan finished successfully
17:46:41.765 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Rick\Desktop\MBR.dat"
17:46:41.781 The log file has been saved successfully to "C:\Documents and Settings\Rick\Desktop\aswMBR.txt"


Filename: redbook.sys
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Wed 26 Oct 2011 12:03:19 (CET)

All 20 scanners (definitions dated 2011-10-24 to 2011-10-26): Found nothing
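Post #14 suspects that the MSE hits are quarantine or restore-point copies rather than files on the live system, and the history typed out in post #15 bears that out: every path sits under \System Volume Information\_restore{...}\RPnnnn\. The script below is an added example, not a tool from the thread or from any of the scanners mentioned in it. It parses the three-line MSE pattern (threat, action, then one "file:" line per hit) and classifies each hit by location. The input is the report from post #15 reproduced as constructed data, with the GUID's closing brace corrected to "}" (the post has "{" there, and the regex tolerates either); the one "live" entry, Trojan:Win32/ConstructedExample.A, is a hypothetical addition so the other branch of the check is exercised. The function and variable names are my own.

```python
# Added example for this thread, not a tool from the original posts: it parses the
# Microsoft Security Essentials history the topic starter typed out and decides,
# per hit, whether the file is live or a copy inside a System Restore snapshot.
import re
from collections import defaultdict
from typing import NamedTuple

# Constructed input: the report as typed in the thread, with the closing brace of
# the _restore GUID normalised to "}" (the post has "{" there).
MSE_REPORT_FROM_THREAD = r"""
Virus:Win32/Patchload.O
Disinfected
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1236\A0171165.rbf
Virus:Win32/Patchload.O
Disinfected
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1233\A0170822.exe
TrojanDropper:Win32/Sirefef.B
Removed
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1241\A0173348.sys
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1246\A0173406.sys
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1246\A0173410.sys
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1246\A0173416.sys
Virus:Win32/Patchload.O
Disinfected
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1246\A0173414.exe
Backdoor:Win32/Smadow.gen!B
Removed
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1232\A0170606.ini
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1232\A0170706.ini
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1233\A0170726.ini
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1235\A0170899.ini
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1235\A0170912.ini
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1236\A0171287.ini
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1239\A0172026.ini
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1241\A0173352.ini
file:\System Volume Information\_restore{DE83407A-C836-4D2B-8971-497418DA60E4}\RP1246\A0173757.ini
"""
# Constructed, hypothetical entry (not from the thread) so the "live" branch runs too.
CONSTRUCTED_LIVE_ENTRY = ("Trojan:Win32/ConstructedExample.A\nQuarantined\n"
                          "file:C:\\WINDOWS\\system32\\drivers\\constructed_example.sys\n")

FILE_RE = re.compile(r"^file:(?P<path>.+)$")
THREAT_RE = re.compile(r"^[A-Za-z]+:\S+$")  # e.g. Virus:Win32/Patchload.O
# ...\System Volume Information\_restore{GUID}\RPnnnn\...  ("{" is also accepted for
# the closing brace because hand-typed reports get it wrong)
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+[}{]\\RP(?P<rp>\d+)\\", re.I)

Detection = NamedTuple("Detection", [("threat", str), ("action", str), ("path", str)])


def parse_report(text):
    """Each block is a threat line, an action line, then one or more file: lines."""
    hits, threat, action = [], None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = FILE_RE.match(line)  # checked first: a live path can look like Name:xxx
        if m:
            if not (threat and action):
                raise ValueError(f"file line before threat/action: {line}")
            hits.append(Detection(threat, action, m.group("path")))
        elif THREAT_RE.match(line):
            threat, action = line, None
        elif threat and action is None:
            action = line
        else:
            raise ValueError(f"unexpected line: {line}")
    return hits


def classify(path):
    """("restore_point", RP number) for snapshot copies, ("live", None) otherwise."""
    m = RESTORE_RE.search(path)
    return ("restore_point", int(m.group("rp"))) if m else ("live", None)


def summarize(text):
    """Per-threat counts by location, the RP numbers involved, and any live paths."""
    per_threat = defaultdict(lambda: {"restore_point": 0, "live": 0})
    restore_points, live_paths = set(), []
    hits = parse_report(text)
    for h in hits:
        kind, rp = classify(h.path)
        per_threat[h.threat][kind] += 1
        if kind == "restore_point":
            restore_points.add(rp)
        else:
            live_paths.append(h.path)
    return {"detections": len(hits), "per_threat": dict(per_threat),
            "restore_points": sorted(restore_points), "live_paths": live_paths}


if __name__ == "__main__":
    s = summarize(MSE_REPORT_FROM_THREAD + CONSTRUCTED_LIVE_ENTRY)
    for threat, counts in s["per_threat"].items():
        print(threat, counts)
    print("restore points:", s["restore_points"], "| live paths:", s["live_paths"] or "none")
```

Run on the thread's own report alone, summarize() returns no live paths and seven restore points (RP1232 through RP1246), which is the concrete form of the helper's "quarantine files" reading: the copies were made by System Restore as the cleanup tools replaced files, and ComboFix's /Uninstall step, which flushes the old restore points, is what removes them. A non-empty live_paths list is the case that would still need attention.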



