Infected with TDSS and Google keeps redirecting

52 replies to this topic

#1 ana_z
  • Members
  • 26 posts

Posted 27 December 2011 - 01:24 AM

I am running a Windows XP system and became infected with the Google redirect first and then System Fix. I would get advertisements running (sound) even when Internet Explorer was not running. I believe I got infected when I was searching for radio stations.

I have performed the System Fix removal using the remove-system-fix here on bleepingcomputer. Then after reboot the redirect still occurred within Google. I ran TDSSKiller twice, but now I cannot run it, even after renaming as suggested. I went through the entire process again to ensure that I had not missed anything. The redirect and sound from the advertisements still occur.

I have provided the files DDS.TXT, ATTACH.ZIP and ARK.TXT as suggested in topic34773.html after following those instructions.

Thanks very much for your help.


#2 Shannon2012
  • Security Colleague
  • 3,657 posts

Posted 31 December 2011 - 04:09 PM

Hi,

Welcome to Bleeping Computer.

My name is Shannon and I will be working with you to remove the malware that is on your machine.

I apologize for the delay in replying to your post, but this forum is extremely busy.

Please Track this topic - On the top right on this thread, click on the Watch Topic button, click on 'Immediate Email Notification', and then click on the Proceed button at the bottom.

Do Not make any changes on your own to the infected computer.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Now, let's look more thoroughly at the infected computer -

We need to see some information about what is happening in your machine. Please perform the following scan:
  • We need to create an OTL Report
  • Please download OTL from here:
  • Main Mirror
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList"
  • Push the Run Scan button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Next, please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

Once you have the above logs, click on the Add Reply button below, copy in the contents of the two OTL logs and the RKU log. Also include any comments that you might have concerning the infection(s) and the infected computer.
Shannon
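Once the two OTL reports come back, the first pass a helper makes over them is largely mechanical: which loaded files carry no company name, which referenced files are missing, which toolbar or BHO hooks have no CLSID behind them. The script below is an added example written for this page, not part of the thread or of OTL itself; it parses the PRC/MOD/SRV/DRV and O2/O3/O4 line layouts OTL prints and flags those entries. The sample lines are constructed in that layout (the CLSID is a placeholder), and the "loads from user profile" heuristic is the example's own, not an OTL rule.

```python
"""Triage helper for OTL log lines (added example; not OTL's own code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# PRC/MOD/SRV/DRV entries share one layout:
#   KIND - [yyyy/mm/dd hh:mm:ss | size | attrs | M] (Company) [state] -- path -- (ServiceName) description
ENTRY_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - "
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-\w]{4}) \| M\] "
    r"\((?P<company>[^)]*)\)"
    r"(?: \[(?P<state>[^\]]*)\])?"
    r" -- (?P<path>.+?)"
    r"(?: -- \((?P<svc>[^)]*)\).*)?$"
)
# O2 (BHO), O3 (toolbar) and O4 (Run key) lines end with the file's company
# name in parentheses when OTL could read one; "()" means it could not.
HOOK_RE = re.compile(r"^(?P<kind>O[234]) - (?P<body>.*?)(?: \((?P<company>[^()]*)\))?$")
# First Windows path inside a hook line.
PATH_RE = re.compile(r"[A-Za-z]:\\[^()]*")
# User-writable profile locations; code loading from there deserves a second
# look (my own heuristic for this example, not an OTL rule).
USER_DIR_RE = re.compile(r"\\(Documents and Settings|Users)\\", re.IGNORECASE)


@dataclass
class Entry:
    kind: str
    path: str
    company: Optional[str]
    size: Optional[int] = None
    state: Optional[str] = None
    service: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def _flags(entry: Entry, line: str) -> List[str]:
    flags = []
    if not (entry.company or "").strip():
        flags.append("no company name")
    if "File not found" in line:
        flags.append("file missing")
    if "No CLSID value found" in line:
        flags.append("no CLSID")
    if USER_DIR_RE.search(entry.path):
        flags.append("loads from user profile")
    return flags


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a PRC/MOD/SRV/DRV or O2/O3/O4 line, else None."""
    m = ENTRY_RE.match(line)
    if m:
        entry = Entry(kind=m["kind"], path=m["path"], company=m["company"],
                      size=int(m["size"].replace(",", "")),
                      state=m["state"], service=m["svc"])
    else:
        m = HOOK_RE.match(line)
        if not m:
            return None
        pm = PATH_RE.search(m["body"])
        entry = Entry(kind=m["kind"],
                      path=pm.group(0).strip() if pm else m["body"],
                      company=m["company"])
    entry.flags = _flags(entry, line)
    return entry


def parse_log(text: str) -> List[Entry]:
    """Parse every recognised line of an OTL report; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        entry = parse_line(line.rstrip())
        if entry:
            entries.append(entry)
    return entries


def triage(text: str) -> List[Entry]:
    """Entries a helper would look at first: anything with at least one flag."""
    return [e for e in parse_log(text) if e.flags]


# Constructed sample lines in OTL's layout (placeholder CLSID, made-up helper.dll).
SAMPLE_LOG = r"""
PRC - [2011/12/31 15:25:46 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
MOD - [2011/09/27 07:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
SRV - [2011/12/24 17:50:18 | 000,652,872 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
DRV - [2005/06/06 20:40:48 | 000,180,736 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA) High Definition Audio Driver (WDM)
O2 - BHO: (Example Helper) - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll ()
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind:4} {', '.join(e.flags):40} {e.path}")
```

Point `parse_log` at a saved OTL.txt to run the same pass over a real report; the flags narrow the list, they do not by themselves say a file is malicious.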

#3 ana_z
  • Topic Starter
  • Members
  • 26 posts

Posted 31 December 2011 - 08:11 PM

Thanks very much for your reply Shannon. I understand how busy it must be.
I have run the three tools and have provided them as follows.

Many thanks for your help!



OTL logfile created on: 31/12/2011 17:42:59 - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Our Home Account\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

1014.07 Mb Total Physical Memory | 359.23 Mb Available Physical Memory | 35.42% Memory free
2.40 Gb Paging File | 1.80 Gb Available in Paging File | 75.22% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.33 Gb Total Space | 14.14 Gb Free Space | 9.80% Space Free | Partition Type: NTFS

Computer Name: D481R191 | User Name: Our Home Account | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/31 15:25:46 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Our Home Account\Desktop\OTL.exe
PRC - [2011/12/24 17:50:18 | 000,652,872 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/12/24 17:50:18 | 000,460,872 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011/10/13 23:01:50 | 000,994,360 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psia.exe
PRC - [2011/10/13 23:01:48 | 000,399,416 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\sua.exe
PRC - [2011/10/13 23:01:46 | 000,291,896 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psi_tray.exe
PRC - [2011/09/24 00:19:54 | 000,892,928 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\ReaderDesktop\appHelper\ReaderAppHelper.exe
PRC - [2011/02/10 07:00:24 | 000,116,752 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiWatchDog.exe
PRC - [2011/01/30 16:00:37 | 000,016,824 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
PRC - [2010/07/13 00:34:46 | 000,906,648 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe
PRC - [2009/07/30 15:05:58 | 000,497,000 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
PRC - [2008/11/09 13:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/10/08 22:07:56 | 000,107,912 | ---- | M] () -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/06/15 11:57:42 | 000,145,504 | ---- | M] (B.H.A Corporation) -- C:\WINDOWS\system32\bgsvcgen.exe
PRC - [2005/04/27 13:59:24 | 000,241,725 | ---- | M] (Microsoft Corporation) -- C:\Program Files\UPHClean\uphclean.exe


========== Modules (No Company Name) ==========

MOD - [2011/09/27 07:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 07:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/09/24 00:20:46 | 000,884,736 | ---- | M] () -- C:\Program Files\Sony\ReaderDesktop\appHelper\fsk.dll
MOD - [2011/09/24 00:19:54 | 000,143,360 | ---- | M] () -- C:\Program Files\Sony\ReaderDesktop\appHelper\readerAppHelper.dll
MOD - [2011/09/24 00:19:04 | 000,172,032 | ---- | M] () -- C:\Program Files\Sony\ReaderDesktop\appHelper\USBDetector.dll
MOD - [2011/09/24 00:18:22 | 000,018,432 | ---- | M] () -- C:\Program Files\Sony\ReaderDesktop\appHelper\FskNetInterface.dll
MOD - [2011/09/24 00:18:20 | 000,009,728 | ---- | M] () -- C:\Program Files\Sony\ReaderDesktop\appHelper\FskPower.dll
MOD - [2011/09/24 00:18:18 | 000,020,480 | ---- | M] () -- C:\Program Files\Sony\ReaderDesktop\appHelper\FskinLocalize.dll
MOD - [2011/09/24 00:18:18 | 000,008,704 | ---- | M] () -- C:\Program Files\Sony\ReaderDesktop\appHelper\FskTimeHardware.dll
MOD - [2011/09/24 00:18:16 | 000,028,160 | ---- | M] () -- C:\Program Files\Sony\ReaderDesktop\appHelper\ticket.dll
MOD - [2011/09/24 00:18:14 | 000,012,288 | ---- | M] () -- C:\Program Files\Sony\ReaderDesktop\appHelper\ebookDeviceNotifier.dll
MOD - [2011/09/24 00:16:56 | 000,118,784 | ---- | M] () -- C:\Program Files\Sony\ReaderDesktop\appHelper\FskDocumentViewer.dll
MOD - [2011/09/24 00:16:52 | 000,010,752 | ---- | M] () -- C:\Program Files\Sony\ReaderDesktop\appHelper\FskMobileMediaDevice.dll
MOD - [2011/09/24 00:16:50 | 000,233,472 | ---- | M] () -- C:\Program Files\Sony\ReaderDesktop\appHelper\Fskin.dll
MOD - [2011/09/24 00:16:22 | 000,033,792 | ---- | M] () -- C:\Program Files\Sony\ReaderDesktop\appHelper\FskMediaPlayers.dll
MOD - [2011/09/23 16:36:06 | 000,798,720 | ---- | M] () -- C:\Program Files\Sony\ReaderDesktop\appHelper\FskSecurity.dll
MOD - [2011/09/23 13:44:56 | 000,086,016 | ---- | M] () -- C:\Program Files\Sony\ReaderDesktop\appHelper\ebookUsb.dll
MOD - [2011/02/04 17:48:30 | 000,291,840 | ---- | M] () -- C:\WINDOWS\system32\sbe.dll
MOD - [2010/09/22 20:12:20 | 000,016,832 | ---- | M] () -- C:\Program Files\Adobe\Reader 9.0\Reader\ViewerPS.dll
MOD - [2010/07/13 00:29:42 | 000,143,360 | ---- | M] () -- C:\Program Files\Sony\Reader\Data\bin\launcher\connectionDetector.dll
MOD - [2010/07/13 00:28:42 | 000,856,064 | ---- | M] () -- C:\Program Files\Sony\Reader\Data\bin\launcher\fsk.dll
MOD - [2010/07/13 00:26:12 | 000,018,432 | ---- | M] () -- C:\Program Files\Sony\Reader\Data\bin\launcher\FskNetInterface.dll
MOD - [2010/07/13 00:25:56 | 000,008,704 | ---- | M] () -- C:\Program Files\Sony\Reader\Data\bin\launcher\FskTimeHardware.dll
MOD - [2010/07/13 00:25:50 | 000,028,160 | ---- | M] () -- C:\Program Files\Sony\Reader\Data\bin\launcher\ticket.dll
MOD - [2010/07/13 00:25:42 | 000,011,776 | ---- | M] () -- C:\Program Files\Sony\Reader\Data\bin\launcher\ebookDeviceNotifier.dll
MOD - [2010/07/13 00:22:36 | 000,020,480 | ---- | M] () -- C:\Program Files\Sony\Reader\Data\bin\FskinLocalize.dll
MOD - [2010/07/13 00:22:02 | 000,009,728 | ---- | M] () -- C:\Program Files\Sony\Reader\Data\bin\FskPower.dll
MOD - [2010/07/13 00:16:16 | 000,118,784 | ---- | M] () -- C:\Program Files\Sony\Reader\Data\bin\FskDocumentViewer.dll
MOD - [2010/07/13 00:15:58 | 000,010,240 | ---- | M] () -- C:\Program Files\Sony\Reader\Data\bin\FskMobileMediaDevice.dll
MOD - [2010/07/13 00:15:52 | 000,233,472 | ---- | M] () -- C:\Program Files\Sony\Reader\Data\bin\Fskin.dll
MOD - [2010/07/13 00:13:42 | 000,033,792 | ---- | M] () -- C:\Program Files\Sony\Reader\Data\bin\FskMediaPlayers.dll
MOD - [2010/07/13 00:10:56 | 000,172,032 | ---- | M] () -- C:\Program Files\Sony\Reader\Data\bin\launcher\USBDetector.dll
MOD - [2010/04/02 20:23:36 | 000,815,104 | ---- | M] () -- C:\Program Files\Sony\Reader\Data\bin\FskSecurity.dll
MOD - [2010/04/02 19:44:16 | 000,086,016 | ---- | M] () -- C:\Program Files\Sony\Reader\Data\bin\launcher\ebookUsb.dll
MOD - [2010/02/05 11:27:45 | 001,291,776 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
MOD - [2009/02/27 12:52:56 | 000,258,048 | ---- | M] () -- C:\Program Files\Adobe\Reader 9.0\Reader\sqlite.dll
MOD - [2008/10/08 22:07:56 | 000,107,912 | ---- | M] () -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe
MOD - [2008/04/13 17:12:03 | 000,562,176 | ---- | M] () -- C:\WINDOWS\system32\qedit.dll
MOD - [2008/04/13 17:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/13 17:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2007/11/16 15:02:18 | 000,479,232 | R--- | M] () -- C:\Program Files\Adobe\Reader 9.0\Reader\ccme_base.dll
MOD - [2007/11/16 15:02:18 | 000,401,408 | R--- | M] () -- C:\Program Files\Adobe\Reader 9.0\Reader\cryptocme2.dll
MOD - [2002/07/04 08:38:00 | 000,053,248 | ---- | M] () -- C:\Program Files\ArcSoft\Software Suite\PhotoImpression\Share\PIHook.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/12/24 17:50:18 | 000,652,872 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/10/13 23:01:50 | 000,994,360 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\PSIA.exe -- (Secunia PSI Agent)
SRV - [2011/10/13 23:01:48 | 000,399,416 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\sua.exe -- (Secunia Update Agent)
SRV - [2011/02/16 14:26:04 | 000,188,272 | ---- | M] (Trend Micro Inc.) [Auto | Stopped] -- C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe -- (Amsp)
SRV - [2010/04/02 20:34:12 | 000,073,728 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe -- (Sony SCSI Helper Service)
SRV - [2008/11/09 13:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/10/08 22:07:56 | 000,107,912 | ---- | M] () [Auto | Running] -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe -- (IJPLMSVC)
SRV - [2007/06/15 11:57:42 | 000,145,504 | ---- | M] (B.H.A Corporation) [Auto | Running] -- C:\WINDOWS\System32\bgsvcgen.exe -- (bgsvcgen)
SRV - [2005/12/20 15:22:41 | 000,069,632 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe -- (Creative Labs Licensing Service)
SRV - [2005/04/27 13:59:24 | 000,241,725 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\UPHClean\uphclean.exe -- (UPHClean)


========== Driver Services (SafeList) ==========

DRV - [2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/04/10 21:12:44 | 000,341,072 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TM_CFW.sys -- (tmcfw)
DRV - [2011/04/10 21:12:44 | 000,189,520 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2011/04/10 21:12:44 | 000,092,112 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tmtdi.sys -- (tmtdi)
DRV - [2011/04/10 21:12:44 | 000,080,464 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmactmon.sys -- (tmactmon)
DRV - [2011/04/10 21:12:44 | 000,064,080 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmevtmgr.sys -- (tmevtmgr)
DRV - [2010/09/01 01:30:58 | 000,015,544 | ---- | M] (Secunia) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psi_mf.sys -- (PSI)
DRV - [2006/03/07 08:43:40 | 000,111,872 | ---- | M] (Mars Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mr97310v.sys -- (MR97310_VGA_DUAL_CAMERA)
DRV - [2006/01/10 11:07:58 | 000,004,864 | ---- | M] (GTek Technologies Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2005/06/06 20:40:48 | 000,180,736 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA) High Definition Audio Driver (WDM)
DRV - [2005/05/25 21:34:00 | 000,158,464 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CTUSFSYN.SYS -- (CTUSFSYN)
DRV - [2005/03/25 15:11:00 | 001,350,272 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sigfilt.sys -- (sigfilt)
DRV - [2005/02/23 13:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2005/01/10 23:15:00 | 000,138,752 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CTSFM2K.SYS -- (ctsfm2k)
DRV - [2005/01/10 23:15:00 | 000,106,496 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CTOSS2K.SYS -- (ossrv)
DRV - [2004/12/23 00:58:00 | 000,008,704 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PFMODNT.SYS -- (PfModNT)
DRV - [2004/10/07 18:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2003/09/20 07:45:48 | 000,021,248 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2002/05/22 12:42:42 | 000,015,326 | ---- | M] (Palm, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.ca/myway
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\.DEFAULT\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.ca/myway
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-18\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2984770657-741461230-1056844531-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar =
IE - HKU\S-1-5-21-2984770657-741461230-1056844531-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKU\S-1-5-21-2984770657-741461230-1056844531-1008\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-2984770657-741461230-1056844531-1008\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-2984770657-741461230-1056844531-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ww.google.ca/
IE - HKU\S-1-5-21-2984770657-741461230-1056844531-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ca.msn.com/?lang=en-ca&OCID=iehp
IE - HKU\S-1-5-21-2984770657-741461230-1056844531-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-ca
IE - HKU\S-1-5-21-2984770657-741461230-1056844531-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 70 6D 40 43 DF B3 CC 01 [binary data]
IE - HKU\S-1-5-21-2984770657-741461230-1056844531-1008\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-2984770657-741461230-1056844531-1008\..\URLSearchHook: {ffb11c0c-da90-4969-a995-8dca2e0fc10a} - C:\Program Files\CyberDefender-TB\prxtbCybe.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-2984770657-741461230-1056844531-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2984770657-741461230-1056844531-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/Photosynth,version=2.0: C:\Program Files\Photosynth\npPhotosynthMozilla.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.652: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.652: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@sony.com/eBookLibrary: C:\Program Files\Sony\Reader\Data\bin\npebldetectmoz.dll (Sony Corporation)
FF - HKLM\Software\MozillaPlugins\@sony.com/ReaderDesktop: C:\Program Files\Sony\ReaderDesktop\npreaderdetectmoz.dll (Sony Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1: C:\Program Files\Yahoo!\Common\npyaxmpb.dll (Yahoo! Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Our Home Account\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Our Home Account\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22181a4d-af90-4ca3-a569-faed9118d6bc}: C:\Program Files\Trend Micro\Titanium\UIFramework\Toolbar\firefoxextension [2011/04/10 21:29:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/06/06 22:11:10 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22C7F6C6-8D67-4534-92B5-529A0EC09405}: C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1504\6.6.1088\firefoxextension\ [2011/12/26 12:49:08 | 000,000,000 | ---D | M]


========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Our Home Account\Local Settings\Application Data\Google\Chrome\Application\15.0.874.121\gcswf32.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Java™ Platform SE 6 U12 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll
CHR - plugin: Java™ Platform SE 6 U19 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
CHR - plugin: RealNetworks™ RealPlayer Chrome Background Extension Plug-In (32-bit) (Enabled) = C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
CHR - plugin: RealPlayer™ HTML5VideoShim Plug-In (32-bit) (Enabled) = C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
CHR - plugin: RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = c:\program files\real\realplayer\Netscape6\nppl3260.dll
CHR - plugin: RealPlayer Version Plugin (Enabled) = c:\program files\real\realplayer\Netscape6\nprpjplug.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Our Home Account\Local Settings\Application Data\Google\Chrome\Application\15.0.874.121\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Our Home Account\Local Settings\Application Data\Google\Chrome\Application\15.0.874.121\pdf.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Our Home Account\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll
CHR - plugin: Google Updater (Enabled) = C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: (Enabled) = C:\Program Files\Photosynth\npPhotosynthMozilla.dll
CHR - plugin: Reader Application Detector (Enabled) = C:\Program Files\Sony\ReaderDesktop\npreaderdetectmoz.dll
CHR - plugin: Reader Library (Enabled) = C:\Program Files\Sony\Reader\Data\bin\npebldetectmoz.dll
CHR - plugin: MetaStream 3 Plugin (Enabled) = C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
CHR - plugin: Yahoo! activeX Plug-in Bridge (Enabled) = C:\Program Files\Yahoo!\Common\npyaxmpb.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: RealJukebox NS Plugin (Enabled) = c:\program files\real\realplayer\Netscape6\nprjplug.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: No name found = C:\Documents and Settings\Our Home Account\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.4_0\

O1 HOSTS File: ([2011/11/06 19:01:26 | 000,000,021 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O2 - BHO: (TmIEPlugInBHO Class) - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\module\20004\1.5.1504\6.6.1088\TmIEPlg.dll (Trend Micro Inc.)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (TSToolbarBHO) - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll (Trend Micro Inc.)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll (Google Inc.)
O2 - BHO: (TmBpIeBHO Class) - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll (Trend Micro Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll (Yahoo! Inc)
O2 - BHO: (CyberDefender-TB Toolbar) - {ffb11c0c-da90-4969-a995-8dca2e0fc10a} - C:\Program Files\CyberDefender-TB\prxtbCybe.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O3 - HKLM\..\Toolbar: (Trend Micro Toolbar) - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll (Trend Micro Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O3 - HKLM\..\Toolbar: (CyberDefender-TB Toolbar) - {ffb11c0c-da90-4969-a995-8dca2e0fc10a} - C:\Program Files\CyberDefender-TB\prxtbCybe.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-2984770657-741461230-1056844531-1008\..\Toolbar\WebBrowser: (no name) - {DAB35D68-1CDC-4375-8333-D7BBCEE3C0A0} - No CLSID value found.
O3 - HKU\S-1-5-21-2984770657-741461230-1056844531-1008\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-2984770657-741461230-1056844531-1008\..\Toolbar\WebBrowser: (CyberDefender-TB Toolbar) - {FFB11C0C-DA90-4969-A995-8DCA2E0FC10A} - C:\Program Files\CyberDefender-TB\prxtbCybe.dll (Conduit Ltd.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [ContentTransferWMDetector.exe] C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe (Sony Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Reader Application Helper] C:\Program Files\Sony\ReaderDesktop\appHelper\ReaderAppHelper.exe (Sony Corporation)
O4 - HKLM..\Run: [Reader Library Launcher] C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe (Sony Corporation)
O4 - HKLM..\Run: [Trend Micro Client Framework] C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [YCentral] C:\Program Files\Yahoo!\YCentral\YahooCentral.exe (Yahoo! Inc.)
O4 - HKU\.DEFAULT..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter File not found
O4 - HKU\S-1-5-18..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2984770657-741461230-1056844531-1008\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-2984770657-741461230-1056844531-1008\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-2984770657-741461230-1056844531-1008\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-2984770657-741461230-1056844531-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O15 - HKU\S-1-5-21-2984770657-741461230-1056844531-1008\..Trusted Domains: drivercheck.ca ([emanda] https in Trusted sites)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} http://www.geni.com/ImageUploader_5_5.cab (Image Uploader Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1239658773393 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://cbc.webex.com/client/T27LB/webex/ieatgpc.cab (GpcContainer Class)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Handler\tmbp {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll (Trend Micro Inc.)
O18 - Protocol\Handler\tmpx {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\1.5.1504\6.6.1088\TmIEPlg.dll (Trend Micro Inc.)
O18 - Protocol\Handler\tmtb {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll (Trend Micro Inc.)
O18 - Protocol\Handler\tmtbim {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Titanium\UIFramework\ProToolbarIMRatingActiveX.dll (Trend Micro Inc.)
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\TPSvc: DllName - (TPSvc.dll) - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Our Home Account\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Our Home Account\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {03A80B1D-5C6A-42c2-9DFB-81B6005D8023} - Reg Error: Value error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 03:43:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/31 15:25:45 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Our Home Account\Desktop\OTL.exe
[2011/12/29 06:15:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/12/27 14:24:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Our Home Account\Local Settings\Application Data\Secunia PSI
[2011/12/26 21:52:52 | 000,607,260 | R--- | C] (Swearware) -- C:\dds.scr
[2011/12/26 21:25:20 | 000,000,000 | ---D | C] -- C:\Program Files\Secunia
[2011/12/26 21:23:53 | 001,754,456 | ---- | C] (Secunia) -- C:\PSISetup.exe
[2011/12/26 20:26:05 | 001,578,288 | ---- | C] (Kaspersky Lab ZAO) -- C:\iexplore.com.exe
[2011/12/26 16:18:38 | 001,578,288 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Our Home Account\Desktop\tdsskiller.exe
[2011/12/26 10:41:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Our Home Account\Application Data\Malwarebytes
[2011/12/26 10:35:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/12/26 10:35:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/12/26 10:35:25 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/12/26 10:35:25 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/12/26 10:35:06 | 009,852,544 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Our Home Account\Desktop\mbam-setup-1.51.2.1300.exe
[2011/12/26 10:13:57 | 000,096,200 | ---- | C] (CyberDefender Corp.) -- C:\WINDOWS\System32\drivers\CDAVFS.sys
[2011/12/26 10:13:57 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2011/12/26 10:13:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Our Home Account\Local Settings\Application Data\CyberDefender-TB
[2011/12/26 10:13:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Our Home Account\Local Settings\Application Data\Conduit
[2011/12/26 10:13:52 | 000,000,000 | ---D | C] -- C:\Program Files\CyberDefender-TB
[2011/12/26 10:11:24 | 000,103,752 | ---- | C] (CyberDefender Corp.) -- C:\Documents and Settings\Our Home Account\Desktop\InstallCyberDefenderEDC-051929.exe
[2011/12/26 09:35:04 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Our Home Account\Recent
[2011/12/26 09:21:11 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2011/12/08 20:45:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Our Home Account\Start Menu\Programs\Google Chrome
[2011/12/06 11:34:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickTime
[2011/12/06 11:33:40 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2006/01/07 20:15:27 | 011,817,800 | ---- | C] (InstallShield Software Corporation) -- C:\Program Files\GoogleEarth.exe
[2006/01/07 20:11:35 | 001,951,432 | ---- | C] (Microsoft Corporation) -- C:\Program Files\ppviewer.exe
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\Documents and Settings\Our Home Account\My Documents\*.tmp files -> C:\Documents and Settings\Our Home Account\My Documents\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/12/31 17:53:01 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2011/12/31 17:50:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/12/31 17:49:03 | 000,001,022 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2984770657-741461230-1056844531-1008UA.job
[2011/12/31 17:37:05 | 000,130,604 | ---- | M] () -- C:\Documents and Settings\Our Home Account\Desktop\RKUnhookerLE.zip
[2011/12/31 17:15:10 | 000,000,300 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2984770657-741461230-1056844531-1008.job
[2011/12/31 17:15:06 | 000,000,308 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-2984770657-741461230-1056844531-1008.job
[2011/12/31 17:15:05 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/12/31 17:15:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/12/31 17:14:18 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/31 17:14:17 | 1063,407,616 | -HS- | M] () -- C:\hiberfil.sys
[2011/12/31 15:25:46 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Our Home Account\Desktop\OTL.exe
[2011/12/31 12:33:10 | 000,000,832 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2011/12/30 20:49:01 | 000,000,970 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2984770657-741461230-1056844531-1008Core.job
[2011/12/30 19:00:00 | 000,000,464 | ---- | M] () -- C:\WINDOWS\tasks\SyncBack Dell hard driver.job
[2011/12/29 18:00:00 | 000,000,480 | ---- | M] () -- C:\WINDOWS\tasks\SyncBackSE hort file backup.job
[2011/12/28 16:22:22 | 182,862,848 | ---- | M] () -- C:\Documents and Settings\Our Home Account\My Documents\dec 2011 outlook archive folder.pst
[2011/12/28 15:43:05 | 174,736,384 | ---- | M] () -- C:\Documents and Settings\Our Home Account\My Documents\dec 2011 outlook personal folder.pst
[2011/12/28 14:49:44 | 000,042,816 | ---- | M] () -- C:\Documents and Settings\Our Home Account\My Documents\saved bob outllook.CSV
[2011/12/28 14:49:13 | 000,009,387 | ---- | M] () -- C:\Documents and Settings\Our Home Account\Application Data\Comma Separated Values (DOS).EML
[2011/12/26 22:36:03 | 000,004,741 | ---- | M] () -- C:\attach.zip
[2011/12/26 22:06:23 | 000,302,592 | ---- | M] () -- C:\ps8gvp32.exe
[2011/12/26 21:52:55 | 000,607,260 | R--- | M] (Swearware) -- C:\dds.scr
[2011/12/26 21:51:15 | 000,050,477 | ---- | M] () -- C:\Defogger.exe
[2011/12/26 21:25:27 | 000,000,801 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
[2011/12/26 21:24:01 | 001,754,456 | ---- | M] (Secunia) -- C:\PSISetup.exe
[2011/12/26 20:36:29 | 000,011,755 | ---- | M] () -- C:\media.mp3
[2011/12/26 20:26:14 | 001,578,288 | ---- | M] (Kaspersky Lab ZAO) -- C:\iexplore.com.exe
[2011/12/26 16:18:12 | 001,578,288 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Our Home Account\Desktop\tdsskiller.exe
[2011/12/26 16:08:08 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/12/26 10:45:53 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/12/26 10:35:06 | 009,852,544 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Our Home Account\Desktop\mbam-setup-1.51.2.1300.exe
[2011/12/26 10:12:42 | 000,096,200 | ---- | M] (CyberDefender Corp.) -- C:\WINDOWS\System32\drivers\CDAVFS.sys
[2011/12/26 10:11:24 | 000,103,752 | ---- | M] (CyberDefender Corp.) -- C:\Documents and Settings\Our Home Account\Desktop\InstallCyberDefenderEDC-051929.exe
[2011/12/26 09:52:50 | 000,684,297 | ---- | M] () -- C:\Documents and Settings\Our Home Account\Desktop\unhide.exe
[2011/12/26 09:32:11 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Our Home Account\My Documents\WiNlOgOn.exe
[2011/12/26 09:27:42 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Our Home Account\My Documents\iExplore.exe
[2011/12/23 21:12:26 | 000,000,432 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Gm68RYDRrfZf88
[2011/12/23 21:06:24 | 000,000,320 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~Gm68RYDRrfZf88
[2011/12/23 21:06:24 | 000,000,224 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~Gm68RYDRrfZf88r
[2011/12/23 21:06:20 | 000,000,897 | ---- | M] () -- C:\Documents and Settings\Our Home Account\Application Data\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk
[2011/12/22 20:59:15 | 000,001,215 | ---- | M] () -- C:\Documents and Settings\Our Home Account\Desktop\SIRIUS Player - 100% Commercial-free Music.url
[2011/12/21 09:39:23 | 000,001,777 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/12/20 13:07:14 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/12/19 10:18:02 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\{95E0259B-9203-425E-8292-C7CD2DFAE5D8}_D481R191_Our Home Account.job
[2011/12/16 20:50:31 | 000,002,413 | ---- | M] () -- C:\Documents and Settings\Our Home Account\Desktop\Google Chrome.lnk
[2011/12/16 20:50:31 | 000,002,391 | ---- | M] () -- C:\Documents and Settings\Our Home Account\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/12/16 09:25:30 | 000,967,488 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/12/16 09:20:55 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/12/14 08:15:05 | 000,000,840 | ---- | M] () -- C:\Documents and Settings\Our Home Account\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2011/12/14 08:14:51 | 000,475,186 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/12/14 08:14:50 | 000,084,382 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/12/06 11:34:03 | 000,001,652 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2011/12/03 13:21:22 | 000,070,656 | ---- | M] () -- C:\Documents and Settings\Our Home Account\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\Documents and Settings\Our Home Account\My Documents\*.tmp files -> C:\Documents and Settings\Our Home Account\My Documents\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/12/31 17:37:05 | 000,130,604 | ---- | C] () -- C:\Documents and Settings\Our Home Account\Desktop\RKUnhookerLE.zip
[2011/12/31 12:33:10 | 000,000,832 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2011/12/28 16:17:26 | 182,862,848 | ---- | C] () -- C:\Documents and Settings\Our Home Account\My Documents\dec 2011 outlook archive folder.pst
[2011/12/28 15:37:54 | 174,736,384 | ---- | C] () -- C:\Documents and Settings\Our Home Account\My Documents\dec 2011 outlook personal folder.pst
[2011/12/28 14:49:29 | 000,042,816 | ---- | C] () -- C:\Documents and Settings\Our Home Account\My Documents\saved bob outllook.CSV
[2011/12/28 14:48:58 | 000,009,387 | ---- | C] () -- C:\Documents and Settings\Our Home Account\Application Data\Comma Separated Values (DOS).EML
[2011/12/28 12:20:51 | 000,000,300 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2984770657-741461230-1056844531-1008.job
[2011/12/27 13:45:48 | 1063,407,616 | -HS- | C] () -- C:\hiberfil.sys
[2011/12/26 22:36:03 | 000,004,741 | ---- | C] () -- C:\attach.zip
[2011/12/26 22:06:20 | 000,302,592 | ---- | C] () -- C:\ps8gvp32.exe
[2011/12/26 21:51:15 | 000,050,477 | ---- | C] () -- C:\Defogger.exe
[2011/12/26 21:25:27 | 000,000,801 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
[2011/12/26 21:25:27 | 000,000,764 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Secunia PSI.lnk
[2011/12/26 20:36:29 | 000,011,755 | ---- | C] () -- C:\media.mp3
[2011/12/26 10:04:17 | 000,002,265 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2011/12/26 10:04:17 | 000,001,838 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Reader for PC.lnk
[2011/12/26 10:04:17 | 000,001,652 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2011/12/26 10:04:17 | 000,001,652 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\My Printer.lnk
[2011/12/26 10:04:17 | 000,000,921 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Shutterfly Express Uploader.lnk
[2011/12/26 10:04:16 | 000,001,963 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2011/12/26 10:04:16 | 000,001,777 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/12/26 10:04:16 | 000,001,736 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Canon MP Navigator EX 2.1.lnk
[2011/12/26 10:04:16 | 000,000,772 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Content Transfer.lnk
[2011/12/26 10:04:13 | 000,002,391 | ---- | C] () -- C:\Documents and Settings\Our Home Account\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/12/26 10:04:13 | 000,001,853 | ---- | C] () -- C:\Documents and Settings\Our Home Account\Application Data\Microsoft\Internet Explorer\Quick Launch\musicmatch JUKEBOX.lnk
[2011/12/26 10:04:13 | 000,001,837 | ---- | C] () -- C:\Documents and Settings\Our Home Account\Application Data\Microsoft\Internet Explorer\Quick Launch\Adobe Digital Editions.lnk
[2011/12/26 10:04:13 | 000,001,478 | ---- | C] () -- C:\Documents and Settings\Our Home Account\Application Data\Microsoft\Internet Explorer\Quick Launch\Media Center.lnk
[2011/12/26 10:04:13 | 000,000,897 | ---- | C] () -- C:\Documents and Settings\Our Home Account\Application Data\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk
[2011/12/26 10:04:13 | 000,000,863 | ---- | C] () -- C:\Documents and Settings\Our Home Account\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/12/26 10:04:13 | 000,000,840 | ---- | C] () -- C:\Documents and Settings\Our Home Account\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2011/12/26 10:04:13 | 000,000,800 | ---- | C] () -- C:\Documents and Settings\Our Home Account\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2011/12/26 10:04:13 | 000,000,719 | ---- | C] () -- C:\Documents and Settings\Our Home Account\Application Data\Microsoft\Internet Explorer\Quick Launch\Neat Image.lnk
[2011/12/26 10:04:13 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\Our Home Account\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2011/12/26 10:03:59 | 000,002,431 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft MapPoint North America 2006.lnk
[2011/12/26 10:03:59 | 000,002,347 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 9.lnk
[2011/12/26 10:03:59 | 000,001,830 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Apple Software Update.lnk
[2011/12/26 09:52:48 | 000,684,297 | ---- | C] () -- C:\Documents and Settings\Our Home Account\Desktop\unhide.exe
[2011/12/26 09:32:06 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Our Home Account\My Documents\WiNlOgOn.exe
[2011/12/26 09:27:40 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Our Home Account\My Documents\iExplore.exe
[2011/12/23 21:06:24 | 000,000,224 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~Gm68RYDRrfZf88r
[2011/12/23 21:06:23 | 000,000,320 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~Gm68RYDRrfZf88
[2011/12/23 21:06:11 | 000,000,432 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Gm68RYDRrfZf88
[2011/12/08 20:46:15 | 000,002,413 | ---- | C] () -- C:\Documents and Settings\Our Home Account\Desktop\Google Chrome.lnk
[2011/12/08 20:44:22 | 000,001,022 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2984770657-741461230-1056844531-1008UA.job
[2011/12/08 20:44:21 | 000,000,970 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2984770657-741461230-1056844531-1008Core.job
[2011/10/18 17:23:54 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/03/19 21:01:46 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Our Home Account\Local Settings\Application Data\housecall.guid.cache
[2011/01/29 23:06:32 | 000,000,056 | ---- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/09/16 23:40:46 | 000,119,308 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/09/06 20:12:21 | 000,001,146 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_DU.dat
[2010/09/06 20:12:21 | 000,001,136 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat
[2010/09/06 20:12:21 | 000,001,129 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat
[2010/09/06 20:12:21 | 000,001,129 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat
[2010/09/06 20:12:21 | 000,001,120 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_IT.dat
[2010/09/06 20:12:21 | 000,001,107 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_GE.dat
[2010/09/06 20:12:21 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat
[2010/09/06 20:12:20 | 000,031,053 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern131.dat
[2010/09/06 20:12:20 | 000,027,417 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern121.dat
[2010/09/06 20:12:20 | 000,024,903 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat
[2010/09/06 20:12:20 | 000,021,390 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat
[2010/09/06 20:12:20 | 000,020,148 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat
[2010/09/06 20:12:20 | 000,011,811 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat
[2010/09/06 20:12:20 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat
[2010/09/06 20:12:20 | 000,001,139 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat
[2010/09/06 20:12:20 | 000,001,139 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat
[2010/03/18 22:36:25 | 000,002,994 | ---- | C] () -- C:\WINDOWS\System32\xscan32.dat
[2009/09/28 20:01:03 | 000,038,491 | ---- | C] () -- C:\Documents and Settings\Our Home Account\Application Data\Microsoft Excel.ADR
[2009/01/02 17:07:29 | 001,860,617 | ---- | C] () -- C:\Program Files\SyncBack_Setup.zip
[2008/08/31 16:25:42 | 000,013,005 | ---- | C] () -- C:\Documents and Settings\Our Home Account\Application Data\Microsoft Access.CAL
[2008/05/17 12:18:46 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\default_user_class.dat
[2008/02/18 14:09:38 | 000,038,493 | ---- | C] () -- C:\Documents and Settings\Our Home Account\Application Data\Comma Separated Values (Windows).ADR
[2007/11/16 09:54:13 | 000,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/10/12 07:00:59 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2007/08/09 13:59:54 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\myodbc3i.exe
[2007/08/09 13:59:54 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\myodbc3m.exe
[2007/04/09 17:17:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PTWebCam.INI
[2007/03/17 14:37:26 | 000,000,026 | ---- | C] () -- C:\WINDOWS\marscam.ini
[2007/01/04 22:24:42 | 000,000,139 | ---- | C] () -- C:\WINDOWS\KPCMS.INI
[2007/01/04 22:24:41 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2006/12/10 20:29:50 | 000,000,870 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/12/01 18:55:38 | 000,000,006 | ---- | C] () -- C:\Documents and Settings\Our Home Account\Application Data\dm.ini
[2006/09/21 16:28:27 | 000,000,282 | ---- | C] () -- C:\WINDOWS\EReg077.dat
[2006/09/21 16:20:35 | 000,000,141 | ---- | C] () -- C:\WINDOWS\asym.ini
[2006/09/21 16:20:35 | 000,000,049 | ---- | C] () -- C:\WINDOWS\mtb30.ini
[2006/04/14 16:54:24 | 000,111,932 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat
[2006/04/14 16:54:24 | 000,026,154 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat
[2006/04/14 16:54:24 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2006/04/04 20:22:45 | 000,002,154 | ---- | C] () -- C:\WINDOWS\System32\tmmute.ini
[2006/04/04 08:18:53 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS6h.DLL
[2006/04/03 17:31:50 | 000,000,398 | ---- | C] () -- C:\WINDOWS\System32\CNCMP60.INI
[2006/01/16 07:51:04 | 000,070,656 | ---- | C] () -- C:\Documents and Settings\Our Home Account\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/01/09 23:03:25 | 000,007,812 | ---- | C] () -- C:\WINDOWS\System32\visorusb.dll
[2006/01/04 21:07:36 | 000,000,112 | ---- | C] () -- C:\WINDOWS\ActiveSkin.INI
[2006/01/01 21:00:57 | 000,000,072 | ---- | C] () -- C:\WINDOWS\sbwin.ini
[2006/01/01 20:59:58 | 000,000,139 | ---- | C] () -- C:\Documents and Settings\Our Home Account\Local Settings\Application Data\fusioncache.dat
[2005/12/31 15:18:48 | 000,000,848 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2005/12/20 15:37:36 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/12/20 15:32:03 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2005/12/20 15:30:19 | 000,000,362 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/12/20 15:28:07 | 000,000,938 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/12/20 15:25:18 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2005/12/20 15:23:15 | 000,005,811 | R--- | C] () -- C:\WINDOWS\System32\CTSBMB.INI
[2005/12/20 14:55:44 | 000,004,969 | ---- | C] () -- C:\WINDOWS\System32\Sigfilt.ini
[2005/12/20 14:55:44 | 000,000,029 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2005/12/20 14:54:08 | 001,345,520 | ---- | C] () -- C:\WINDOWS\System32\CTMBHA.DLL
[2005/12/20 14:54:06 | 000,102,400 | ---- | C] () -- C:\WINDOWS\SETLANG.EXE
[2005/12/20 14:53:48 | 000,049,152 | ---- | C] () -- C:\WINDOWS\setpwrcg.exe
[2005/12/20 14:52:46 | 000,000,493 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/08/16 03:48:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/08/16 03:38:45 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/08/16 03:33:38 | 000,004,328 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/08/16 03:27:59 | 000,967,488 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/08/16 03:18:35 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/08/16 03:18:33 | 000,475,186 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2005/08/16 03:18:33 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2005/08/16 03:18:33 | 000,084,382 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2005/08/16 03:18:33 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2005/08/16 03:18:32 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2005/08/16 03:18:30 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/08/16 03:18:28 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2005/08/16 03:18:23 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2005/08/16 03:18:23 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2005/08/16 03:18:15 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2005/08/16 03:18:08 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2005/08/05 13:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/05/04 19:58:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/10/12 09:58:20 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\mr310exd.dll
[2001/10/12 09:57:18 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\mr310exv.dll
[2000/12/07 09:13:58 | 000,015,164 | ---- | C] () -- C:\WINDOWS\Mr310twv.ini

< End of report >
------------
OTL Extras logfile created on: 31/12/2011 17:42:59 - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Our Home Account\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

1014.07 Mb Total Physical Memory | 359.23 Mb Available Physical Memory | 35.42% Memory free
2.40 Gb Paging File | 1.80 Gb Available in Paging File | 75.22% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.33 Gb Total Space | 14.14 Gb Free Space | 9.80% Space Free | Partition Type: NTFS

Computer Name: D481R191 | User Name: Our Home Account | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-2984770657-741461230-1056844531-1008\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"1434:UDP" = 1434:UDP:*:Disabled:DPANSQL

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Dell Support\DSAgnt.exe" = C:\Program Files\Dell Support\DSAgnt.exe:*:Enabled:Dell Support -- (Gteko Ltd.)
"C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX320_series" = Canon MX320 series MP Drivers
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{18A5DFF2-8A95-49F3-873F-743CB5549F3D}" = Canon ScanGear Starter
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD LE
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 19
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{2CDCCE7E-55D5-40CC-AEA0-ABA54713501F}" = LUMIX Simple Viewer
"{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}" = Creative MediaSource
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150080}" = J2SE Runtime Environment 5.0 Update 8
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java™ 6 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{350FB27C-CF62-4EF3-AF9D-70FF313FE221}" = iTunes
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{3FF3DD04-F386-46B0-97FC-B86238B65487}" = Canon MP Drivers 6.0
"{44E75850-B838-43D2-8F37-84D3FB71FF6E}" = VGA Dual-Mode Camera
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4F41AD68-89F2-4262-A32C-2F70B01FCE9E}" = Photo Story 3 for Windows
"{52D56C42-8C69-4882-A661-39695537C9CF}" = DellConnect
"{5335DADB-34BA-4AE8-A519-648D78498846}" = Skype™ 5.3
"{53C6D09E-EAB6-49E5-BA4C-BA7FF13830FB}" = Sound Blaster Audigy ADVANCED MB
"{55B30AF2-7331-4436-9318-D9EA45A42F79}" = The Print Shop 21
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.5
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7A35F91E-1D16-454F-A248-B9B782A2327C}" = Dell Support 3.2.1
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{83ED1E80-A1B7-4246-BCF1-AC4A88151A6B}" = Microsoft MapPoint North America 2006
"{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}" = Intel® PROSet for Wired Connections
"{8495271C-707A-4AD8-9DC0-35762834A379}" = Corel Photo Album Additional Content
"{85D3CC30-8859-481A-9654-FD9B74310BEF}" = Musicmatch® Jukebox
"{8653730A-683D-4C42-BB18-6471291D5DEA}" = Canon MP Navigator 1.1
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89CED13D-A883-473D-B498-C5A4833A5567}" = ArcSoft Slide Show Maker
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{8A9B8148-DDD7-448F-BD6C-358386D32354}" = Corel Photo Album 6
"{8D2AE3F6-79DF-423C-91CB-389F6FB5837B}" = Andrea VoiceCenter
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{90AF0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office PowerPoint Viewer 2003
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{959282E3-55A9-49D8-B885-D27CF8A2FD82}" = PHOTOfunSTUDIO 5.1 HD Edition
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9A9DBEBC-C800-4776-A970-D76D6AA405B1}" = PHOTOfunSTUDIO -viewer-
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9E397B40-13F7-4CA2-9943-ADB29ACBBFDF}" = ArcSoft Software Suite
"{A212E6C2-20F7-4A8E-BD8E-DC3EE7483FA2}" = PRS-500 USB driver
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio
"{ABBD4BA8-6703-40D2-AB1E-5BB1F7DB49A4}" = Trend Micro Titanium Maximum Security
"{ABBD4BA9-6703-40D2-AB1E-5BB1F7DB49A4}" = Trend Micro™ Titanium™ Maximum Security
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.7
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Toolbars
"{B70E5793-F912-4C62-AFE2-C4F0B078FD31}" = Reader Library by Sony
"{BA0F44C2-A883-11D1-AD0A-006097D15E2C}" = Palm Desktop and Synchronization Software
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C39DE425-6CCF-4B12-A101-3CB5CF3AF3AD}" = Slideshow Generator Powertoy for Windows XP
"{C3B2579A-61EB-46ed-B9E6-1195A2565CC8}" = MSDE for AdminDB
"{C8192B14-5B56-2E27-6652-8AA650091D6E}" = Shutterfly Express Uploader
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCA1EEA3-555E-4D05-AC46-4B49C6C5D887}" = Apple Mobile Device Support
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF5B430D-C563-4EE6-803D-A8A133DFCE5E}" = Reader for PC
"{CFADE4AF-C0CF-4A04-A776-741318F1658F}" = Content Transfer
"{D2988E9B-C73F-422C-AD4B-A66EBE257120}" = MCU
"{D95ED581-3C67-4BB4-AA50-DDCC6A97226D}" = ArcSoft PhotoStudio 5.5
"{DA83FEB1-B397-461D-B120-7B996E83ADEE}" = Simply Accounting by Sage 2008
"{E33956B7-301C-429D-9E6C-2C12EACB8A62}" = NWZ-E340 WALKMAN Guide
"{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}" = Microsoft SQL Server Compact 3.5 SP1 English
"{E7559288-223B-453C-9F06-340E3BE21E39}" = MyWay Search Assistant
"{E93E5EF6-D361-481E-849D-F16EF5C78EBC}" = Musicmatch for Windows Media Player
"{F929096B-54A0-4C5C-B125-1E7EB1917412}" = MySQL Connector/ODBC 3.51
"{FCD9CD52-7222-4672-94A0-A722BA702FD0}" = Dell Resource CD
"{FCFE894A-36B3-4A61-A04A-D99519C54DB6}" = Photosynth 2.0110.0317.1042
"{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR
"{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}" = Bonjour
"{FF77941A-2BFA-4A18-BE2E-69B9498E4D55}" = User Profile Hive Cleanup Service
"75070B1806113224B16C70296B90DD1AD8A53479" = Windows Driver Package - Sony Corporation (PRSUSB) USB (08/08/2006 1.0.03.08080)
"ActiveTouchMeetingClient" = WebEx
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AdobeESD" = Adobe Download Manager 2.2 (Remove Only)
"Attachment Decoder" = Attachment Decoder
"CANONIJPLM100" = Canon Inkjet Printer/Scanner/Fax Extended Survey Program
"CanonMyPrinter" = Canon Utilities My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"com.Shutterfly.ExpressUploader" = Shutterfly Express Uploader
"CyberDefender-TB Toolbar" = CyberDefender-TB Toolbar
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"Digital Editions" = Adobe Digital Editions
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"Easy-WebPrint" = Easy-WebPrint
"EmeraldQFE2" = Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
"ESPNMotion" = ESPNMotion
"Google Updater" = Google Updater
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MP Navigator EX 2.1" = Canon MP Navigator EX 2.1
"mr97310v_8fc043e368ed4ab95d4dd84ca3ab57d6a65de509" = Windows Driver Package - Camera Maker (MR97310_VGA_DUAL_CAMERA) Image 03/07/2006 2.0.1.0
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Neat Image_is1" = Neat Image v5.6 Home
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PhoTagsExpress" = PhoTags Express
"PROSet" = Intel® PRO Network Connections Drivers
"RawShooter essentials 2005" = RawShooter essentials 2005
"RealPlayer 12.0" = RealPlayer
"Secunia PSI" = Secunia PSI (2.0.0.4003)
"Sound Blaster Audigy ADVANCED MB Product Registration" = Sound Blaster Audigy ADVANCED MB Product Registration
"SpeedConnect Connection Tester_is1" = SpeedConnect Connection Tester
"StreetPlugin" = Learn2 Player (Uninstall Only)
"SyncBackSE_is1" = SyncBackSE
"TeamViewer 5" = TeamViewer 5
"ViewpointMediaPlayer" = Viewpoint Media Player
"WebCyberCoach_wtrb" = WebCyberCoach 3.2 Dell
"WebPost" = Microsoft Web Publishing Wizard 1.52
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Central" = Yahoo! Central
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Software Update" = Yahoo! Software Update
"YInstHelper" = Yahoo! Install Manager

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2984770657-741461230-1056844531-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BeadCreatorPro" = BeadCreatorPro
"f031ef6ac137efc5" = Dell Driver Download Manager
"Google Chrome" = Google Chrome
"PocketMirror" = PocketMirror 3.1.2 (Standard Edition)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 28/12/2011 15:20:33 | Computer Name = D481R191 | Source = Microsoft Office 11 | ID = 2001
Description = Rejected Safe Mode action : Microsoft Office Outlook.

Error - 28/12/2011 15:34:57 | Computer Name = D481R191 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module , version 0.0.0.0, fault address 0x00000000.

Error - 28/12/2011 16:24:47 | Computer Name = D481R191 | Source = Media Center Phone Service | ID = 8
Description = Initializing the telephony service failed with error 0x80040005.

Error - 28/12/2011 16:25:17 | Computer Name = D481R191 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 28/12/2011 17:23:42 | Computer Name = D481R191 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module mshtml.dll, version 8.0.6001.19170, fault address 0x000a2317.

Error - 28/12/2011 22:42:26 | Computer Name = D481R191 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module unknown, version 0.0.0.0, fault address 0x02450ff3.

Error - 29/12/2011 08:11:23 | Computer Name = D481R191 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module mshtml.dll, version 8.0.6001.19170, fault address 0x000a2317.

Error - 29/12/2011 14:24:19 | Computer Name = D481R191 | Source = Media Center Phone Service | ID = 8
Description = Initializing the telephony service failed with error 0x80040005.

Error - 30/12/2011 13:30:54 | Computer Name = D481R191 | Source = Media Center Phone Service | ID = 8
Description = Initializing the telephony service failed with error 0x80040005.

Error - 31/12/2011 13:14:45 | Computer Name = D481R191 | Source = Media Center Phone Service | ID = 8
Description = Initializing the telephony service failed with error 0x80040005.

[ SyncBackSE Events ]
Error - 13/02/2009 22:17:18 | Computer Name = D481R191 | Source = SyncBackSE | ID = 101
Description =

[ System Events ]
Error - 30/12/2011 23:54:44 | Computer Name = D481R191 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 30/12/2011 23:55:32 | Computer Name = D481R191 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 31/12/2011 00:11:28 | Computer Name = D481R191 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 31/12/2011 00:30:41 | Computer Name = D481R191 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 31/12/2011 00:34:20 | Computer Name = D481R191 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 31/12/2011 00:35:41 | Computer Name = D481R191 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 31/12/2011 00:35:41 | Computer Name = D481R191 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 31/12/2011 00:49:07 | Computer Name = D481R191 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 31/12/2011 00:50:03 | Computer Name = D481R191 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 31/12/2011 00:50:03 | Computer Name = D481R191 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058


< End of report >

-------------
RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2154496 bytes
0x804D7000 RAW 2154496 bytes
0x804D7000 WMIxWDM 2154496 bytes
0xF64B8000 C:\WINDOWS\system32\DRIVERS\TM_CFW.sys 1998848 bytes (Trend Micro Inc., Trend Micro NDIS 5.0 Intermedia Driver (i386-fre))
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xAA625000 C:\WINDOWS\system32\drivers\sigfilt.sys 1351680 bytes (Creative Technology Ltd., Creative WDM Audio Driver)
0xF67FF000 C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 1052672 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xBF075000 C:\WINDOWS\System32\ialmdd5.DLL 925696 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0xF72A2000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA87F7000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF66A0000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA8917000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0x9A820000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBF157000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0x9A8A0000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xBF041000 C:\WINDOWS\System32\ialmdev5.DLL 212992 bytes (Intel Corporation, Component GHAL Driver)
0x9A9B0000 C:\WINDOWS\system32\DRIVERS\tmcomm.sys 212992 bytes (Trend Micro Inc., TrendMicro Common Module)
0x9A47F000 C:\WINDOWS\system32\DRIVERS\ctoss2k.sys 196608 bytes (Creative Technology Ltd., Creative OS Services Driver (WDM))
0xF66FE000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF740F000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0x9AA0C000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF7275000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xAA793000 C:\WINDOWS\system32\drivers\sthda.sys 184320 bytes (SigmaTel, Inc., DELLRC)
0xA8867000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF67C3000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA88EF000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0x9A4AF000 C:\WINDOWS\system32\drivers\ctusfsyn.sys 159744 bytes (Creative Technology Ltd., Creative SoundFont Synthesizer)
0x9A459000 C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys 155648 bytes (Creative Technology Ltd, SoundFont® Manager (WDM))
0xF73B9000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xF6779000 C:\WINDOWS\system32\DRIVERS\e100b325.sys 155648 bytes (Intel Corporation, Intel® PRO/100 Adapter NDIS 5.1 driver)
0xA88C9000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xAA76F000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF679F000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF6756000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0x99AAD000 C:\WINDOWS\System32\Drivers\RDPWD.SYS 143360 bytes (Microsoft Corporation, RDP Terminal Stack Driver (US/Canada Only, Not for Export))
0xA88A7000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xBF020000 C:\WINDOWS\System32\ialmdnt5.dll 135168 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0x806E5000 ACPI_HAL 134400 bytes
0x806E5000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF7381000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF73DF000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0x9A959000 C:\WINDOWS\system32\DRIVERS\tmactmon.sys 118784 bytes (Trend Micro Inc., TrendMicro Activity Monitor Module)
0xF725B000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0x9B2EB000 C:\WINDOWS\system32\dla\tfsnudf.sys 102400 bytes (Sonic Solutions, Drive Letter Access Component)
0x9B2D2000 C:\WINDOWS\system32\dla\tfsnudfa.sys 102400 bytes (Sonic Solutions, Drive Letter Access Component)
0xF73A1000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0x9B31A000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7342000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF673F000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x9A7B9000 C:\WINDOWS\system32\drivers\PfModNT.sys 94208 bytes (Creative Technology Ltd., PCI/ISA Device Info. Service)
0xF7359000 drvmcdb.sys 90112 bytes (Sonic Solutions, Device Driver)
0x9B304000 C:\WINDOWS\system32\dla\tfsnifs.sys 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xA8892000 C:\WINDOWS\system32\DRIVERS\tmtdi.sys 86016 bytes (Trend Micro Inc., Trend Micro TDI Driver (i386-fre))
0x9A524000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF67EB000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA8970000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xF732F000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF736F000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0x9A976000 C:\WINDOWS\system32\DRIVERS\tmevtmgr.sys 73728 bytes (Trend Micro Inc., TrendMicro Event Management Module)
0xF73FE000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF672E000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xA8601000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF75FE000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF76BE000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF760E000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF779E000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF769E000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBF012000 C:\WINDOWS\System32\ialmrnt5.dll 57344 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xF757E000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF762E000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF755E000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF764E000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF774E000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF761E000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF754E000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF763E000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x9B542000 C:\WINDOWS\system32\drivers\drvnddm.sys 40960 bytes (Sonic Solutions, Device Driver Manager)
0xF753E000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF767E000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF766E000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF75EE000 C:\WINDOWS\System32\Drivers\AFS2K.SYS 36864 bytes (Oak Technology Inc., Audio File System)
0x9A3C9000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xF756E000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xAA010000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF75DE000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xAA050000 C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys 36864 bytes (Microsoft Corporation, IP FILTER DRIVER)
0xF765E000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF75AE000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA6408000 C:\WINDOWS\system32\dla\tfsncofs.sys 36864 bytes (Sonic Solutions, Drive Letter Access Component)
0xF773E000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF78FE000 C:\WINDOWS\system32\drivers\Afc.sys 32768 bytes (Arcsoft, Inc., Arcsoft® ASPI Shell)
0xF78A6000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xAA3C8000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF78EE000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF789E000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF77BE000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF78D6000 C:\WINDOWS\system32\dla\tfsnboio.sys 28672 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7876000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF7906000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF7926000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF792E000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF78F6000 C:\WINDOWS\system32\drivers\pfc.sys 24576 bytes (Padus, Inc., Padus® ASPI Shell)
0xF787E000 C:\WINDOWS\system32\drivers\ssrtln.sys 24576 bytes (Sonic Solutions, Shared Driver Component)
0xF7846000 C:\WINDOWS\System32\Drivers\TDTCP.SYS 24576 bytes (Microsoft Corporation, TCP Transport Driver)
0xF78E6000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF78AE000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF78B6000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF77C6000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7916000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF77CE000 PxHelp20.sys 20480 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF791E000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF790E000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xA65B8000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0x998CD000 C:\WINDOWS\system32\DRIVERS\asyncmac.sys 16384 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0xAA4FC000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0x9F725000 C:\WINDOWS\system32\drivers\mbam.sys 16384 bytes (Malwarebytes Corporation, Malwarebytes' Anti-Malware)
0xF7A12000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xF7962000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xA62F2000 C:\WINDOWS\system32\dla\tfsnopio.sys 16384 bytes (Sonic Solutions, Drive Letter Access Component)
0xF794E000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF649C000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xAA51C000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF720A000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xAA518000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF79F6000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x9A729000 C:\WINDOWS\system32\DRIVERS\psi_mf.sys 12288 bytes (Secunia, Secunia PSI Driver)
0xF6C9B000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0x9A79D000 C:\WINDOWS\system32\Drivers\uphcleanhlp.sys 12288 bytes
0xF7A3E000 00000032 8192 bytes
0xF7AC0000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7A42000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xA454C000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7ABE000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7A3E000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7AC4000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7AC6000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7A90000 C:\WINDOWS\system32\drivers\sscdbhk5.sys 8192 bytes (Sonic Solutions, Shared Driver Component)
0xF7A92000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xA156C000 C:\WINDOWS\system32\dla\tfsnpool.sys 8192 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7A94000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7A40000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7C78000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7C49000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7BCB000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7B06000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0x9CB61000 C:\WINDOWS\system32\dla\tfsndrct.sys 4096 bytes (Sonic Solutions, Drive Letter Access Component)
0x9CB63000 C:\WINDOWS\system32\dla\tfsndres.sys 4096 bytes (Sonic Solutions, Drive Letter Access Component)
!!!!!!!!!!!Hidden driver: 0x86FCA528 00000104 0 bytes
==============================================
>Stealth
==============================================
0x86F71F70 Unknown page with executable code, 144 bytes
0x86F745F6 Unknown page with executable code, 2570 bytes
0x86F765AA Unknown page with executable code, 2646 bytes
0x86F740C3 Unknown thread object [ ETHREAD 0x86FC8020 ] TID: 112, 600 bytes
0x86F75A11 Unknown thread object [ ETHREAD 0x86FC7020 ] TID: 124, 600 bytes
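A triage helper for the RKU module listing above, added here as an example; it is not part of the original post or of RKU itself. It assumes only the line shapes visible in the log and runs over a constructed excerpt of those lines.

```python
"""Triage helper for an RkUnhooker (RKU) kernel module listing.

Added example for this thread; not part of the original post or of RKU itself.
It understands the line shapes the log above uses:

    0xF7A3E000 C:\\WINDOWS\\system32\\KDCOM.DLL 8192 bytes (Microsoft Corporation, ...)
    0xF7A3E000 00000032 8192 bytes
    !!!!!!!!!!!Hidden driver: 0x86FCA528 00000104 0 bytes
    0x86F71F70 Unknown page with executable code, 144 bytes

and reports what a responder reviews first: hidden drivers, modules with no
vendor/description, different names sharing one base address, and executable
pages that fall inside no listed module. It flags items for review only; it
does not decide what is malicious (dump stubs and HAL aliases are normal).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "<base> <name or path> <size> bytes [(vendor, description)]"
MODULE_RE = re.compile(r"^(0x[0-9A-Fa-f]+)\s+(.+?)\s+(\d+)\s+bytes(?:\s+\((.*)\))?$")
HIDDEN_RE = re.compile(r"^!+Hidden driver:\s+(0x[0-9A-Fa-f]+)\s+(\S+)\s+(\d+)\s+bytes")
# Stealth section: "Unknown page with executable code, N bytes" and thread objects
UNKNOWN_RE = re.compile(r"^(0x[0-9A-Fa-f]+)\s+Unknown (.+?),\s+(\d+)\s+bytes")


@dataclass
class Module:
    base: int
    name: str
    size: int
    info: Optional[str]  # "(vendor, description)" text; None when RKU printed none
    hidden: bool = False

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def parse_rku(text: str) -> Tuple[List[Module], List[Tuple[int, int]]]:
    """Return (modules, unknown executable pages as (address, size) pairs)."""
    modules: List[Module] = []
    pages: List[Tuple[int, int]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HIDDEN_RE.match(line)
        if m:
            modules.append(Module(int(m[1], 16), m[2], int(m[3]), None, hidden=True))
            continue
        m = UNKNOWN_RE.match(line)
        if m:
            if m[2].startswith("page"):  # thread objects are listed but carry no range
                pages.append((int(m[1], 16), int(m[3])))
            continue
        m = MODULE_RE.match(line)
        if m:
            modules.append(Module(int(m[1], 16), m[2], int(m[3]), m[4]))
    return modules, pages


def triage(text: str) -> Dict[str, object]:
    """Summarise the review items in one RKU listing."""
    modules, pages = parse_rku(text)
    visible = [mod for mod in modules if not mod.hidden]
    by_base: Dict[int, List[str]] = {}
    for mod in visible:
        by_base.setdefault(mod.base, []).append(mod.name)
    return {
        "hidden_drivers": [hex(mod.base) for mod in modules if mod.hidden],
        "no_vendor_info": sorted(mod.name for mod in visible if mod.info is None),
        # Two names at one base: either an alias (HAL) or one image overlaying another.
        "shared_base": {hex(b): names for b, names in by_base.items() if len(names) > 1},
        # Executable pages owned by no listed module are what injected kernel code
        # looks like in this tool's output; the hidden driver is excluded on purpose.
        "unknown_pages_outside_modules": [
            hex(addr) for addr, _ in pages if not any(mod.contains(addr) for mod in visible)
        ],
    }


# Constructed excerpt of the RKU log posted above (a handful of its lines).
SAMPLE_LOG = r"""
0x806E5000 ACPI_HAL 134400 bytes
0x806E5000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x9B31A000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0x9F725000 C:\WINDOWS\system32\drivers\mbam.sys 16384 bytes (Malwarebytes Corporation, Malwarebytes' Anti-Malware)
0xF7A3E000 00000032 8192 bytes
0xF7A3E000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
!!!!!!!!!!!Hidden driver: 0x86FCA528 00000104 0 bytes
==============================================
>Stealth
==============================================
0x86F71F70 Unknown page with executable code, 144 bytes
0x86F745F6 Unknown page with executable code, 2570 bytes
0x86F765AA Unknown page with executable code, 2646 bytes
0x86F740C3 Unknown thread object [ ETHREAD 0x86FC8020 ] TID: 112, 600 bytes
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```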

#4 Shannon2012
  • Security Colleague

Posted 01 January 2012 - 10:56 AM

Hi-

Thank you for the logs. On the redirects, are you being redirected to the same site every time? If so, which site? Does it matter which internet browser you are using?

Let's get cleaning up - download Combofix from either of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: how-to-use-combofix

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable your Anti-virus


Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please copy the "C:\ComboFix.txt" into your reply.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


Delete your current copy of TDSSKiller and download a fresh copy of TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
  • If TDSSKiller does not run, try renaming it.

    To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.

  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. C:\TDSSKiller.2.6.21.0_23.07.2010_15.31.43_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

In your reply, please copy in the ComboFix report and the TDSSKiller report. How is your computer running now? If you are still being redirected, send me the answers to the questions from above.
Shannon

#5 Shannon2012
  • Security Colleague

Posted 04 January 2012 - 08:27 PM

Hi-

Are you still in need of assistance?
Shannon

#6 ana_z
  • Topic Starter
  • Members

Posted 04 January 2012 - 08:39 PM

Yes!
Sorry, though I did select to be notified when you replied, I only just now saw a note that you had replied.
I will take a look now and follow your directions and get back to you shortly.

#7 ana_z
  • Topic Starter
  • Members

Posted 05 January 2012 - 12:13 PM

Hi Shannon,

I downloaded ComboFix and disabled antivirus, malware stuff and ran combofix. It ran a number of schedules and then started to delete files and then directories. It rebooted my system and I logged on. Combofix started running again. I left it overnight to run. It was still sitting at the ComboFix screen this morning with the "this may take a while" prompt. I figured it stalled and rebooted. The combofix.txt file is attached. It is quite short. I am wondering if I need to rerun. While the system is faster I still get what I think is part of the malware. When I shut my system down, I get audio of some news or music station coming through just as everything quits. This was something that would start up while my system was running as well, regardless of IE running or not.

I tried running tdsskiller that I had re-downloaded but even after renaming I could not run it. I rebooted to safe mode and tried there as well. TDSSKILLER renamed to 123abc.com or anything else will not run.

Thanks
ana_z


#8 ana_z
  • Topic Starter
  • Members

Posted 05 January 2012 - 12:15 PM

Also, forgot to add. There is not one web page that it gets redirected to.

thanks again
ana_z

#9 Shannon2012
  • Security Colleague

Posted 05 January 2012 - 03:55 PM

Hi-

Delete the copy of ComboFix from your desktop, download a fresh copy, and run it.
Shannon

#10 ana_z
  • Topic Starter
  • Members

Posted 05 January 2012 - 11:32 PM

Hi Shannon,

I downloaded a new version of ComboFix, reran that. Attached is txt file.

Then downloaded new tdsskiller.zip again. Unzipped, renamed and it still won't run.

Tried it in normal mode with virus protection etc off. Tried it in safe mode. Just won't run.

What am I missing?

Thanks

ana_z


#11 Shannon2012
  • Security Colleague

Posted 06 January 2012 - 09:30 AM

Hi-

Glad to see that ComboFix ran ok. Don't worry about TDSSKiller for now. We need to do some clean up and run another couple of scans.

First, close any open browsers.

Open notepad and copy/paste the text in the codebox below into it:

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowOutboundDestinationUnreachable"=-
"AllowOutboundSourceQuench"=-
"AllowOutboundParameterProblem"=-
"AllowOutboundTimeExceeded"=-
"AllowRedirect"=-

ClearJavaCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


Next, please run Malwarebytes' Anti-Malware (MBAM)
  • Click on the Update tab and click the Check for Updates button.
  • When the update is finished, click on the Scanner tab.
  • Select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Then, please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • If the AV Scan window appears, select (none).
  • Click Scan (if asked to update the Avast anti-virus definitions, click on No).
  • When you get the "Scan finished successfully" message, click the save log button, save it to your desktop (MBR.txt) and post it in your next reply.
  • It will also copy the MBR (Master Boot Record) into a file on your desktop as MBR.dat.

In your reply, please copy in the three reports produced from the above runs (do not attach). Leave the MBR.dat file on your desktop. Do you still have the redirects?
Shannon

#12 ana_z
  • Topic Starter
  • Members

Posted 07 January 2012 - 11:45 AM

Hi Shannon,

Yes, unfortunately I still do have the redirects.
Here are the three files you requested.
thanks!

ComboFix 12-01-06.01 - Our Home Account 06/01/2012 14:08:33.4.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.698 [GMT -7:00]
Running from: c:\documents and settings\Our Home Account\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Our Home Account\Desktop\CFScript.txt
AV: PC Cleaners *Disabled/Updated* {737A8864-C2D9-4337-B49A-B5E35815B9BB}
AV: Trend Micro Titanium Maximum Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Firewall Booster *Disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\SET22.tmp
c:\windows\system32\SET23.tmp
c:\windows\system32\SET6D.tmp
c:\windows\system32\SET6F.tmp
c:\windows\system32\SET70.tmp
c:\windows\system32\SET7C.tmp
c:\windows\system32\SET7F.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-12-06 to 2012-01-06 )))))))))))))))))))))))))))))))
.
.
2012-01-05 16:43 . 2012-01-05 16:43 -------- d--h--w- c:\windows\PIF
2012-01-03 20:07 . 2012-01-03 20:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\CyberDefender-TB
2011-12-27 21:24 . 2011-12-27 21:24 -------- d-----w- c:\documents and settings\Our Home Account\Local Settings\Application Data\Secunia PSI
2011-12-27 05:06 . 2011-12-27 05:06 302592 ----a-w- C:\ps8gvp32.exe
2011-12-27 04:52 . 2011-12-27 04:52 607260 ------r- C:\dds.scr
2011-12-27 04:51 . 2011-12-27 04:51 50477 ----a-w- C:\Defogger.exe
2011-12-27 04:25 . 2011-12-27 04:25 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Secunia PSI
2011-12-27 04:25 . 2011-12-27 04:25 -------- d-----w- c:\program files\Secunia
2011-12-27 04:23 . 2011-12-27 04:24 1754456 ----a-w- C:\PSISetup.exe
2011-12-27 03:26 . 2011-12-27 03:26 1578288 ----a-w- C:\iexplore.com.exe
2011-12-27 01:59 . 2011-12-27 01:59 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-12-27 01:52 . 2011-12-27 01:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-12-27 01:51 . 2011-12-27 01:51 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-12-26 17:41 . 2011-12-26 17:41 -------- d-----w- c:\documents and settings\Our Home Account\Application Data\Malwarebytes
2011-12-26 17:35 . 2011-12-26 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-26 17:35 . 2012-01-01 00:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-26 17:35 . 2011-12-10 22:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-26 17:13 . 2011-12-26 17:13 -------- d-----w- c:\program files\Conduit
2011-12-26 17:13 . 2011-12-26 17:12 96200 ----a-w- c:\windows\system32\drivers\CDAVFS.sys
2011-12-26 17:13 . 2012-01-05 16:23 -------- d-----w- c:\documents and settings\Our Home Account\Local Settings\Application Data\CyberDefender-TB
2011-12-26 17:13 . 2011-12-26 17:13 -------- d-----w- c:\documents and settings\Our Home Account\Local Settings\Application Data\Conduit
2011-12-26 17:13 . 2011-12-26 17:13 -------- d-----w- c:\program files\CyberDefender-TB
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-27 05:36 . 2011-12-27 05:36 4741 ----a-w- C:\attach.zip
2011-12-26 23:08 . 2011-05-16 20:26 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:25 . 2005-08-16 10:18 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2005-08-16 10:18 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2005-08-16 10:18 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2005-08-16 10:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2005-08-16 10:18 385024 ------w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2005-08-16 10:18 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2005-08-16 10:18 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-24 21:29 . 2011-10-24 21:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 21:29 . 2011-10-24 21:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-15 00:38 . 2005-08-16 10:18 456192 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2005-08-16 10:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
2006-01-08 03:16 . 2006-01-08 03:15 11817800 -c----w- c:\program files\GoogleEarth.exe
2006-01-08 03:12 . 2006-01-08 03:11 1951432 -c----w- c:\program files\ppviewer.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ffb11c0c-da90-4969-a995-8dca2e0fc10a}"= "c:\program files\CyberDefender-TB\prxtbCybe.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{ffb11c0c-da90-4969-a995-8dca2e0fc10a}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffb11c0c-da90-4969-a995-8dca2e0fc10a}]
2011-05-09 08:49 176936 ----a-w- c:\program files\CyberDefender-TB\prxtbCybe.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ffb11c0c-da90-4969-a995-8dca2e0fc10a}"= "c:\program files\CyberDefender-TB\prxtbCybe.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{ffb11c0c-da90-4969-a995-8dca2e0fc10a}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{FFB11C0C-DA90-4969-A995-8DCA2E0FC10A}"= "c:\program files\CyberDefender-TB\prxtbCybe.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{ffb11c0c-da90-4969-a995-8dca2e0fc10a}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YCentral"="c:\program files\Yahoo!\YCentral\YahooCentral.exe" [2006-02-24 413208]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2009-07-30 497000]
"Reader Library Launcher"="c:\program files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe" [2010-07-13 906648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 116752]
"Reader Application Helper"="c:\program files\Sony\ReaderDesktop\appHelper\readerAppHelper.exe" [2011-09-24 892928]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-25 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 68856]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"MovingCacheA Wininet Settings"="c:\windows\system32\wininet.dll" [2011-11-04 916992]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-13 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Support\\DSAgnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1434:UDP"= 1434:UDP:*:Disabled:DPANSQL
.
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [10/04/2011 22:02 341072]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [10/04/2011 21:27 188272]
S2 gupdate1ca24e2903dd5c;Google Update Service (gupdate1ca24e2903dd5c);c:\program files\Google\Update\GoogleUpdate.exe [24/08/2009 10:40 133104]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [26/12/2011 10:35 652872]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [13/10/2011 23:01 994360]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [13/10/2011 23:01 399416]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [10/04/2011 21:30 64080]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [24/08/2009 10:40 133104]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [26/12/2011 10:35 20464]
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;c:\windows\system32\drivers\mr97310v.sys [07/03/2006 08:43 111872]
S3 MSSQL$ADMINDB;MSSQL$ADMINDB;c:\program files\Microsoft SQL Server\MSSQL$ADMINDB\Binn\sqlservr.exe -sADMINDB --> c:\program files\Microsoft SQL Server\MSSQL$ADMINDB\Binn\sqlservr.exe -sADMINDB [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [01/09/2010 01:30 15544]
S3 SQLAgent$ADMINDB;SQLAgent$ADMINDB;c:\program files\Microsoft SQL Server\MSSQL$ADMINDB\Binn\sqlagent.EXE -i ADMINDB --> c:\program files\Microsoft SQL Server\MSSQL$ADMINDB\Binn\sqlagent.EXE -i ADMINDB [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
2012-01-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-07 15:52]
.
2012-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-24 17:40]
.
2012-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-24 17:40]
.
2012-01-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2984770657-741461230-1056844531-1008Core.job
- c:\documents and settings\Our Home Account\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-09 20:45]
.
2012-01-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2984770657-741461230-1056844531-1008UA.job
- c:\documents and settings\Our Home Account\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-09 20:45]
.
2012-01-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2984770657-741461230-1056844531-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 16:47]
.
2012-01-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2984770657-741461230-1056844531-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 16:47]
.
2012-01-05 c:\windows\Tasks\SyncBackSE hort file backup.job
- c:\program files\2BrightSparks\SyncBackSE\SyncBackSE.exe [2009-01-08 23:20]
.
2011-12-19 c:\windows\Tasks\{95E0259B-9203-425E-8292-C7CD2DFAE5D8}_D481R191_Our Home Account.job
- c:\windows\system32\mobsync.exe [2005-08-16 00:12]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://ww.google.ca/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: drivercheck.ca\emanda
TCP: DhcpNameServer = 64.59.135.133 64.59.135.135 64.59.128.120
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-06 14:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2984770657-741461230-1056844531-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="REMOVED"
.
Completion time: 2012-01-06 15:01:43
ComboFix-quarantined-files.txt 2012-01-06 22:01
.
Pre-Run: 17,199,955,968 bytes free
Post-Run: 17,240,670,208 bytes free
.
- - End Of File - - 6A5D77A126BE5A4622DD5D468FEFFE52



Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.06.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Our Home Account :: D481R191 [administrator]

Protection: Disabled

06/01/2012 20:08:58
mbam-log-2012-01-07 (09-35-12).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 323148
Time elapsed: 4 hour(s), 22 minute(s), 9 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\Qoobox\Quarantine\C\Documents and Settings\Our Home Account\Application Data\dplaysvr.exe.vir (Trojan.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\Documents and Settings\Our Home Account\Application Data\dplayx.dll.vir (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1877\A0225441.dll (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1877\A0225659.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Administrator\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

(end)



aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-07 09:23:46
-----------------------------
09:23:46.876 OS Version: Windows 5.1.2600 Service Pack 3
09:23:46.876 Number of processors: 2 586 0x403
09:23:46.876 ComputerName: D481R191 UserName:
09:24:07.611 Initialze error 0 - driver not loaded
09:26:27.173 Service scanning
09:26:29.923 Modules scanning
09:26:29.923 Disk 0 trace - called modules:
09:26:29.923
09:26:29.923 Scan finished successfully
09:27:06.001 The log file has been saved successfully to "C:\Documents and Settings\Our Home Account\Desktop\aswMBR.txt"

#13 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 07 January 2012 - 03:06 PM

Hi-

The aswMBR didn't run correctly either. Try it again in safe mode. It probably won't run correctly there either, but it is worth a try. Either way, we will try another piece of software.

Please download MBRCheck by clicking here and save it to your desktop.
  • Be sure to disable your security programs.
  • Double click on the file to run it.
  • A window will open on your desktop.
  • If an unknown bootcode is found you will have further options available to you; at this time press N, then press Enter twice.
  • If nothing unusual is found just press Enter.
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
  • Please post the contents of that file in your next reply.

Please copy in both reports - aswMBR and MBRCheck.
Shannon

#14 ana_z
  • Topic Starter

  • Members
  • 26 posts

Posted 07 January 2012 - 05:56 PM

I could not get aswMBR to run again, even in safe mode, but MBRCheck did run OK.


MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000009c

Kernel Drivers (total 105):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x80700000 \WINDOWS\system32\hal.dll
0xF7A8C000 \WINDOWS\system32\KDCOM.DLL
0xF799C000 \WINDOWS\system32\BOOTVID.dll
0xF753D000 ACPI.sys
0xF7A8E000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF752C000 pci.sys
0xF758C000 isapnp.sys
0xF7B54000 pciide.sys
0xF780C000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF759C000 MountMgr.sys
0xF750D000 ftdisk.sys
0xF7A90000 dmload.sys
0xF74E7000 dmio.sys
0xF7814000 PartMgr.sys
0xF75AC000 VolSnap.sys
0xF74CF000 atapi.sys
0xF75BC000 disk.sys
0xF75CC000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF74AF000 fltmgr.sys
0xF749D000 sr.sys
0xF7487000 drvmcdb.sys
0xF781C000 PxHelp20.sys
0xF7470000 KSecDD.sys
0xF745D000 WudfPf.sys
0xF73D0000 Ntfs.sys
0xF73A3000 NDIS.sys
0xF7389000 Mup.sys
0xF7308000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF795C000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF72E4000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF798C000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF72BE000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xF786C000 \SystemRoot\system32\drivers\pfc.sys
0xF75EC000 \SystemRoot\System32\Drivers\AFS2K.SYS
0xF787C000 \SystemRoot\system32\drivers\Afc.sys
0xF7A98000 \SystemRoot\system32\drivers\sscdbhk5.sys
0xF75FC000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF760C000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF729B000 \SystemRoot\system32\DRIVERS\ks.sys
0xF78CC000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF761C000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF762C000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7A54000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF7284000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF763C000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF764C000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7924000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF7273000 \SystemRoot\system32\DRIVERS\psched.sys
0xF765C000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF794C000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7964000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7243000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF766C000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF785C000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7874000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7A9E000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF71BD000 \SystemRoot\system32\DRIVERS\update.sys
0xF7A7C000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF6FD5000 \SystemRoot\system32\DRIVERS\TM_CFW.sys
0xF767C000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF768C000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7AAA000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7A38000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF7AAE000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7BB2000 \SystemRoot\System32\Drivers\Null.SYS
0xF7AB2000 \SystemRoot\System32\Drivers\Beep.SYS
0xF78A4000 \SystemRoot\system32\drivers\ssrtln.sys
0xF78B4000 \SystemRoot\System32\drivers\vga.sys
0xF6F99000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0xF7AB6000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF78DC000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF78EC000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7A48000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF6F3E000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF6EE5000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF6EBF000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF6E97000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF7233000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xF6E75000 \SystemRoot\System32\drivers\afd.sys
0xF769C000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF6E4A000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF6DDA000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF7954000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF76BC000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF7994000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF6FAD000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF76CC000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF7854000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7A30000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF7A40000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xF6D9A000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7AC4000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF6F5D000 \SystemRoot\System32\drivers\Dxapi.sys
0xF790C000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7B63000 \SystemRoot\System32\drivers\dxgthk.sys
0xBFF50000 \SystemRoot\System32\framebuf.dll
0xF67A2000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xBF012000 \SystemRoot\System32\ATMFD.DLL
0xF5E29000 \SystemRoot\system32\DRIVERS\srv.sys
0xF7894000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xF5D8E000 \SystemRoot\System32\Drivers\RDPWD.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 16):
0 System Idle Process
4 System
828 C:\WINDOWS\system32\smss.exe
876 csrss.exe
900 C:\WINDOWS\system32\winlogon.exe
944 C:\WINDOWS\system32\services.exe
956 C:\WINDOWS\system32\lsass.exe
1120 C:\WINDOWS\system32\svchost.exe
1208 svchost.exe
1388 C:\WINDOWS\system32\svchost.exe
1448 svchost.exe
1560 svchost.exe
472 C:\WINDOWS\explorer.exe
748 C:\WINDOWS\system32\ctfmon.exe
1740 C:\Program Files\Internet Explorer\iexplore.exe
812 C:\Documents and Settings\Our Home Account\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02738a00 (NTFS)

PhysicalDrive0 Model Number: WDCWD1600JS-75NCB1, Rev: 10.02E01

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 38BE7869FCCF026F920DA4A541B12E68993C36ED


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

#15 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 07 January 2012 - 08:55 PM

Hi-

It looks like MBRCheck found a problem with your Master Boot Record. You need to make a copy of the MBR and send it to me.

Re-Run MBRCheck.exe
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Please push the 'Y' key and then press Enter
  • When the program asks you to Enter your choice:, enter
    [1] Dump the MBR of a physical disk to file.
    and press the Enter key
  • The program will ask for the file name to dump to, type dump.txt and press Enter. You should see Dumped successfully.
  • Next, type -1 and press Enter. Next press Enter again, and the program will exit.
  • Save it to your desktop, then attach the resulting output to your next reply.

Shannon
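Added example, not code from this thread or from MBRCheck's author: MBRCheck's "MBR Code Faked!" verdict in post #14 comes from hashing the boot-code bytes of sector 0 and comparing them with known-good loaders, and the dump procedure in post #15 produces that sector as a file. The script below does the same checks on a raw 512-byte MBR: it verifies the 0x55AA signature, parses the four partition entries, hashes the 440-byte boot code with SHA-1 and looks the hash up in an allowlist, and reports how many sectors sit beyond the last partition (unpartitioned tail space is where some MBR bootkits keep their components). Everything in it is constructed: the boot-code stub is a two-byte halt loop rather than real Windows XP code, the allowlist holds only the hash of that stub as a placeholder, and the partition values are made up to resemble the layout the log implies (the log's `\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000\`02738a00` is LBA 80325 on 512-byte sectors). It also assumes the dump file is the raw 512 bytes of sector 0; check the file size before trusting the parse.

```python
"""Parse and sanity-check a raw 512-byte MBR dump (constructed example)."""
import hashlib
import struct

MBR_SIZE = 512
SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439: boot code, before the 4-byte NT disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries at 446..509
BOOT_SIG = b"\x55\xAA"   # bytes 510..511


def load_mbr(path):
    """Read the first 512 bytes of a dump file (assumed to be raw sector 0)."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


def parse_partitions(mbr):
    """Return the non-empty entries of the primary partition table."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        status, _chs0, ptype, _chs1, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors,
                      "byte_offset": lba_start * SECTOR})
    return parts


def boot_code_sha1(mbr):
    """SHA-1 of the boot-code region only, so partition edits don't change it."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def check_mbr(mbr, known_good, disk_sectors=None):
    """Structural checks plus boot-code allowlisting; returns a report dict."""
    findings = []
    if len(mbr) != MBR_SIZE:
        findings.append("dump is %d bytes, expected %d" % (len(mbr), MBR_SIZE))
    if mbr[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    bootable = [p for p in parts if p["bootable"]]
    if len(bootable) != 1:
        findings.append("%d bootable partitions, expected exactly 1" % len(bootable))
    for p in parts:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append("partition %d has zero start or length" % p["index"])
    tail = None
    if disk_sectors is not None and parts:
        tail = disk_sectors - max(p["lba_start"] + p["sectors"] for p in parts)
    sha1 = boot_code_sha1(mbr)
    label = known_good.get(sha1)
    if label is None:
        findings.append("boot code SHA1 %s not in allowlist" % sha1)
    return {"sha1": sha1, "boot_code": label, "partitions": parts,
            "tail_sectors": tail, "findings": findings}


def build_sample_mbr(boot_code, entries):
    """Assemble a constructed MBR: boot code, disk signature, table, 0x55AA."""
    mbr = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    mbr += b"\x11\x22\x33\x44" + b"\x00\x00"       # constructed NT disk signature
    table = b"".join(struct.pack("<B3sB3sII", st, b"\0\0\0", pt, b"\0\0\0", lba, n)
                     for st, pt, lba, n in entries)
    return mbr + table.ljust(64, b"\x00") + BOOT_SIG


# Constructed "clean" boot code: a halt loop (jmp $) plus NOPs, not real Windows code.
CLEAN_BOOT_CODE = b"\xEB\xFE" + b"\x90" * 20
# Constructed layout: a hidden OEM partition, then an NTFS partition at LBA 80325
# (byte offset 0x2738a00, matching the log's C: offset). Sizes are made up.
SAMPLE_ENTRIES = [(0x00, 0xDE, 63, 80262), (0x80, 0x07, 80325, 312500000)]
SAMPLE_DISK_SECTORS = 312581808                     # constructed 160 GB-class drive
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, SAMPLE_ENTRIES)
# Placeholder allowlist: the hash of the constructed stub, not a real Windows hash.
KNOWN_GOOD = {boot_code_sha1(CLEAN_MBR): "constructed clean stub"}
# Flip one byte inside the boot code to simulate an infected (faked) MBR.
_tmp = bytearray(CLEAN_MBR)
_tmp[0x10] ^= 0xFF
INFECTED_MBR = bytes(_tmp)

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", INFECTED_MBR)):
        r = check_mbr(mbr, KNOWN_GOOD, SAMPLE_DISK_SECTORS)
        print(name, r["sha1"], r["tail_sectors"], r["findings"])
```

The allowlist is the part that needs real data before this is useful on a live machine: populate it with hashes of boot code taken from a known-clean install of the same Windows version (and OEM loader, where one is present), and treat any hash outside that set exactly as MBRCheck does, as a prompt to dump the sector and look at the code rather than as proof of infection by itself.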