Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

zeroaccess infection


  • This topic is locked This topic is locked
37 replies to this topic

#1 smithd

smithd

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:25 AM

Posted 03 January 2012 - 06:42 PM

Hi,
I have a windows XP PC that was acting weirdly about a month ago. I ran malware scanners and finally ComboFix which detected and removed ZeroAccess rootkit. Or at least I thought so. Since then the PC has experienced intermittent hijacking of URLs. I ran Malwarebytes but foudn nothing. I ran Combofix and it detected the zeroaccess rootkit and tried to remove it. However, on rerunning Combofix, it detected it again, and it again tried to remove it. I have run Combofix at least 4 more times with the same result. I ran the ESET On-line scanner and it detected zeroaccess but only in the windows "restore" files. I turned off/on System Restore to delete those files and reran the ESET on-line scanner and it no longer detects ZeroAccess. I ran the ESET ZeroAccess detection software and it also does not detect the rootkit. I then downloaded and ran TDSS Killer and it does not find the rootkit. I also downloaded and ran "SypHunter" and it did not detect the rootkit. So the only scanner that now sees the infection is ComboFix. I uninstalled it and reinstalled a fresh copy but have the same results. I am pasting the ComboFix Log and asking for help.
Thanks
Don

ComboFix 12-01-03.04 - William Wood 01/03/2012 15:57:41.7.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.645 [GMT -5:00]
Running from: c:\documents and settings\William Wood\Desktop\ComboFix1.exe
AV: ESET Smart Security 5.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Resident AV is active
.
.
.
((((((((((((((((((((((((( Files Created from 2011-12-03 to 2012-01-03 )))))))))))))))))))))))))))))))
.
.
2012-01-03 20:28 . 2012-01-03 20:50 -------- d-----w- C:\sh4ldr
2012-01-03 20:28 . 2012-01-03 20:28 -------- d-----w- c:\program files\Enigma Software Group
2012-01-03 20:27 . 2012-01-03 20:49 -------- d-----w- c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP
2012-01-03 20:27 . 2012-01-03 20:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2011-12-29 23:57 . 2011-12-29 23:57 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:25 . 2004-08-10 17:51 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2004-08-10 17:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-10 17:51 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-10 17:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2004-08-10 17:51 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-04 03:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-08-10 17:51 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2004-08-10 18:02 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-01-03_17.43.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-03 20:56 . 2012-01-03 20:56 16384 c:\windows\temp\Perflib_Perfdata_11c.dat
+ 2012-01-03 21:04 . 2012-01-03 21:04 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\750de53f30e516eb2c62de9bab7954e9\System.Web.DynamicData.Design.ni.dll
+ 2012-01-03 20:49 . 2012-01-03 20:49 27499 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCall.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 129536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\0bda7bdfaf440d5dd4bc6a1dea7ffa39\System.Web.Routing.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\6e29f9faa74a48b83a13a3413b826295\System.Web.Extensions.Design.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\be8965fe859bc53dff61579bf626858b\System.Web.Entity.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\8441b3eb247e0344fede848337ee911c\System.Web.Entity.Design.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\09c6a41f187ba483486cdb92dad714a1\System.Web.DynamicData.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\5efb726d424b9712632eff749411fa89\System.Web.Abstractions.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 756736 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\f374e8e7849a72d1470b4a6a0771a137\System.Data.Entity.Design.ni.dll
+ 2012-01-03 21:03 . 2012-01-03 21:03 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\439732479756e0f6df88d29e50a402bf\ServiceModelReg.ni.exe
+ 2012-01-03 20:27 . 2012-01-03 20:27 180382 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla21.exe
+ 2012-01-03 20:49 . 2012-01-03 20:49 180382 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla21.dll
+ 2012-01-03 20:49 . 2012-01-03 20:49 175992 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla20.dll
+ 2012-01-03 20:49 . 2012-01-03 20:49 176035 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla2.dll
+ 2012-01-03 20:49 . 2012-01-03 20:49 176035 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla19.dll
+ 2012-01-03 20:49 . 2012-01-03 20:49 179340 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla18.exe
+ 2012-01-03 20:49 . 2012-01-03 20:49 176545 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla17.dll
+ 2012-01-03 20:49 . 2012-01-03 20:49 179340 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla.dll
+ 2012-01-03 21:05 . 2012-01-03 21:05 1356288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\05c29118462056cf810df0b6aa660d05\System.WorkflowServices.ni.dll
+ 2012-01-03 21:05 . 2012-01-03 21:05 1908224 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\26b3258c559dc0ab6bdce481ffd458b3\System.Workflow.Runtime.ni.dll
+ 2012-01-03 21:05 . 2012-01-03 21:05 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\1642d1b72cd84caf24cbe7c5e8fd8368\System.Workflow.ComponentModel.ni.dll
+ 2012-01-03 21:05 . 2012-01-03 21:05 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\32ce12c3c2049f2df94c44c94b052e16\System.Workflow.Activities.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:05 1840640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\f63ae1310e004777e880f28377bcddd2\System.Web.Services.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\c99b02434e71ca9898bebbc08d63e885\System.Web.Mobile.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 2405888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\c8f78b9e94857fdf6c2a378dd1629ee0\System.Web.Extensions.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\ae749b024162e9ac79110c633b5ce6be\System.ServiceModel.Web.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 1328128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\f35064c125799df650c1a959d8fa450b\System.Data.Services.ni.dll
+ 2012-01-03 21:03 . 2012-01-03 21:03 1712128 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\a86c12788293105a0d9fda1bc90c90bc\Microsoft.VisualBasic.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 11817472 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\62e34cfb5a8b233667c7c5a47a32ad93\System.Web.ni.dll
+ 2012-01-03 21:03 . 2012-01-03 21:03 17403904 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\2dac4fc006596760cd4988d0bfd52ff0\System.ServiceModel.ni.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-15 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-11 148888]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-14 16132608]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-09-22 3080264]
.
c:\documents and settings\William Wood\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
PHONEslips.lnk - s:\pslips\PSWIN32.EXE [2009-6-11 8192]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^William Wood^Start Menu^Programs^Startup^PHONEslips.lnk]
path=c:\documents and settings\William Wood\Start Menu\Programs\Startup\PHONEslips.lnk
backup=c:\windows\pss\PHONEslips.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 17:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2007-10-11 21:02 1862144 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2005-03-17 19:25 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 22:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 16:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 15:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-10-15 17:53 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\v8200\\DMMultiView\\MultiView.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 2:47 PM 118104]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [9/22/2011 12:03 PM 974944]
R2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2010-06-03 c:\windows\Tasks\Install.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2010-05-26 16:43]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: microsoft.com\www.update
TCP: DhcpNameServer = 24.25.5.60 24.25.5.61
DPF: {FEC048AB-277A-460C-BF50-1A4193AEF148} - hxxp://67.77.12.20/cab/DownloadCenter_8200.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-03 16:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\2143E8]
"imagepath"="\??\c:\windows\TEMP\2143E8.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\igfxdev.dll
.
Completion time: 2012-01-03 16:09:03
ComboFix-quarantined-files.txt 2012-01-03 21:09
ComboFix2.txt 2012-01-03 19:11
ComboFix3.txt 2012-01-03 17:46
ComboFix4.txt 2011-12-30 00:44
ComboFix5.txt 2012-01-03 19:30
.
Pre-Run: 63,306,391,552 bytes free
Post-Run: 63,298,039,808 bytes free
.
- - End Of File - - 5794106AC9A69976045BF5F4061D5043

BC AdBot (Login to Remove)

 


#2 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:12:25 PM

Posted 04 January 2012 - 03:02 AM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. :)

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days
    failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.
____________________________________________________

Running TDSSKiller

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    Posted Image
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

    Posted Image
  • Click the Start Scan button.

    Posted Image
  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    Posted Image
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure SKIP is selected, then click Continue => Reboot now to finish the cleaning process.

    Posted Image
  • Note: Do not choose Cure or Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.


NEXT:




Scanning with GMER

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.


Posted Image
Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

    Posted Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

Notes:
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning
.



NEXT:



Running OTL

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 smithd

smithd
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:25 AM

Posted 04 January 2012 - 06:39 PM

Hi Agent ST, thank you for your quick response. I am pasting the logs that you requested.
A few comments first.
1. After running TDSS Killer, and selecting "skip" and then "continue", the option to "Reboot now" was not there. I rebooted anywhay
2. When setting up GMER, in the right panel, the label is "Files C:\" and not "Drives C:\"
3. When trying to download the OTL report, the first link to "http://oldtimer..." was not valid. I did a Google search to get to the download.
4. When trying to get to the OTL report, the second link to "http://www.ITXassociates..." required a username and password which I didn't have.

Here are the logs:
TDSS Killer:
12:23:52.0187 2676 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
12:23:52.0593 2676 ============================================================
12:23:52.0593 2676 Current date / time: 2012/01/04 12:23:52.0593
12:23:52.0593 2676 SystemInfo:
12:23:52.0593 2676
12:23:52.0593 2676 OS Version: 5.1.2600 ServicePack: 3.0
12:23:52.0593 2676 Product type: Workstation
12:23:52.0593 2676 ComputerName: KENPC
12:23:52.0593 2676 UserName: William Wood
12:23:52.0593 2676 Windows directory: C:\WINDOWS
12:23:52.0593 2676 System windows directory: C:\WINDOWS
12:23:52.0593 2676 Processor architecture: Intel x86
12:23:52.0593 2676 Number of processors: 2
12:23:52.0593 2676 Page size: 0x1000
12:23:52.0593 2676 Boot type: Normal boot
12:23:52.0593 2676 ============================================================
12:23:54.0796 2676 Initialize success
12:24:30.0890 2752 ============================================================
12:24:30.0890 2752 Scan started
12:24:30.0890 2752 Mode: Manual; SigCheck; TDLFS;
12:24:30.0890 2752 ============================================================
12:24:31.0234 2752 10849 - ok
12:24:31.0250 2752 1293D - ok
12:24:31.0281 2752 19938 - ok
12:24:31.0328 2752 2143E8 - ok
12:24:31.0343 2752 507D - ok
12:24:31.0359 2752 82311 - ok
12:24:31.0375 2752 Abiosdsk - ok
12:24:31.0421 2752 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
12:24:33.0593 2752 abp480n5 - ok
12:24:33.0734 2752 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
12:24:34.0015 2752 ACPI - ok
12:24:34.0078 2752 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
12:24:34.0296 2752 ACPIEC - ok
12:24:34.0359 2752 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
12:24:34.0578 2752 adpu160m - ok
12:24:34.0625 2752 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
12:24:34.0796 2752 aec - ok
12:24:34.0859 2752 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
12:24:34.0968 2752 AFD - ok
12:24:34.0984 2752 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
12:24:35.0156 2752 agp440 - ok
12:24:35.0203 2752 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
12:24:35.0359 2752 agpCPQ - ok
12:24:35.0375 2752 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
12:24:35.0468 2752 Aha154x - ok
12:24:35.0484 2752 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
12:24:35.0609 2752 aic78u2 - ok
12:24:35.0640 2752 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
12:24:35.0812 2752 aic78xx - ok
12:24:35.0812 2752 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
12:24:36.0000 2752 AliIde - ok
12:24:36.0046 2752 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
12:24:36.0859 2752 alim1541 - ok
12:24:37.0000 2752 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
12:24:37.0171 2752 amdagp - ok
12:24:37.0250 2752 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
12:24:37.0359 2752 amsint - ok
12:24:37.0390 2752 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
12:24:37.0562 2752 asc - ok
12:24:37.0625 2752 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
12:24:37.0703 2752 asc3350p - ok
12:24:37.0703 2752 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
12:24:37.0859 2752 asc3550 - ok
12:24:37.0921 2752 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
12:24:38.0078 2752 AsyncMac - ok
12:24:38.0140 2752 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
12:24:38.0250 2752 atapi - ok
12:24:38.0265 2752 Atdisk - ok
12:24:38.0312 2752 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
12:24:38.0484 2752 Atmarpc - ok
12:24:38.0546 2752 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
12:24:38.0734 2752 audstub - ok
12:24:38.0796 2752 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
12:24:39.0187 2752 Beep - ok
12:24:39.0484 2752 catchme - ok
12:24:39.0609 2752 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
12:24:39.0828 2752 cbidf - ok
12:24:39.0843 2752 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
12:24:39.0953 2752 cbidf2k - ok
12:24:40.0000 2752 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
12:24:40.0140 2752 cd20xrnt - ok
12:24:40.0156 2752 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
12:24:40.0328 2752 Cdaudio - ok
12:24:40.0375 2752 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
12:24:40.0562 2752 Cdfs - ok
12:24:40.0593 2752 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
12:24:40.0765 2752 Cdrom - ok
12:24:40.0781 2752 Changer - ok
12:24:40.0843 2752 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
12:24:41.0000 2752 CmdIde - ok
12:24:41.0046 2752 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
12:24:41.0203 2752 Cpqarray - ok
12:24:41.0265 2752 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
12:24:41.0437 2752 dac2w2k - ok
12:24:41.0500 2752 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
12:24:41.0671 2752 dac960nt - ok
12:24:41.0750 2752 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
12:24:41.0890 2752 Disk - ok
12:24:42.0000 2752 DLABMFSM (0659e6e0a95564f958d9df7313f7701e) C:\WINDOWS\system32\DLA\DLABMFSM.SYS
12:24:42.0609 2752 DLABMFSM - ok
12:24:42.0625 2752 DLABOIOM (8691c78908f0bd66170669db268369f2) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
12:24:42.0703 2752 DLABOIOM - ok
12:24:42.0859 2752 DLACDBHM (76167b5eb2dffc729edc36386876b40b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
12:24:42.0906 2752 DLACDBHM - ok
12:24:42.0984 2752 DLADResM (5615744a1056933b90e6ac54feb86f35) C:\WINDOWS\system32\DLA\DLADResM.SYS
12:24:43.0046 2752 DLADResM - ok
12:24:43.0078 2752 DLAIFS_M (1aeca2afa5005ce4a550cf8eb55a8c88) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
12:24:43.0125 2752 DLAIFS_M - ok
12:24:43.0140 2752 DLAOPIOM (840e7f6abb885c72b9ffddb022ef5b6d) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
12:24:43.0187 2752 DLAOPIOM - ok
12:24:43.0203 2752 DLAPoolM (0294d18731ac05da80132ce88f8a876b) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
12:24:43.0265 2752 DLAPoolM - ok
12:24:43.0281 2752 DLARTL_M (91886fed52a3f9966207bce46cfd794f) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
12:24:43.0312 2752 DLARTL_M - ok
12:24:43.0312 2752 DLAUDFAM (cca4e121d599d7d1706a30f603731e59) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
12:24:43.0359 2752 DLAUDFAM - ok
12:24:43.0375 2752 DLAUDF_M (7dab85c33135df24419951da4e7d38e5) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
12:24:43.0406 2752 DLAUDF_M - ok
12:24:43.0703 2752 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
12:24:43.0984 2752 dmboot - ok
12:24:44.0296 2752 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
12:24:44.0515 2752 dmio - ok
12:24:44.0734 2752 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
12:24:44.0984 2752 dmload - ok
12:24:45.0046 2752 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
12:24:45.0203 2752 DMusic - ok
12:24:45.0328 2752 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
12:24:45.0500 2752 dpti2o - ok
12:24:45.0625 2752 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
12:24:45.0812 2752 drmkaud - ok
12:24:45.0859 2752 DRVMCDB (c00440385cf9f3d142917c63f989e244) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
12:24:45.0906 2752 DRVMCDB - ok
12:24:45.0984 2752 DRVNDDM (6e6ab29d3c06e64ce81feacda85394b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
12:24:46.0015 2752 DRVNDDM - ok
12:24:46.0281 2752 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
12:24:46.0390 2752 DSproct ( UnsignedFile.Multi.Generic ) - warning
12:24:46.0390 2752 DSproct - detected UnsignedFile.Multi.Generic (1)
12:24:46.0546 2752 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
12:24:46.0703 2752 dsunidrv - ok
12:24:46.0781 2752 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
12:24:46.0968 2752 E100B - ok
12:24:47.0031 2752 e1express (34aaa3b298a852b3663e6e0d94d12945) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
12:24:47.0078 2752 e1express - ok
12:24:47.0187 2752 eamon (9309c5c9831203436e64cf2ae605c5d7) C:\WINDOWS\system32\DRIVERS\eamon.sys
12:24:47.0234 2752 eamon - ok
12:24:47.0484 2752 ehdrv (deff87f04ab5f6dd5edf2b80853bbe10) C:\WINDOWS\system32\DRIVERS\ehdrv.sys
12:24:47.0546 2752 ehdrv - ok
12:24:47.0656 2752 epfw (5ba193ca0ae31209aaa39939ce6736b2) C:\WINDOWS\system32\DRIVERS\epfw.sys
12:24:47.0765 2752 epfw - ok
12:24:47.0921 2752 Epfwndis (75d3bcd3e0eded0ab0f96d9a10ff01c9) C:\WINDOWS\system32\DRIVERS\Epfwndis.sys
12:24:47.0968 2752 Epfwndis - ok
12:24:48.0109 2752 epfwtdi (dc64f26f35e32c9472bbf8acd84060d3) C:\WINDOWS\system32\DRIVERS\epfwtdi.sys
12:24:48.0171 2752 epfwtdi - ok
12:24:48.0328 2752 esgiguard - ok
12:24:48.0421 2752 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
12:24:48.0593 2752 Fastfat - ok
12:24:48.0640 2752 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
12:24:48.0828 2752 Fdc - ok
12:24:48.0859 2752 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
12:24:49.0031 2752 Fips - ok
12:24:49.0031 2752 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
12:24:49.0234 2752 Flpydisk - ok
12:24:49.0328 2752 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
12:24:49.0484 2752 FltMgr - ok
12:24:49.0812 2752 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
12:24:49.0984 2752 Fs_Rec - ok
12:24:50.0031 2752 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
12:24:50.0218 2752 Ftdisk - ok
12:24:50.0281 2752 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
12:24:50.0453 2752 Gpc - ok
12:24:50.0500 2752 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
12:24:50.0687 2752 HDAudBus - ok
12:24:50.0703 2752 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
12:24:50.0906 2752 HidUsb - ok
12:24:51.0218 2752 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
12:24:51.0375 2752 hpn - ok
12:24:51.0453 2752 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
12:24:51.0531 2752 HTTP - ok
12:24:51.0593 2752 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
12:24:51.0750 2752 i2omgmt - ok
12:24:51.0781 2752 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
12:24:51.0953 2752 i2omp - ok
12:24:52.0031 2752 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
12:24:52.0250 2752 i8042prt - ok
12:24:52.0468 2752 ialm (28423512370705aeda6a652fedb25468) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
12:24:52.0828 2752 ialm - ok
12:24:53.0046 2752 iaStor (997e8f5939f2d12cd9f2e6b395724c16) C:\WINDOWS\system32\drivers\iaStor.sys
12:24:53.0109 2752 iaStor - ok
12:24:53.0187 2752 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
12:24:53.0375 2752 Imapi - ok
12:24:53.0531 2752 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
12:24:53.0718 2752 ini910u - ok
12:24:53.0937 2752 IntcAzAudAddService (17bbbabb21f86b650b2626045a9d016c) C:\WINDOWS\system32\drivers\RtkHDAud.sys
12:24:54.0375 2752 IntcAzAudAddService - ok
12:24:54.0515 2752 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
12:24:54.0765 2752 IntelIde - ok
12:24:54.0828 2752 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
12:24:54.0984 2752 intelppm - ok
12:24:55.0046 2752 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
12:24:55.0265 2752 Ip6Fw - ok
12:24:55.0296 2752 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
12:24:55.0484 2752 IpInIp - ok
12:24:55.0625 2752 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
12:24:55.0812 2752 IpNat - ok
12:24:55.0875 2752 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
12:24:56.0078 2752 IPSec - ok
12:24:56.0125 2752 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
12:24:56.0234 2752 IRENUM - ok
12:24:56.0265 2752 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
12:24:57.0171 2752 isapnp - ok
12:24:57.0343 2752 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
12:24:57.0515 2752 Kbdclass - ok
12:24:57.0562 2752 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
12:24:57.0718 2752 kbdhid - ok
12:24:57.0750 2752 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
12:24:57.0906 2752 kmixer - ok
12:24:57.0968 2752 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
12:24:58.0156 2752 KSecDD - ok
12:24:58.0234 2752 lbrtfdc - ok
12:24:58.0296 2752 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
12:24:58.0453 2752 mnmdd - ok
12:24:58.0546 2752 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
12:24:58.0781 2752 Modem - ok
12:24:58.0859 2752 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
12:24:59.0093 2752 Mouclass - ok
12:24:59.0187 2752 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
12:24:59.0343 2752 mouhid - ok
12:24:59.0375 2752 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
12:24:59.0546 2752 MountMgr - ok
12:24:59.0609 2752 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
12:24:59.0765 2752 mraid35x - ok
12:24:59.0828 2752 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
12:25:00.0015 2752 MRxDAV - ok
12:25:00.0109 2752 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
12:25:00.0281 2752 MRxSmb - ok
12:25:00.0343 2752 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
12:25:00.0531 2752 Msfs - ok
12:25:00.0656 2752 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
12:25:00.0843 2752 MSKSSRV - ok
12:25:00.0875 2752 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
12:25:01.0093 2752 MSPCLOCK - ok
12:25:01.0171 2752 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
12:25:01.0375 2752 MSPQM - ok
12:25:01.0453 2752 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
12:25:01.0609 2752 mssmbios - ok
12:25:01.0656 2752 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
12:25:01.0750 2752 Mup - ok
12:25:01.0796 2752 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
12:25:01.0984 2752 NDIS - ok
12:25:02.0046 2752 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
12:25:02.0140 2752 NdisTapi - ok
12:25:02.0203 2752 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
12:25:02.0375 2752 Ndisuio - ok
12:25:02.0390 2752 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
12:25:02.0562 2752 NdisWan - ok
12:25:02.0734 2752 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
12:25:02.0906 2752 NDProxy - ok
12:25:02.0953 2752 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
12:25:03.0156 2752 NetBIOS - ok
12:25:03.0218 2752 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
12:25:03.0406 2752 NetBT - ok
12:25:03.0468 2752 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
12:25:03.0671 2752 Npfs - ok
12:25:03.0812 2752 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
12:25:04.0046 2752 Ntfs - ok
12:25:04.0140 2752 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
12:25:04.0312 2752 Null - ok
12:25:04.0500 2752 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
12:25:04.0765 2752 nv - ok
12:25:04.0812 2752 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
12:25:04.0968 2752 NwlnkFlt - ok
12:25:05.0015 2752 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
12:25:05.0156 2752 NwlnkFwd - ok
12:25:05.0203 2752 Packet (8f856dae19383bd69db444004d5d4f50) C:\WINDOWS\system32\DRIVERS\packet.sys
12:25:05.0265 2752 Packet ( UnsignedFile.Multi.Generic ) - warning
12:25:05.0265 2752 Packet - detected UnsignedFile.Multi.Generic (1)
12:25:05.0359 2752 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
12:25:05.0562 2752 Parport - ok
12:25:05.0593 2752 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
12:25:05.0765 2752 PartMgr - ok
12:25:05.0937 2752 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
12:25:06.0125 2752 ParVdm - ok
12:25:06.0156 2752 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
12:25:06.0343 2752 PCI - ok
12:25:06.0375 2752 PCIDump - ok
12:25:06.0437 2752 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
12:25:06.0609 2752 PCIIde - ok
12:25:06.0640 2752 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
12:25:06.0812 2752 Pcmcia - ok
12:25:06.0890 2752 PDCOMP - ok
12:25:06.0937 2752 PDFRAME - ok
12:25:06.0937 2752 PDRELI - ok
12:25:06.0953 2752 PDRFRAME - ok
12:25:07.0015 2752 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
12:25:07.0156 2752 perc2 - ok
12:25:07.0187 2752 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
12:25:07.0359 2752 perc2hib - ok
12:25:07.0437 2752 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
12:25:07.0609 2752 PptpMiniport - ok
12:25:07.0625 2752 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
12:25:07.0781 2752 PSched - ok
12:25:07.0812 2752 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
12:25:07.0968 2752 Ptilink - ok
12:25:08.0046 2752 PxHelp20 (feffcfdc528764a04c8ed63d5fa6e711) C:\WINDOWS\system32\Drivers\PxHelp20.sys
12:25:08.0093 2752 PxHelp20 ( UnsignedFile.Multi.Generic ) - warning
12:25:08.0093 2752 PxHelp20 - detected UnsignedFile.Multi.Generic (1)
12:25:08.0171 2752 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
12:25:08.0343 2752 ql1080 - ok
12:25:08.0375 2752 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
12:25:08.0546 2752 Ql10wnt - ok
12:25:08.0593 2752 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
12:25:09.0453 2752 ql12160 - ok
12:25:09.0609 2752 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
12:25:09.0843 2752 ql1240 - ok
12:25:09.0921 2752 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
12:25:10.0140 2752 ql1280 - ok
12:25:10.0171 2752 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
12:25:10.0328 2752 RasAcd - ok
12:25:10.0390 2752 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
12:25:10.0562 2752 Rasl2tp - ok
12:25:10.0625 2752 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
12:25:10.0781 2752 RasPppoe - ok
12:25:10.0812 2752 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
12:25:10.0984 2752 Raspti - ok
12:25:11.0015 2752 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
12:25:11.0250 2752 Rdbss - ok
12:25:11.0281 2752 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
12:25:11.0437 2752 RDPCDD - ok
12:25:11.0515 2752 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
12:25:11.0656 2752 rdpdr - ok
12:25:11.0718 2752 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
12:25:11.0765 2752 RDPWD - ok
12:25:11.0875 2752 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
12:25:12.0062 2752 redbook - ok
12:25:12.0171 2752 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
12:25:12.0281 2752 Secdrv - ok
12:25:12.0328 2752 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
12:25:12.0484 2752 serenum - ok
12:25:12.0531 2752 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
12:25:12.0718 2752 Serial - ok
12:25:12.0796 2752 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
12:25:12.0968 2752 Sfloppy - ok
12:25:12.0968 2752 Simbad - ok
12:25:13.0046 2752 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
12:25:13.0218 2752 sisagp - ok
12:25:13.0281 2752 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
12:25:13.0359 2752 Sparrow - ok
12:25:13.0421 2752 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
12:25:13.0578 2752 splitter - ok
12:25:13.0625 2752 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
12:25:13.0734 2752 sr - ok
12:25:13.0812 2752 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
12:25:13.0937 2752 Srv - ok
12:25:14.0000 2752 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
12:25:14.0156 2752 swenum - ok
12:25:14.0187 2752 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
12:25:14.0375 2752 swmidi - ok
12:25:14.0421 2752 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
12:25:14.0546 2752 symc810 - ok
12:25:14.0562 2752 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
12:25:14.0703 2752 symc8xx - ok
12:25:14.0828 2752 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
12:25:14.0968 2752 sym_hi - ok
12:25:14.0984 2752 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
12:25:15.0109 2752 sym_u3 - ok
12:25:15.0156 2752 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
12:25:15.0281 2752 sysaudio - ok
12:25:15.0359 2752 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
12:25:15.0546 2752 Tcpip - ok
12:25:15.0593 2752 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
12:25:15.0781 2752 TDPIPE - ok
12:25:15.0828 2752 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
12:25:15.0984 2752 TDTCP - ok
12:25:16.0015 2752 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
12:25:16.0203 2752 TermDD - ok
12:25:16.0234 2752 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
12:25:16.0390 2752 TosIde - ok
12:25:16.0421 2752 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
12:25:16.0562 2752 Udfs - ok
12:25:16.0578 2752 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
12:25:16.0687 2752 ultra - ok
12:25:16.0750 2752 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
12:25:16.0953 2752 Update - ok
12:25:17.0000 2752 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
12:25:17.0171 2752 usbehci - ok
12:25:17.0218 2752 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
12:25:17.0375 2752 usbhub - ok
12:25:17.0531 2752 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
12:25:17.0718 2752 USBSTOR - ok
12:25:17.0750 2752 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
12:25:17.0890 2752 usbuhci - ok
12:25:17.0906 2752 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
12:25:18.0078 2752 VgaSave - ok
12:25:18.0109 2752 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
12:25:18.0328 2752 viaagp - ok
12:25:18.0375 2752 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
12:25:18.0546 2752 ViaIde - ok
12:25:18.0593 2752 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
12:25:18.0750 2752 VolSnap - ok
12:25:18.0796 2752 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
12:25:18.0953 2752 Wanarp - ok
12:25:18.0968 2752 WDICA - ok
12:25:19.0015 2752 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
12:25:19.0187 2752 wdmaud - ok
12:25:19.0296 2752 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
12:25:19.0453 2752 WS2IFSL - ok
12:25:19.0500 2752 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
12:25:19.0718 2752 \Device\Harddisk0\DR0 - ok
12:25:19.0718 2752 Boot (0x1200) (c9c12e1ed54536d91d138451ecbc9d65) \Device\Harddisk0\DR0\Partition0
12:25:19.0718 2752 \Device\Harddisk0\DR0\Partition0 - ok
12:25:19.0718 2752 ============================================================
12:25:19.0718 2752 Scan finished
12:25:19.0718 2752 ============================================================
12:25:19.0828 2744 Detected object count: 3
12:25:19.0828 2744 Actual detected object count: 3
12:25:37.0578 2744 DSproct ( UnsignedFile.Multi.Generic ) - skipped by user
12:25:37.0578 2744 DSproct ( UnsignedFile.Multi.Generic ) - User select action: Skip
12:25:37.0578 2744 Packet ( UnsignedFile.Multi.Generic ) - skipped by user
12:25:37.0578 2744 Packet ( UnsignedFile.Multi.Generic ) - User select action: Skip
12:25:37.0593 2744 PxHelp20 ( UnsignedFile.Multi.Generic ) - skipped by user
12:25:37.0593 2744 PxHelp20 ( UnsignedFile.Multi.Generic ) - User select action: Skip
12:25:55.0218 2672 Deinitialize success


GMER log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-04 13:23:59
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JD-75MSA3 rev.10.01E04
Running: gmer.exe; Driver: C:\DOCUME~1\WILLIA~1\LOCALS~1\Temp\pxtdqpow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xA95564B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwCreateThread [0xA95567F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDebugActiveProcess [0xA9556AB0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDuplicateObject [0xA95565D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwLoadDriver [0xA95568B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xA9556350]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenThread [0xA9556410]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwProtectVirtualMemory [0xA9556570]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwQueueApcThread [0xA9556630]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetContextThread [0xA9556530]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xA95564F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0xA9556670]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSystemInformation [0xA9556870]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0xA95563B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0xA9556430]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSystemDebugControl [0xA9556830]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateProcess [0xA9556370]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateThread [0xA9556470]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0xA95565F0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FD8 80504874 12 Bytes [B0, 63, 55, A9, 30, 64, 55, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[300] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- EOF - GMER 1.0.15 ----

OTL TXT:

OTL logfile created on: 1/4/2012 1:31:03 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\William Wood\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.10 Mb Total Physical Memory | 553.18 Mb Available Physical Memory | 54.60% Memory free
2.38 Gb Paging File | 2.04 Gb Available in Paging File | 85.68% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.45 Gb Total Space | 58.97 Gb Free Space | 79.21% Space Free | Partition Type: NTFS
Drive E: | 976.11 Mb Total Space | 968.47 Mb Free Space | 99.22% Space Free | Partition Type: FAT
Drive S: | 149.05 Gb Total Space | 144.96 Gb Free Space | 97.26% Space Free | Partition Type: NTFS

Computer Name: KENPC | User Name: William Wood | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/04 13:29:48 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\William Wood\Desktop\OTL.com
PRC - [2011/09/22 12:03:30 | 000,974,944 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe
PRC - [2011/09/22 12:03:02 | 003,080,264 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\egui.exe
PRC - [2009/09/16 18:22:08 | 000,020,480 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/05/25 11:38:46 | 000,112,176 | ---- | M] (SingleClick Systems) -- C:\Program Files\Dell Network Assistant\hnm_svc.exe
PRC - [2006/09/13 09:32:12 | 000,128,536 | ---- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe


========== Modules (No Company Name) ==========

MOD - [2011/10/13 11:25:59 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\abef85f2fb8ba830eda73e2d12e8d41e\System.ServiceProcess.ni.dll
MOD - [2011/10/13 10:40:27 | 007,950,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\af39f6e644af02873b9bae319f2bfb13\System.ni.dll
MOD - [2011/10/13 09:18:41 | 011,490,816 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll
MOD - [2006/11/05 10:28:18 | 004,587,520 | R--- | M] () -- C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\ROXIPP41.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/09/22 12:03:30 | 000,974,944 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe -- (ekrn)
SRV - [2009/09/16 18:22:08 | 000,020,480 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2007/05/25 11:38:46 | 000,112,176 | ---- | M] (SingleClick Systems) [Auto | Running] -- C:\Program Files\Dell Network Assistant\hnm_svc.exe -- (hnmsvc)
SRV - [2007/05/24 06:08:44 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2007/03/19 12:44:44 | 000,070,656 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2006/09/13 09:32:12 | 000,128,536 | ---- | M] (iAnywhere Solutions, Inc.) [Auto | Running] -- C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe -- (QuickBooksDB18)


========== Driver Services (SafeList) ==========

DRV - [2011/08/09 14:24:52 | 000,154,136 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
DRV - [2011/08/09 09:37:28 | 000,039,824 | ---- | M] (ESET) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\epfwndis.sys -- (Epfwndis)
DRV - [2011/08/04 09:20:38 | 000,147,480 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epfw.sys -- (epfw)
DRV - [2011/08/04 09:20:38 | 000,061,936 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdi.sys -- (epfwtdi)
DRV - [2011/08/04 09:20:36 | 000,118,104 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2007/06/13 20:41:44 | 004,403,712 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/02/25 12:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2006/12/18 19:01:20 | 000,012,672 | ---- | M] (SingleClick Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\packet.sys -- (Packet)
DRV - [2006/10/05 17:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/08/18 13:18:08 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/08/18 13:17:46 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/08/18 13:17:44 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/08/18 13:17:44 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/08/18 13:17:42 | 000,026,008 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/08/18 13:17:40 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/08/18 13:17:38 | 000,104,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/08/18 13:17:38 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/08/11 10:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/08/11 10:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3071011
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3071011
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2623010235-2279801242-1299087553-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-2623010235-2279801242-1299087553-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-2623010235-2279801242-1299087553-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-2623010235-2279801242-1299087553-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-2623010235-2279801242-1299087553-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2623010235-2279801242-1299087553-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3071011
IE - HKU\S-1-5-21-2623010235-2279801242-1299087553-1007\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
IE - HKU\S-1-5-21-2623010235-2279801242-1299087553-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
IE - HKU\S-1-5-21-2623010235-2279801242-1299087553-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
IE - HKU\S-1-5-21-2623010235-2279801242-1299087553-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3071011
IE - HKU\S-1-5-21-2623010235-2279801242-1299087553-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.search.selectedEngine: "Google"

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\Documents and Settings\All Users\Application Data\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c} [2008/11/26 11:56:56 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2011/12/01 15:37:03 | 000,000,000 | ---D | M]

[2009/01/26 10:10:58 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\William Wood\Application Data\Mozilla\Firefox\Profiles\20zcdekw.default\extensions
[2008/11/26 14:37:46 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\William Wood\Application Data\Mozilla\Firefox\Profiles\20zcdekw.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2011/06/09 13:17:11 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
File not found (No name found) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\REAL-NETWORKS@PARTNERS.MOZILLA.COM
File not found (No name found) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\TALKBACK@MOZILLA.ORG

O1 HOSTS File: ([2011/12/29 19:21:27 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll File not found
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll (Google Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-2623010235-2279801242-1299087553-1006\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-21-2623010235-2279801242-1299087553-1006\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKU\S-1-5-21-2623010235-2279801242-1299087553-1006\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
O4 - HKU\S-1-5-21-2623010235-2279801242-1299087553-1007..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
O4 - Startup: C:\Documents and Settings\William Wood\Start Menu\Programs\Startup\PHONEslips.lnk = S:\pslips\PSWIN32.EXE (Telexis, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2623010235-2279801242-1299087553-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2623010235-2279801242-1299087553-1006\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-2623010235-2279801242-1299087553-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-2623010235-2279801242-1299087553-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-2623010235-2279801242-1299087553-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-2623010235-2279801242-1299087553-1007\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2623010235-2279801242-1299087553-1007\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-2623010235-2279801242-1299087553-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O15 - HKU\S-1-5-21-2623010235-2279801242-1299087553-1006\..Trusted Domains: microsoft.com ([www.update] http in Trusted sites)
O15 - HKU\S-1-5-21-2623010235-2279801242-1299087553-1006\..Trusted Domains: Server ([]file in Local intranet)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1275602224640 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-beta/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} https://166.82.112.172/cab/OCXChecker_8310.cab (OCXDownloadChecker Control)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} http://166.82.219.228/cab/DownloadFile_8110.cab (DownloadFile Control)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://modernimpressions.webex.com/client/T27LB/webex/ieatgpc.cab (GpcContainer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {FEC048AB-277A-460C-BF50-1A4193AEF148} http://67.77.12.20/cab/DownloadCenter_8200.cab (DownloadCenter Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.25.5.60 24.25.5.61
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5BB2E80D-42BE-467F-95DE-206D62F48B76}: DhcpNameServer = 24.25.5.60 24.25.5.61
O18 - Protocol\Handler\intu-help-qb1 {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (TODO: <Company name>)
O18 - Protocol\Filter\x-sdch {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\William Wood\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\William Wood\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 13:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/04 13:30:07 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\William Wood\Desktop\OTL.com
[2012/01/04 12:23:33 | 001,578,288 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\William Wood\Desktop\tdsskiller.exe
[2012/01/03 16:10:47 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/01/03 15:50:02 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2012/01/03 15:28:17 | 000,000,000 | ---D | C] -- C:\sh4ldr
[2012/01/03 15:28:17 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2012/01/03 15:27:46 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2012/01/03 13:54:16 | 004,367,676 | R--- | C] (Swearware) -- C:\Documents and Settings\William Wood\Desktop\ComboFix1.exe
[2009/07/03 10:00:49 | 000,028,759 | ---- | C] ( ) -- C:\WINDOWS\GV_AccessIni_Memory.dll
[4 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/01/04 13:29:48 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\William Wood\Desktop\OTL.com
[2012/01/04 12:30:57 | 000,294,216 | ---- | M] () -- C:\Documents and Settings\William Wood\Desktop\gmer.zip
[2012/01/04 12:29:55 | 000,003,633 | ---- | M] () -- C:\WINDOWS\pslips.ini
[2012/01/04 12:29:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/01/04 12:29:27 | 1062,387,712 | -HS- | M] () -- C:\hiberfil.sys
[2012/01/04 12:23:23 | 001,578,288 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\William Wood\Desktop\tdsskiller.exe
[2012/01/03 15:30:10 | 000,000,448 | ---- | M] () -- C:\Documents and Settings\William Wood\Desktop\Shortcut to Data (S) on Server.lnk
[2012/01/03 13:54:08 | 004,367,676 | R--- | M] (Swearware) -- C:\Documents and Settings\William Wood\Desktop\ComboFix1.exe
[2012/01/03 12:22:25 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/03 12:22:20 | 000,246,312 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/12/29 19:57:56 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/12/29 19:54:54 | 000,443,232 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/12/29 19:54:54 | 000,072,372 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/12/29 19:21:27 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/12/29 19:04:24 | 000,000,796 | ---- | M] () -- C:\Documents and Settings\William Wood\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/12/29 15:31:55 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/12/29 10:58:30 | 000,017,384 | -HS- | M] () -- C:\Documents and Settings\William Wood\Local Settings\Application Data\gbn301xf0wxh22ad6h015b6ctxemy8jf6cqmq
[2011/12/29 10:58:30 | 000,017,384 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\gbn301xf0wxh22ad6h015b6ctxemy8jf6cqmq
[4 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/01/04 12:30:56 | 000,294,216 | ---- | C] () -- C:\Documents and Settings\William Wood\Desktop\gmer.zip
[2012/01/03 13:48:26 | 1062,387,712 | -HS- | C] () -- C:\hiberfil.sys
[2011/12/29 19:04:24 | 000,000,796 | ---- | C] () -- C:\Documents and Settings\William Wood\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/12/29 09:39:40 | 000,017,384 | -HS- | C] () -- C:\Documents and Settings\William Wood\Local Settings\Application Data\gbn301xf0wxh22ad6h015b6ctxemy8jf6cqmq
[2011/12/29 09:39:40 | 000,017,384 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\gbn301xf0wxh22ad6h015b6ctxemy8jf6cqmq
[2011/06/09 13:09:43 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/06/09 13:09:43 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/06/09 13:09:43 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/06/09 13:09:43 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/06/09 13:09:43 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/06/09 13:06:28 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/06/09 07:18:48 | 000,000,160 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~17424164r
[2011/06/09 07:18:48 | 000,000,144 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~17424164
[2011/06/09 07:17:38 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\17424164
[2010/10/06 08:39:05 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\William Wood\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/10 14:35:33 | 000,000,284 | ---- | C] () -- C:\WINDOWS\GvSaveImage.ini
[2009/07/03 10:00:49 | 000,253,952 | ---- | C] () -- C:\WINDOWS\JxIni.dll
[2009/07/03 10:00:49 | 000,213,065 | ---- | C] () -- C:\WINDOWS\GV_GeoPTZini.dll
[2009/04/17 02:07:40 | 000,000,093 | ---- | C] () -- C:\WINDOWS\System32\imon1.dat
[2009/03/16 10:32:09 | 000,003,633 | ---- | C] () -- C:\WINDOWS\pslips.ini
[2008/11/26 11:57:13 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2008/04/21 09:48:44 | 000,000,185 | ---- | C] () -- C:\WINDOWS\GeoLan.ini
[2008/04/21 09:48:18 | 000,000,022 | ---- | C] () -- C:\WINDOWS\LanViewlog.dat
[2008/04/21 09:39:44 | 000,000,082 | ---- | C] () -- C:\WINDOWS\GeoPAL.ini
[2008/04/21 09:30:47 | 000,000,137 | ---- | C] () -- C:\WINDOWS\multiview.ini
[2008/04/21 09:30:04 | 000,139,264 | ---- | C] () -- C:\WINDOWS\GeoEditAVIDll.dll
[2007/12/17 12:13:21 | 000,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2007/12/17 12:08:36 | 000,000,093 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2007/12/17 12:08:35 | 000,000,225 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2007/12/17 12:08:35 | 000,000,065 | ---- | C] () -- C:\WINDOWS\System32\BD8460N.DAT
[2007/12/17 12:07:48 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2007/12/17 12:03:57 | 000,027,019 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2007/10/18 15:08:07 | 000,000,194 | ---- | C] () -- C:\Documents and Settings\William Wood\Application Data\wklnhst.dat
[2007/10/11 16:11:02 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/10/11 16:00:18 | 000,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
[2007/10/11 16:00:18 | 000,000,120 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/10/11 15:36:48 | 000,077,824 | ---- | C] () -- C:\WINDOWS\setpwr32.exe
[2007/10/11 15:36:40 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4820.dll
[2007/10/11 15:34:29 | 000,001,124 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/11/07 04:25:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/09/16 23:36:50 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/09/16 23:36:50 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2005/01/17 02:10:16 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\BRTCPCON.DLL
[2004/08/10 13:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 13:07:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/10 13:02:15 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/10 13:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/10 12:57:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/10 12:57:15 | 000,246,312 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/10 12:51:21 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/10 12:51:20 | 000,443,232 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/10 12:51:20 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/10 12:51:20 | 000,072,372 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/10 12:51:20 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/10 12:51:18 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/10 12:51:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/10 12:51:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/10 12:51:12 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/10 12:51:11 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/10 12:51:05 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/10 12:50:56 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/09 20:00:42 | 000,000,114 | ---- | C] () -- C:\WINDOWS\System32\BRLMW03A.INI
[2002/03/04 10:16:34 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\William Wood\My Documents\OneNote Notebooks:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\William Wood\My Documents\New Folder:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\William Wood\My Documents\My Received Files:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\William Wood\My Documents\FORMS:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\William Wood\My Documents\APPRAISALS:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\William Wood\Desktop\cam07:Roxio EMC Stream

< End of report >

OTL Extras:

OTL Extras logfile created on: 1/4/2012 1:31:03 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\William Wood\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.10 Mb Total Physical Memory | 553.18 Mb Available Physical Memory | 54.60% Memory free
2.38 Gb Paging File | 2.04 Gb Available in Paging File | 85.68% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.45 Gb Total Space | 58.97 Gb Free Space | 79.21% Space Free | Partition Type: NTFS
Drive E: | 976.11 Mb Total Space | 968.47 Mb Free Space | 99.22% Space Free | Partition Type: FAT
Drive S: | 149.05 Gb Total Space | 144.96 Gb Free Space | 97.26% Space Free | Partition Type: NTFS

Computer Name: KENPC | User Name: William Wood | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htafile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"10421:UDP" = 10421:UDP:*:Enabled:SingleClick Discovery Protocol
"10426:UDP" = 10426:UDP:*:Enabled:SingleClick ICC

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Dell Network Assistant\ezi_hnm2.exe" = C:\Program Files\Dell Network Assistant\ezi_hnm2.exe:*:Enabled:Dell Network Assistant -- (SingleClick Systems)
"C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager -- (iAnywhere Solutions, Inc.)
"C:\Program Files\v8200\DMMultiView\MultiView.exe" = C:\Program Files\v8200\DMMultiView\MultiView.exe:*:Enabled:MultiView -- ( )


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0240BDFB-2995-4A3F-8C96-18D41282B716}" = Dell Network Assistant
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{0434E275-020A-4A2E-B35A-D5652E464E32}" = DMMultiView
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{0F756CD9-4A1E-409B-B101-601DDC4C03AA}" = QualxServ Service Agreement
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{22F97839-122D-4082-99D6-4AA6C36DF525}" = ESET Smart Security
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{281ECE39-F043-492B-8337-F2E546B5604A}" = PowerDVD
"{2C6C74C2-042F-4D36-B7B0-0C538FCF01AB}" = Dell DataSafe Online
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{71C97545-E547-4A8B-B0C8-61FF853270AC}" = PaperPort
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel® PRO Network Connections 12.1.8.0
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{8ECB8220-F422-4BEB-9596-97033C533702}" = QuickBooks Pro 2008
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.4
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D5A145FC-D00C-4F1A-9119-EB4D9D659750}" = Windows Live Toolbar
"{D639085F-4B6E-4105-9F37-A0DBB023E2FB}" = Roxio MyDVD DE
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"ActiveTouchMeetingClient" = WebEx
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Codec_264" = GeoVision H264
"Codec_amp4" = GeoVision MPEG4 ASP
"Codec_AVC" = GeoVision MPEG4 AVC
"Codec_jpeg" = GeoVision JPEG
"Codec_mp2" = GeoVision MPEG2
"ESET Online Scanner" = ESET Online Scanner v3
"GeoADPCM" = GeoVision ADPCM
"GEOXCodec" = GeoVision MPEG4
"Google Desktop" = Google Desktop
"HDMI" = Intel® Graphics Media Accelerator Driver
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"SearchAssist" = SearchAssist
"WIC" = Windows Imaging Component
"Windows Live Toolbar" = Windows Live Toolbar
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Script" = Microsoft Windows Script 5.7
"Windows XP Service Pack" = Windows XP Service Pack 3

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/3/2012 1:31:34 PM | Computer Name = KENPC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/3/2012 1:31:34 PM | Computer Name = KENPC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/3/2012 1:31:34 PM | Computer Name = KENPC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/3/2012 1:31:35 PM | Computer Name = KENPC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/3/2012 1:50:55 PM | Computer Name = KENPC | Source = QuickBooks | ID = 4
Description =

Error - 1/3/2012 1:50:55 PM | Computer Name = KENPC | Source = QuickBooks | ID = 4
Description =

Error - 1/3/2012 1:50:55 PM | Computer Name = KENPC | Source = QuickBooks | ID = 4
Description =

Error - 1/3/2012 1:51:08 PM | Computer Name = KENPC | Source = QuickBooks | ID = 4
Description =

Error - 1/3/2012 1:51:17 PM | Computer Name = KENPC | Source = QuickBooks | ID = 4
Description =

Error - 1/4/2012 2:30:56 PM | Computer Name = KENPC | Source = Application Hang | ID = 1002
Description = Hanging application OTL.com, version 3.2.31.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 1/3/2012 4:52:51 PM | Computer Name = KENPC | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 1/3/2012 4:52:51 PM | Computer Name = KENPC | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 1/3/2012 4:52:51 PM | Computer Name = KENPC | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 1/3/2012 4:52:52 PM | Computer Name = KENPC | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 1/3/2012 4:52:52 PM | Computer Name = KENPC | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 1/3/2012 4:52:52 PM | Computer Name = KENPC | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 1/3/2012 4:52:52 PM | Computer Name = KENPC | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 1/3/2012 4:52:52 PM | Computer Name = KENPC | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 1/3/2012 4:52:52 PM | Computer Name = KENPC | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 1/3/2012 4:52:52 PM | Computer Name = KENPC | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126


< End of report >


Thank you your help
Don

#4 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:12:25 PM

Posted 05 January 2012 - 01:42 AM

Good Evening Don!

1. After running TDSS Killer, and selecting "skip" and then "continue", the option to "Reboot now" was not there. I rebooted anywhay

Okay, thanks for that information.

2. When setting up GMER, in the right panel, the label is "Files C:\" and not "Drives C:\"

I'll have to check into that and see if my instructions for the tool need to be updated. Thanks for bringing that to my attention!

3. When trying to download the OTL report, the first link to "http://oldtimer..." was not valid. I did a Google search to get to the download.

That's weird. I was able to access the link just fine when I just tried it. But it's possible the developer was in the process of updating the tool when you were attempting to download it.

4. When trying to get to the OTL report, the second link to "http://www.ITXassociates..." required a username and password which I didn't have.

That's really weird, I'm getting the same thing when I attempt to access that link. I'm currently looking into that right now, and appreciate you informing me of such.

Before we get started, I'd really like to get a look at the previous log files for ComboFix that you have on your computer, so that I can see what was done whne it was ran.

Please follow these instructions for accessing the previous log files below.

It would be extremely helpful if you could post each log file in it's own reply, that way it'll help to differentiate the log files from one another.

Locating ComboFix Log
  • Right click on START on the left end of your Windows toolbar (lower left corner of your screen)
  • Click on Explore
  • Click on Local Disk (C:) in the left-hand window pane
  • Click on Qoobox in the left-hand window pane
  • Look for ComboFix2.txt in the right-hand window pane and right click on it
  • Put your cursor (arrow) on Open With
  • Move your cursor to the new menu that opens and click on Choose Program...
  • Click on Notepad

When file opens, Copy/Paste text here.

Please repeat the above process for the other ComboFix.txt log files below and post them each in there own reply.

ComboFix3.txt
ComboFix4.txt
ComboFix5.txt

Kindest Regards,
SweetTech.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#5 smithd

smithd
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:25 AM

Posted 05 January 2012 - 05:47 PM

Hi Agent ST,
FYI, my link to the www.oldtimer..." works OK. It must have been the mouse :=).
Yes, I will send individual replies for each log. It didn't even cross my mind in my last transmission to break them up, even though I had trouble scanning thru them.
Here is ComboFix2.txt

ComboFix 12-01-03.04 - William Wood 01/03/2012 14:01:42.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.647 [GMT -5:00]
Running from: c:\documents and settings\William Wood\Desktop\ComboFix1.exe
AV: ESET Smart Security 5.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Resident AV is active
.
.
.
((((((((((((((((((((((((( Files Created from 2011-12-03 to 2012-01-03 )))))))))))))))))))))))))))))))
.
.
2011-12-29 23:57 . 2011-12-29 23:57 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:25 . 2004-08-10 17:51 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2004-08-10 17:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-10 17:51 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-10 17:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2004-08-10 17:51 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-04 03:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-08-10 17:51 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2004-08-10 18:02 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-01-03_17.43.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-03 19:00 . 2012-01-03 19:00 16384 c:\windows\temp\Perflib_Perfdata_274.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-15 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-11 148888]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-14 16132608]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-09-22 3080264]
.
c:\documents and settings\William Wood\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
PHONEslips.lnk - s:\pslips\PSWIN32.EXE [2009-6-11 8192]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^William Wood^Start Menu^Programs^Startup^PHONEslips.lnk]
path=c:\documents and settings\William Wood\Start Menu\Programs\Startup\PHONEslips.lnk
backup=c:\windows\pss\PHONEslips.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 17:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2007-10-11 21:02 1862144 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2005-03-17 19:25 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 22:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 16:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 15:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-10-15 17:53 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\v8200\\DMMultiView\\MultiView.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 2:47 PM 118104]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [9/22/2011 12:03 PM 974944]
R2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]
.
Contents of the 'Scheduled Tasks' folder
.
2010-06-03 c:\windows\Tasks\Install.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2010-05-26 16:43]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: microsoft.com\www.update
TCP: DhcpNameServer = 24.25.5.60 24.25.5.61
DPF: {FEC048AB-277A-460C-BF50-1A4193AEF148} - hxxp://67.77.12.20/cab/DownloadCenter_8200.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-03 14:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\2143E8]
"imagepath"="\??\c:\windows\TEMP\2143E8.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\igfxdev.dll
.
Completion time: 2012-01-03 14:11:44
ComboFix-quarantined-files.txt 2012-01-03 19:11
ComboFix2.txt 2012-01-03 17:46
ComboFix3.txt 2011-12-30 00:44
ComboFix4.txt 2011-12-30 00:23
ComboFix5.txt 2012-01-03 18:55
.
Pre-Run: 63,626,530,816 bytes free
Post-Run: 63,643,549,696 bytes free
.
- - End Of File - - 8CE59BAA32F7A94D7819E2ABE99ACC1D

#6 smithd

smithd
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:25 AM

Posted 05 January 2012 - 05:50 PM

Here is ComboFix3.txt

ComboFix 12-01-03.04 - William Wood 01/03/2012 12:34:45.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.638 [GMT -5:00]
Running from: c:\combofix1\ComboFix.exe
AV: ESET Smart Security 5.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Created a new restore point
* Resident AV is active
.
.
.
((((((((((((((((((((((((( Files Created from 2011-12-03 to 2012-01-03 )))))))))))))))))))))))))))))))
.
.
2011-12-29 23:57 . 2011-12-29 23:57 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:25 . 2004-08-10 17:51 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2004-08-10 17:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-10 17:51 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-10 17:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2004-08-10 17:51 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-04 03:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-08-10 17:51 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2004-08-10 18:02 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-01_20.02.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-03 17:33 . 2012-01-03 17:33 16384 c:\windows\temp\Perflib_Perfdata_28c.dat
+ 2012-01-03 17:33 . 2012-01-03 17:33 16384 c:\windows\temp\Perflib_Perfdata_260.dat
- 2007-10-11 20:51 . 2011-07-08 13:49 46080 c:\windows\system32\tzchange.exe
+ 2007-10-11 20:51 . 2011-11-08 13:46 46080 c:\windows\system32\tzchange.exe
- 2004-08-10 17:51 . 2011-11-06 11:12 72372 c:\windows\system32\perfc009.dat
+ 2004-08-10 17:51 . 2011-12-30 00:54 72372 c:\windows\system32\perfc009.dat
- 2004-08-10 17:51 . 2011-08-22 23:48 66560 c:\windows\system32\mshtmled.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 66560 c:\windows\system32\mshtmled.dll
+ 2007-08-13 23:54 . 2011-11-04 19:20 55296 c:\windows\system32\msfeedsbs.dll
- 2007-08-13 23:54 . 2011-08-22 23:48 55296 c:\windows\system32\msfeedsbs.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 25600 c:\windows\system32\jsproxy.dll
- 2004-08-10 17:51 . 2011-08-22 23:48 25600 c:\windows\system32\jsproxy.dll
+ 2009-05-14 19:49 . 2011-08-04 14:20 61936 c:\windows\system32\drivers\epfwtdi.sys
+ 2009-05-14 19:49 . 2011-08-09 14:37 39824 c:\windows\system32\drivers\epfwndis.sys
+ 2009-06-16 15:40 . 2011-11-04 19:20 12800 c:\windows\system32\dllcache\xpshims.dll
- 2009-06-16 15:40 . 2011-08-22 23:48 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 66560 c:\windows\system32\dllcache\mshtmled.dll
- 2004-08-10 17:51 . 2011-08-22 23:48 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2007-12-11 20:35 . 2011-11-04 19:20 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-12-11 20:35 . 2011-08-22 23:48 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2004-08-10 17:51 . 2011-08-22 23:48 43520 c:\windows\system32\dllcache\licmgr10.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 43520 c:\windows\system32\dllcache\licmgr10.dll
- 2004-08-10 17:51 . 2011-08-22 23:48 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2009-12-14 07:08 . 2011-04-26 11:07 33280 c:\windows\system32\dllcache\csrsrv.dll
+ 2009-12-14 07:08 . 2011-10-28 05:31 33280 c:\windows\system32\dllcache\csrsrv.dll
+ 2011-12-25 08:49 . 2011-12-25 08:49 31504 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
- 2011-07-08 18:00 . 2011-07-08 18:00 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
+ 2011-12-25 16:07 . 2011-12-25 16:07 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
- 2011-07-07 16:04 . 2011-07-07 16:04 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2011-12-25 03:55 . 2011-12-25 03:55 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2011-07-07 16:04 . 2011-07-07 16:04 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2011-12-25 03:55 . 2011-12-25 03:55 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2011-07-07 16:03 . 2011-07-07 16:03 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2011-12-25 03:55 . 2011-12-25 03:55 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2011-07-07 17:09 . 2011-07-07 17:09 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2011-12-25 04:49 . 2011-12-25 04:49 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
- 2011-07-07 17:09 . 2011-07-07 17:09 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
+ 2011-12-25 04:49 . 2011-12-25 04:49 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
+ 2011-12-01 20:37 . 2011-12-01 20:37 10134 c:\windows\Installer\{22F97839-122D-4082-99D6-4AA6C36DF525}\callmsi.exe
+ 2011-12-30 00:56 . 2011-08-22 23:48 12800 c:\windows\ie8updates\KB2618444-IE8\xpshims.dll
+ 2011-12-30 00:56 . 2011-08-22 23:48 66560 c:\windows\ie8updates\KB2618444-IE8\mshtmled.dll
+ 2011-12-30 00:56 . 2011-08-22 23:48 55296 c:\windows\ie8updates\KB2618444-IE8\msfeedsbs.dll
+ 2011-12-30 00:56 . 2011-08-22 23:48 43520 c:\windows\ie8updates\KB2618444-IE8\licmgr10.dll
+ 2011-12-30 00:56 . 2011-08-22 23:48 25600 c:\windows\ie8updates\KB2618444-IE8\jsproxy.dll
+ 2011-12-30 00:57 . 2011-12-30 00:57 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_bbe67e98\System.Drawing.Design.dll
+ 2011-12-30 00:57 . 2011-12-30 00:57 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_c3455d6e\CustomMarshalers.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2011-12-30 00:57 . 2011-12-30 00:57 81920 c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
- 2011-10-13 14:10 . 2011-10-13 14:10 81920 c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2011-12-29 22:49 . 2011-12-29 22:49 8192 c:\windows\ERDNT\subs(2)\Users(2)\00000008\UsrClass.dat
+ 2011-12-29 22:49 . 2011-12-29 22:49 8192 c:\windows\ERDNT\subs(2)\Users(2)\00000004(2)\UsrClass.dat
+ 2011-12-29 22:49 . 2011-12-29 22:49 8192 c:\windows\ERDNT\subs(2)\Users(2)\00000002(2)\UsrClass.dat
+ 2011-12-30 00:54 . 2011-12-30 00:54 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2004-08-10 17:51 . 2011-08-22 23:48 916480 c:\windows\system32\wininet(3).dll
- 2004-08-10 17:51 . 2011-08-22 23:48 105984 c:\windows\system32\url.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 105984 c:\windows\system32\url.dll
+ 2004-08-10 17:51 . 2011-08-22 23:48 105984 c:\windows\system32\url(3).dll
+ 2004-08-10 17:51 . 2011-12-30 00:54 443232 c:\windows\system32\perfh009.dat
- 2004-08-10 17:51 . 2011-11-06 11:12 443232 c:\windows\system32\perfh009.dat
+ 2004-08-10 17:51 . 2011-11-04 19:20 206848 c:\windows\system32\occache.dll
- 2004-08-10 17:51 . 2011-08-22 23:48 206848 c:\windows\system32\occache.dll
- 2004-08-10 17:51 . 2011-08-22 23:48 611840 c:\windows\system32\mstime.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 611840 c:\windows\system32\mstime.dll
+ 2007-08-13 23:54 . 2011-11-04 19:20 602112 c:\windows\system32\msfeeds.dll
- 2007-08-13 23:54 . 2011-08-22 23:48 602112 c:\windows\system32\msfeeds.dll
- 2004-08-10 17:51 . 2011-08-22 23:48 184320 c:\windows\system32\iepeers.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 184320 c:\windows\system32\iepeers.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 387584 c:\windows\system32\iedkcs32.dll
- 2004-08-10 17:51 . 2011-08-22 23:48 387584 c:\windows\system32\iedkcs32.dll
+ 2004-08-10 17:51 . 2011-11-04 11:24 174080 c:\windows\system32\ie4uinit.exe
- 2004-08-10 17:51 . 2011-08-22 11:56 174080 c:\windows\system32\ie4uinit.exe
- 2004-08-10 17:57 . 2011-10-13 15:39 246312 c:\windows\system32\FNTCACHE.DAT
+ 2004-08-10 17:57 . 2012-01-03 17:22 246312 c:\windows\system32\FNTCACHE.DAT
+ 2009-05-14 19:49 . 2011-08-04 14:20 147480 c:\windows\system32\drivers\epfw.sys
+ 2009-05-14 19:47 . 2011-08-04 14:20 118104 c:\windows\system32\drivers\ehdrv.sys
+ 2009-05-14 19:41 . 2011-08-09 19:24 154136 c:\windows\system32\drivers\eamon.sys
+ 2004-08-10 17:51 . 2011-11-04 19:20 916992 c:\windows\system32\dllcache\wininet.dll
- 2004-08-10 17:51 . 2011-08-22 23:48 105984 c:\windows\system32\dllcache\url.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 105984 c:\windows\system32\dllcache\url.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 206848 c:\windows\system32\dllcache\occache.dll
- 2004-08-10 17:51 . 2011-08-22 23:48 206848 c:\windows\system32\dllcache\occache.dll
- 2004-08-10 17:51 . 2011-08-22 23:48 611840 c:\windows\system32\dllcache\mstime.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 611840 c:\windows\system32\dllcache\mstime.dll
- 2007-12-11 20:35 . 2011-08-22 23:48 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2007-12-11 20:35 . 2011-11-04 19:20 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-06-16 15:40 . 2011-11-04 19:20 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2009-06-16 15:40 . 2011-08-22 23:48 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2004-08-10 17:51 . 2011-08-22 23:48 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2010-06-09 12:25 . 2011-11-04 19:20 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2010-06-09 12:25 . 2011-08-22 23:48 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2004-08-10 17:51 . 2011-08-22 23:48 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2004-08-10 17:51 . 2011-08-22 11:56 174080 c:\windows\system32\dllcache\ie4uinit.exe
+ 2004-08-10 17:51 . 2011-11-04 11:24 174080 c:\windows\system32\dllcache\ie4uinit.exe
- 2011-02-09 13:53 . 2011-02-09 13:53 186880 c:\windows\system32\dllcache\encdec.dll
+ 2011-02-09 13:53 . 2011-10-18 11:13 186880 c:\windows\system32\dllcache\encdec.dll
- 2011-12-01 18:56 . 2011-06-09 19:34 196126 c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
+ 2011-12-29 23:53 . 2011-12-05 17:04 196126 c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
+ 2011-12-25 08:49 . 2011-12-25 08:49 436496 c:\windows\Microsoft.NET\Framework\v2.0.50727\webengine.dll
- 2011-07-07 16:04 . 2011-07-07 16:04 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
+ 2011-12-25 03:55 . 2011-12-25 03:55 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2011-07-07 16:01 . 2011-07-07 16:01 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2011-12-25 03:53 . 2011-12-25 03:53 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2011-12-25 04:49 . 2011-12-25 04:49 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
- 2011-07-07 17:09 . 2011-07-07 17:09 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2011-12-25 10:40 . 2011-12-25 10:40 819200 c:\windows\Installer\124d36.msp
+ 2011-12-01 20:37 . 2011-12-01 20:37 105624 c:\windows\Installer\{22F97839-122D-4082-99D6-4AA6C36DF525}\egui.exe
+ 2011-12-30 00:56 . 2011-08-22 23:48 916480 c:\windows\ie8updates\KB2618444-IE8\wininet.dll
+ 2011-12-30 00:56 . 2011-08-22 23:48 105984 c:\windows\ie8updates\KB2618444-IE8\url.dll
+ 2011-12-30 00:56 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2618444-IE8\spuninst\updspapi.dll
+ 2011-12-30 00:56 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2618444-IE8\spuninst\spuninst.exe
+ 2011-12-30 00:56 . 2011-08-22 23:48 206848 c:\windows\ie8updates\KB2618444-IE8\occache.dll
+ 2011-12-30 00:56 . 2011-08-22 23:48 611840 c:\windows\ie8updates\KB2618444-IE8\mstime.dll
+ 2011-12-30 00:56 . 2011-08-22 23:48 602112 c:\windows\ie8updates\KB2618444-IE8\msfeeds.dll
+ 2011-12-30 00:56 . 2011-08-22 23:48 247808 c:\windows\ie8updates\KB2618444-IE8\ieproxy.dll
+ 2011-12-30 00:56 . 2011-08-22 23:48 184320 c:\windows\ie8updates\KB2618444-IE8\iepeers.dll
+ 2011-12-30 00:56 . 2011-08-22 23:48 743424 c:\windows\ie8updates\KB2618444-IE8\iedvtool.dll
+ 2011-12-30 00:56 . 2011-08-22 23:48 387584 c:\windows\ie8updates\KB2618444-IE8\iedkcs32.dll
+ 2011-12-30 00:56 . 2011-08-22 11:56 174080 c:\windows\ie8updates\KB2618444-IE8\ie4uinit.exe
+ 2011-12-29 22:49 . 2011-12-29 22:49 536576 c:\windows\ERDNT\subs(2)\Users(2)\00000007\NTUSER.DAT
+ 2011-12-29 22:49 . 2011-12-29 22:49 376832 c:\windows\ERDNT\subs(2)\Users(2)\00000006(2)\UsrClass.dat
+ 2011-12-29 22:49 . 2011-12-29 22:49 237568 c:\windows\ERDNT\subs(2)\Users(2)\00000003(2)\NTUSER.DAT
+ 2011-12-29 22:49 . 2011-12-29 22:49 233472 c:\windows\ERDNT\subs(2)\Users(2)\00000001(2)\NTUSER.DAT
+ 2011-12-30 00:58 . 2011-12-30 00:58 835584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_cb33454a\System.Drawing.dll
+ 2011-12-30 00:58 . 2011-12-30 00:58 192512 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_42d70083\System.Drawing.Design.dll
+ 2011-12-30 00:58 . 2011-12-30 00:58 118784 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_fb49853a\CustomMarshalers.dll
+ 2011-12-30 00:57 . 2011-12-30 00:57 842240 c:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\bfcea15c95909860c4f4ac19bd7a2d6c\AspNetMMCExt.ni.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2004-08-10 17:51 . 2011-08-22 23:48 1212416 c:\windows\system32\urlmon.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 1212416 c:\windows\system32\urlmon.dll
+ 2004-08-10 17:51 . 2011-08-22 23:48 1212416 c:\windows\system32\urlmon(3).dll
+ 2010-06-03 20:25 . 2011-12-29 23:58 3299096 c:\windows\system32\Restore\rstrlog.dat
+ 2004-08-10 17:51 . 2010-07-16 12:05 1288192 c:\windows\system32\ole32(3).dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 5978112 c:\windows\system32\mshtml.dll
- 2007-08-13 23:34 . 2011-08-22 23:48 2000384 c:\windows\system32\iertutil.dll
+ 2007-08-13 23:34 . 2011-11-04 19:20 2000384 c:\windows\system32\iertutil.dll
+ 2008-10-16 02:32 . 2011-11-23 13:25 1859584 c:\windows\system32\dllcache\win32k.sys
+ 2004-08-10 17:51 . 2011-11-04 19:20 1212416 c:\windows\system32\dllcache\urlmon.dll
- 2004-08-10 17:51 . 2011-08-22 23:48 1212416 c:\windows\system32\dllcache\urlmon.dll
+ 2010-07-16 12:05 . 2011-11-01 16:07 1288704 c:\windows\system32\dllcache\ole32.dll
- 2009-04-16 07:32 . 2010-12-09 13:38 2192768 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2009-04-16 07:32 . 2011-10-25 13:33 2192768 c:\windows\system32\dllcache\ntoskrnl.exe
- 2009-04-16 07:32 . 2010-12-09 13:07 2027008 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2009-04-16 07:32 . 2011-10-25 12:52 2027008 c:\windows\system32\dllcache\ntkrpamp.exe
- 2009-02-07 23:02 . 2010-12-09 13:07 2069376 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2009-02-07 23:02 . 2011-10-25 12:52 2069376 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2009-04-16 07:32 . 2011-10-25 13:37 2148864 c:\windows\system32\dllcache\ntkrnlmp.exe
- 2009-04-16 07:32 . 2010-12-09 13:42 2148864 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2004-08-10 17:51 . 2011-11-04 19:20 5978112 c:\windows\system32\dllcache\mshtml.dll
- 2007-12-11 20:35 . 2011-08-22 23:48 2000384 c:\windows\system32\dllcache\iertutil.dll
+ 2007-12-11 20:35 . 2011-11-04 19:20 2000384 c:\windows\system32\dllcache\iertutil.dll
+ 2011-12-25 08:50 . 2011-12-25 08:50 5246976 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
+ 2011-12-25 16:07 . 2011-12-25 16:07 2064384 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Windows.Forms.dll
+ 2011-12-25 16:06 . 2011-12-25 16:06 1269760 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2011-12-25 16:06 . 2011-12-25 16:06 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2011-07-08 17:59 . 2011-07-08 17:59 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2011-07-07 16:02 . 2011-07-07 16:02 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2011-12-25 03:54 . 2011-12-25 03:54 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2011-12-25 03:53 . 2011-12-25 03:53 2527232 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
- 2011-07-07 16:02 . 2011-07-07 16:02 2527232 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2011-12-25 16:06 . 2011-12-25 16:06 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
- 2011-07-08 17:59 . 2011-07-08 17:59 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2011-12-01 20:37 . 2011-12-01 20:37 1037824 c:\windows\Installer\debda.msi
+ 2011-12-26 14:59 . 2011-12-26 14:59 4368896 c:\windows\Installer\124d17.msp
+ 2011-12-30 00:56 . 2011-08-22 23:48 1212416 c:\windows\ie8updates\KB2618444-IE8\urlmon.dll
+ 2011-12-30 00:56 . 2011-10-03 08:35 5971456 c:\windows\ie8updates\KB2618444-IE8\mshtml.dll
+ 2011-12-30 00:56 . 2011-08-22 23:48 2000384 c:\windows\ie8updates\KB2618444-IE8\iertutil.dll
+ 2011-12-29 22:49 . 2011-12-29 22:49 3465216 c:\windows\ERDNT\subs(2)\Users(2)\00000005(2)\ntuser.dat
- 2009-04-16 07:32 . 2010-12-09 13:38 2192768 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2009-04-16 07:32 . 2011-10-25 13:33 2192768 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2009-04-16 07:32 . 2010-12-09 13:07 2027008 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2009-04-16 07:32 . 2011-10-25 12:52 2027008 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2009-02-07 23:02 . 2011-10-25 12:52 2069376 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2009-02-07 23:02 . 2010-12-09 13:07 2069376 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2009-04-16 07:32 . 2010-12-09 13:42 2148864 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2009-04-16 07:32 . 2011-10-25 13:37 2148864 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2011-12-30 00:57 . 2011-12-30 00:57 1966080 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_78239871\System.dll
+ 2011-12-30 00:58 . 2011-12-30 00:58 4792320 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_71589693\System.dll
+ 2011-12-30 00:58 . 2011-12-30 00:58 5513216 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_835088de\System.Xml.dll
+ 2011-12-30 00:58 . 2011-12-30 00:58 2088960 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_3b3d3f79\System.Xml.dll
+ 2011-12-30 00:58 . 2011-12-30 00:58 7917568 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_ce01353f\System.Windows.Forms.dll
+ 2011-12-30 00:58 . 2011-12-30 00:58 3035136 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_c92f0043\System.Windows.Forms.dll
+ 2012-01-03 17:23 . 2012-01-03 17:23 2244608 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_d4e7b3af\System.Drawing.dll
+ 2011-12-30 00:58 . 2011-12-30 00:58 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_a3b9646c\System.Design.dll
+ 2012-01-03 17:23 . 2012-01-03 17:23 3395584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_09d69915\System.Design.dll
+ 2011-12-30 00:58 . 2011-12-30 00:58 3391488 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_bcf7c02a\mscorlib.dll
+ 2012-01-03 17:23 . 2012-01-03 17:23 8908800 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_5a7b1e52\mscorlib.dll
+ 2011-12-30 00:58 . 2011-12-30 00:58 1070080 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\23eb4618c9d171be9fb551a13a475a32\System.IdentityModel.ni.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2010-10-08 13:37 . 2010-10-08 13:37 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll
+ 2011-12-30 00:58 . 2011-12-30 00:58 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 5246976 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2011-10-13 14:17 . 2011-10-13 14:17 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2011-12-30 00:54 . 2011-12-30 00:54 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2010-10-07 12:28 . 2011-10-13 14:17 4550656 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2010-10-07 12:28 . 2011-12-30 00:54 4550656 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
- 2011-10-13 14:10 . 2011-10-13 14:10 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2011-12-30 00:57 . 2011-12-30 00:57 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2011-12-30 00:57 . 2011-12-30 00:57 2064384 c:\windows\assembly\GAC\System.Windows.Forms\1.0.5000.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2011-12-30 00:57 . 2011-12-30 00:57 1269760 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2007-10-29 13:18 . 2011-12-30 00:50 52988224 c:\windows\system32\MRT.exe
- 2007-08-13 23:54 . 2011-08-23 21:48 11081728 c:\windows\system32\ieframe.dll
+ 2007-08-13 23:54 . 2011-11-04 19:20 11081728 c:\windows\system32\ieframe.dll
- 2007-12-11 20:35 . 2011-08-23 21:48 11081728 c:\windows\system32\dllcache\ieframe.dll
+ 2007-12-11 20:35 . 2011-11-04 19:20 11081728 c:\windows\system32\dllcache\ieframe.dll
+ 2011-12-26 22:02 . 2011-12-26 22:02 12482048 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M2656353\M2656353Uninstall.msp
+ 2011-12-26 14:02 . 2011-12-26 14:02 19677184 c:\windows\Installer\124d30.msp
+ 2011-12-30 00:56 . 2011-08-23 21:48 11081728 c:\windows\ie8updates\KB2618444-IE8\ieframe.dll
+ 2011-12-30 00:56 . 2011-12-30 00:56 10683392 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\9e15d80ffb037e9171fa4bd2e0233497\System.Design.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-15 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-11 148888]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-14 16132608]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-09-22 3080264]
.
c:\documents and settings\William Wood\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
PHONEslips.lnk - s:\pslips\PSWIN32.EXE [2009-6-11 8192]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^William Wood^Start Menu^Programs^Startup^PHONEslips.lnk]
path=c:\documents and settings\William Wood\Start Menu\Programs\Startup\PHONEslips.lnk
backup=c:\windows\pss\PHONEslips.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 17:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2007-10-11 21:02 1862144 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2005-03-17 19:25 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 22:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 16:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 15:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-10-15 17:53 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\v8200\\DMMultiView\\MultiView.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 2:47 PM 118104]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [9/22/2011 12:03 PM 974944]
R2 MrHealthyService;MrHealthy;c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service --> c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service [?]
R2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]
.
Contents of the 'Scheduled Tasks' folder
.
2010-06-03 c:\windows\Tasks\Install.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2010-05-26 16:43]
.
2010-12-16 c:\windows\Tasks\Norton PC Checkup Weekday Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]
.
2011-06-26 c:\windows\Tasks\Norton PC Checkup Weekend Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: microsoft.com\www.update
TCP: DhcpNameServer = 24.25.5.60 24.25.5.61
DPF: {FEC048AB-277A-460C-BF50-1A4193AEF148} - hxxp://67.77.12.20/cab/DownloadCenter_8200.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-03 12:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\2143E8]
"imagepath"="\??\c:\windows\TEMP\2143E8.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\igfxdev.dll
.
Completion time: 2012-01-03 12:46:22
ComboFix-quarantined-files.txt 2012-01-03 17:46
ComboFix2.txt 2011-12-30 00:44
ComboFix3.txt 2011-12-30 00:23
ComboFix4.txt 2011-12-29 23:32
ComboFix5.txt 2011-12-30 00:45
.
Pre-Run: 61,116,579,840 bytes free
Post-Run: 61,127,778,304 bytes free
.
- - End Of File - - 56B706C506F828C841234C781FDAAE5F

Here is ComboFix4.txt

ComboFix 11-12-29.05 - William Wood 12/29/2011 19:34:02.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.635 [GMT -5:00]
Running from: c:\combofix1\ComboFix.exe
AV: ESET Smart Security 5.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Resident AV is active
.
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-30 )))))))))))))))))))))))))))))))
.
.
2011-11-30 15:51 . 2011-11-30 22:01 -------- d--h--w- c:\documents and settings\William Wood\Application Data\B5A4E985
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-04 11:23 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec
2011-10-10 14:22 . 2004-08-10 18:02 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-01_20.02.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-30 00:33 . 2011-12-30 00:33 16384 c:\windows\temp\Perflib_Perfdata_288.dat
+ 2011-12-30 00:32 . 2011-12-30 00:32 16384 c:\windows\temp\Perflib_Perfdata_258.dat
+ 2009-05-14 19:49 . 2011-08-04 14:20 61936 c:\windows\system32\drivers\epfwtdi.sys
+ 2009-05-14 19:49 . 2011-08-09 14:37 39824 c:\windows\system32\drivers\epfwndis.sys
+ 2011-12-01 20:37 . 2011-12-01 20:37 10134 c:\windows\Installer\{22F97839-122D-4082-99D6-4AA6C36DF525}\callmsi.exe
+ 2011-12-29 22:49 . 2011-12-29 22:49 8192 c:\windows\ERDNT\subs(2)\Users(2)\00000008\UsrClass.dat
+ 2011-12-29 22:49 . 2011-12-29 22:49 8192 c:\windows\ERDNT\subs(2)\Users(2)\00000004(2)\UsrClass.dat
+ 2011-12-29 22:49 . 2011-12-29 22:49 8192 c:\windows\ERDNT\subs(2)\Users(2)\00000002(2)\UsrClass.dat
+ 2004-08-10 17:51 . 2011-08-22 23:48 916480 c:\windows\system32\wininet(3).dll
+ 2004-08-10 17:51 . 2011-08-22 23:48 105984 c:\windows\system32\url(3).dll
+ 2004-08-10 17:57 . 2011-12-29 23:58 246312 c:\windows\system32\FNTCACHE.DAT
- 2004-08-10 17:57 . 2011-10-13 15:39 246312 c:\windows\system32\FNTCACHE.DAT
+ 2009-05-14 19:49 . 2011-08-04 14:20 147480 c:\windows\system32\drivers\epfw.sys
+ 2009-05-14 19:47 . 2011-08-04 14:20 118104 c:\windows\system32\drivers\ehdrv.sys
+ 2009-05-14 19:41 . 2011-08-09 19:24 154136 c:\windows\system32\drivers\eamon.sys
+ 2011-12-29 23:53 . 2011-12-05 17:04 196126 c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
- 2011-12-01 18:56 . 2011-06-09 19:34 196126 c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
+ 2011-12-01 20:37 . 2011-12-01 20:37 105624 c:\windows\Installer\{22F97839-122D-4082-99D6-4AA6C36DF525}\egui.exe
+ 2011-12-29 22:49 . 2011-12-29 22:49 536576 c:\windows\ERDNT\subs(2)\Users(2)\00000007\NTUSER.DAT
+ 2011-12-29 22:49 . 2011-12-29 22:49 376832 c:\windows\ERDNT\subs(2)\Users(2)\00000006(2)\UsrClass.dat
+ 2011-12-29 22:49 . 2011-12-29 22:49 237568 c:\windows\ERDNT\subs(2)\Users(2)\00000003(2)\NTUSER.DAT
+ 2011-12-29 22:49 . 2011-12-29 22:49 233472 c:\windows\ERDNT\subs(2)\Users(2)\00000001(2)\NTUSER.DAT
+ 2004-08-10 17:51 . 2011-08-22 23:48 1212416 c:\windows\system32\urlmon(3).dll
+ 2010-06-03 20:25 . 2011-12-29 23:58 3299096 c:\windows\system32\Restore\rstrlog.dat
+ 2004-08-10 17:51 . 2010-07-16 12:05 1288192 c:\windows\system32\ole32(3).dll
+ 2011-12-01 20:37 . 2011-12-01 20:37 1037824 c:\windows\Installer\debda.msi
+ 2011-12-29 22:49 . 2011-12-29 22:49 3465216 c:\windows\ERDNT\subs(2)\Users(2)\00000005(2)\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-15 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-11 148888]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-14 16132608]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-09-22 3080264]
.
c:\documents and settings\William Wood\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
PHONEslips.lnk - s:\pslips\PSWIN32.EXE [2009-6-11 8192]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^William Wood^Start Menu^Programs^Startup^PHONEslips.lnk]
path=c:\documents and settings\William Wood\Start Menu\Programs\Startup\PHONEslips.lnk
backup=c:\windows\pss\PHONEslips.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 17:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2007-10-11 21:02 1862144 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2005-03-17 19:25 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 22:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 16:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 15:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-10-15 17:53 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\v8200\\DMMultiView\\MultiView.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 2:47 PM 118104]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [9/22/2011 12:03 PM 974944]
R2 MrHealthyService;MrHealthy;c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service --> c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service [?]
R2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]
.
Contents of the 'Scheduled Tasks' folder
.
2010-06-03 c:\windows\Tasks\Install.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2010-05-26 16:43]
.
2010-12-16 c:\windows\Tasks\Norton PC Checkup Weekday Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]
.
2011-06-26 c:\windows\Tasks\Norton PC Checkup Weekend Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: microsoft.com\www.update
TCP: DhcpNameServer = 24.25.5.60 24.25.5.61
DPF: {FEC048AB-277A-460C-BF50-1A4193AEF148} - hxxp://67.77.12.20/cab/DownloadCenter_8200.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-29 19:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\2143E8]
"imagepath"="\??\c:\windows\TEMP\2143E8.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\igfxdev.dll
.
Completion time: 2011-12-29 19:44:11
ComboFix-quarantined-files.txt 2011-12-30 00:44
ComboFix2.txt 2011-12-30 00:23
ComboFix3.txt 2011-12-29 23:32
ComboFix4.txt 2011-12-01 20:09
ComboFix5.txt 2011-12-30 00:27
.
Pre-Run: 61,581,262,848 bytes free
Post-Run: 61,585,956,864 bytes free
.
- - End Of File - - 27E807289F68297380E1AB47B49784DD

#7 smithd

smithd
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:25 AM

Posted 05 January 2012 - 05:52 PM

Here is ComboFix5.txt

ComboFix 11-06-09.01 - William Wood 06/09/2011 14:13:16.1.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.686 [GMT -4:00]
Running from: e:\combofix\ComboFix1.exe
AV: ESET Smart Security 4.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\17424164.exe
c:\documents and settings\All Users\Application Data\TpAjclBiRtJ.exe
c:\documents and settings\William Wood\Application Data\SystemProc
C:\LOG23C.tmp
C:\LOGD.tmp
c:\program files\FunWebProducts
c:\program files\FunWebProducts\Installr\1.bin\F3EZSETP.DLL
c:\program files\FunWebProducts\Installr\Cache\04292389.exe
c:\program files\FunWebProducts\Installr\Cache\files.ini
c:\program files\FunWebProducts\Installr\setups\mwsbarSp.exe
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\1.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
c:\program files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE
c:\program files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MEDINT.EXE
c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
c:\program files\MyWebSearch\bar\2.bin\F3DTACTL.DLL
c:\program files\MyWebSearch\bar\2.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\2.bin\F3HKSTUB.DLL
c:\program files\MyWebSearch\bar\2.bin\F3HTMLMU.DLL
c:\program files\MyWebSearch\bar\2.bin\F3HTTPCT.DLL
c:\program files\MyWebSearch\bar\2.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\2.bin\F3REGHK.DLL
c:\program files\MyWebSearch\bar\2.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\2.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\2.bin\M3FFXTBR.MANIFEST
c:\program files\MyWebSearch\bar\2.bin\M3HIGHIN.EXE
c:\program files\MyWebSearch\bar\2.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\2.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\2.bin\M3MEDINT.EXE
c:\program files\MyWebSearch\bar\2.bin\M3MSG.DLL
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\system32\_000005_.tmp.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-05-09 to 2011-06-09 )))))))))))))))))))))))))))))))
.
.
2011-06-09 18:05 . 2011-06-09 18:06 -------- d-----w- C:\ComboFix1
2011-06-09 17:51 . 2011-06-09 17:51 120832 ----a-w- c:\windows\system32\drivers\8433E8.tmp
2011-06-09 17:50 . 2011-06-09 17:50 120832 ----a-w- c:\windows\system32\drivers\10849.sys
2011-06-09 17:49 . 2011-06-09 17:49 120832 ----a-w- c:\windows\system32\drivers\6973E8.tmp
2011-06-09 17:48 . 2011-06-09 17:48 120832 ----a-w- c:\windows\system32\drivers\1293D.sys
2011-06-09 17:46 . 2011-06-09 17:46 120832 ----a-w- c:\windows\system32\drivers\5433E8.tmp
2011-06-09 17:45 . 2011-06-09 17:45 120832 ----a-w- c:\windows\system32\drivers\19938.sys
2011-06-09 17:44 . 2011-06-09 17:44 120832 ----a-w- c:\windows\system32\drivers\3783E8.tmp
2011-06-09 17:43 . 2011-06-09 17:43 120832 ----a-w- c:\windows\system32\drivers\82311.sys
2011-06-09 17:40 . 2011-06-09 17:40 120832 ----a-w- c:\windows\system32\drivers\1663E8.tmp
2011-06-09 17:40 . 2011-06-09 17:40 120832 ----a-w- c:\windows\system32\drivers\507D.sys
2011-06-09 17:33 . 2011-06-09 17:33 120832 ----a-w- c:\windows\system32\drivers\79073C.sys
2011-06-09 17:30 . 2011-06-09 17:30 120832 ----a-w- c:\windows\system32\drivers\3053E8.tmp
2011-06-09 17:27 . 2011-06-09 17:27 120832 ----a-w- c:\windows\system32\drivers\1593E8.tmp
2011-06-09 17:27 . 2011-06-09 17:27 120832 ----a-w- c:\windows\system32\drivers\3299.sys
2011-06-09 12:43 . 2011-06-09 12:43 120832 ---ha-w- c:\windows\system32\drivers\5473E8.tmp
2011-06-09 12:42 . 2011-06-09 12:42 120832 ---ha-w- c:\windows\system32\drivers\48436.sys
2011-06-09 12:40 . 2011-06-09 12:40 120832 ---ha-w- c:\windows\system32\drivers\86111.sys
2011-06-09 12:37 . 2011-06-09 12:37 120832 ---ha-w- c:\windows\system32\drivers\180D.sys
2011-06-09 12:19 . 2011-06-09 12:19 120832 ---ha-w- c:\windows\system32\drivers\682A.sys
2011-06-09 12:06 . 2011-06-09 12:06 120832 ---ha-w- c:\windows\system32\drivers\85422F7.sys
2011-06-09 12:04 . 2004-08-04 10:00 4224 ---ha-w- c:\windows\system32\beep.sys
2011-06-09 12:03 . 2011-06-09 12:03 120832 ---ha-w- c:\windows\system32\drivers\10722D5.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-15 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-11 148888]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-14 16132608]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]
.
c:\documents and settings\William Wood\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
PHONEslips.lnk - s:\pslips\PSWIN32.EXE [2009-6-11 8192]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^William Wood^Start Menu^Programs^Startup^PHONEslips.lnk]
path=c:\documents and settings\William Wood\Start Menu\Programs\Startup\PHONEslips.lnk
backup=c:\windows\pss\PHONEslips.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ---ha-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 17:09 460784 ---ha-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ---ha-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2007-10-11 21:02 1862144 ---ha-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ---ha-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2005-03-17 19:25 57393 ---ha-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 22:23 118784 ---h--w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ---ha-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 16:22 221184 ---ha-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 15:22 155648 ---ha-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-10-15 17:53 68856 ---ha-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\v8200\\DMMultiView\\MultiView.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [5/14/2009 3:47 PM 731840]
R2 MrHealthyService;MrHealthy;c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service --> c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service [?]
R2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]
.
Contents of the 'Scheduled Tasks' folder
.
2010-06-03 c:\windows\Tasks\Install.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2010-05-26 16:43]
.
2010-12-16 c:\windows\Tasks\Norton PC Checkup Weekday Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]
.
2011-03-20 c:\windows\Tasks\Norton PC Checkup Weekend Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: microsoft.com\www.update
TCP: DhcpNameServer = 24.25.5.60 24.25.5.61
DPF: {FEC048AB-277A-460C-BF50-1A4193AEF148} - hxxp://67.77.12.20/cab/DownloadCenter_8200.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-TpAjclBiRtJ - c:\documents and settings\All Users\Application Data\TpAjclBiRtJ.exe
SafeBoot-klmdb.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-09 14:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\2143E8]
"imagepath"="\??\c:\windows\TEMP\2143E8.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3684)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-06-09 14:30:31 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-09 18:30
.
Pre-Run: 62,951,350,272 bytes free
Post-Run: 63,245,922,304 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - C2EDE9E9CFE38ECB2A69E1494D755540
ComboFix 11-12-01.03 - Administrator 12/01/2011 14:54:44.2.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.805 [GMT -5:00]
Running from: e:\malware scanners\combofix\ComboFix.exe
AV: ESET Smart Security 4.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\usmt\migwiz_a.exe
c:\windows\system32\wpcap.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-11-01 to 2011-12-01 )))))))))))))))))))))))))))))))
.
.
2011-12-01 18:55 . 2011-12-01 19:27 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-10 14:22 . 2004-08-10 18:02 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2004-08-10 17:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2004-08-10 17:51 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2004-08-10 17:51 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20 . 2004-08-10 17:51 1858944 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-15 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-11 148888]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-14 16132608]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^William Wood^Start Menu^Programs^Startup^PHONEslips.lnk]
path=c:\documents and settings\William Wood\Start Menu\Programs\Startup\PHONEslips.lnk
backup=c:\windows\pss\PHONEslips.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 17:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2007-10-11 21:02 1862144 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2005-03-17 19:25 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 22:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 16:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 15:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-10-15 17:53 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\v8200\\DMMultiView\\MultiView.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 2:47 PM 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [5/14/2009 2:47 PM 731840]
R2 MrHealthyService;MrHealthy;c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service --> c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service [?]
R2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2010-06-03 c:\windows\Tasks\Install.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2010-05-26 16:43]
.
2010-12-16 c:\windows\Tasks\Norton PC Checkup Weekday Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]
.
2011-06-26 c:\windows\Tasks\Norton PC Checkup Weekend Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: microsoft.com\www.update
TCP: DhcpNameServer = 24.25.5.60 24.25.5.61
DPF: {FEC048AB-277A-460C-BF50-1A4193AEF148} - hxxp://67.77.12.20/cab/DownloadCenter_8200.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-01 15:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\2143E8]
"imagepath"="\??\c:\windows\TEMP\2143E8.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2128)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\Microsoft Office\Office12\ONENOTEM.EXE
c:\docume~1\WILLIA~1\LOCALS~1\Temp\tlx_app\_PSWIN32.EXE
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2011-12-01 15:09:03 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-01 20:09
ComboFix2.txt 2011-06-09 18:30
.
Pre-Run: 63,598,497,792 bytes free
Post-Run: 62,646,771,712 bytes free
.
- - End Of File - - E88120A37BF056110A23A6A6D98A5991
ComboFix 11-12-29.05 - William Wood 12/29/2011 18:11:01.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.631 [GMT -5:00]
Running from: c:\documents and settings\William Wood\Desktop\ComboFix1.exe
AV: ESET Smart Security 5.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\William Wood\Local Settings\Application Data\kfc.exe
c:\documents and settings\William Wood\Start Menu\Programs\Windows XP Restore
c:\documents and settings\William Wood\Start Menu\Programs\Windows XP Restore\Uninstall Windows XP Restore.lnk
c:\documents and settings\William Wood\Start Menu\Programs\Windows XP Restore\Windows XP Restore.lnk
c:\windows\$NtUninstallKB34301$\150179086\@
c:\windows\$NtUninstallKB34301$\150179086\bckfg.tmp
c:\windows\$NtUninstallKB34301$\150179086\cfg.ini
c:\windows\$NtUninstallKB34301$\150179086\Desktop.ini
c:\windows\$NtUninstallKB34301$\150179086\keywords
c:\windows\$NtUninstallKB34301$\150179086\kwrd.dll
c:\windows\$NtUninstallKB34301$\150179086\L\odetmngk
c:\windows\$NtUninstallKB34301$\150179086\lsflt7.ver
c:\windows\$NtUninstallKB34301$\150179086\U\00000001.@
c:\windows\$NtUninstallKB34301$\150179086\U\00000002.@
c:\windows\$NtUninstallKB34301$\150179086\U\00000004.@
c:\windows\$NtUninstallKB34301$\150179086\U\80000000.@
c:\windows\$NtUninstallKB34301$\150179086\U\80000004.@
c:\windows\$NtUninstallKB34301$\150179086\U\80000032.@
c:\windows\$NtUninstallKB34301$\17706080
c:\windows\system32\SET1256.tmp
c:\windows\system32\SET1481.tmp
c:\windows\system32\SET1939.tmp
c:\windows\system32\SET193D.tmp
c:\windows\system32\SET1941.tmp
c:\windows\system32\SET1947.tmp
c:\windows\system32\SET1AF7.tmp
c:\windows\system32\SET1C71.tmp
c:\windows\system32\SET1DA9.tmp
c:\windows\system32\SET1F61.tmp
c:\windows\system32\SET231F.tmp
c:\windows\system32\SET2328.tmp
c:\windows\system32\SET232E.tmp
c:\windows\system32\SET254F.tmp
c:\windows\system32\SET270D.tmp
c:\windows\system32\SET2712.tmp
c:\windows\system32\SET2717.tmp
c:\windows\system32\SET8C5.tmp
c:\windows\system32\SET8C6.tmp
c:\windows\system32\SET8C8.tmp
c:\windows\system32\SET8C9.tmp
c:\windows\system32\SET97C.tmp
c:\windows\system32\SET97D.tmp
c:\windows\system32\SETB69.tmp
c:\windows\system32\SETB6E.tmp
c:\windows\system32\SETB73.tmp
c:\windows\system32\SETB7B.tmp
c:\windows\system32\SETC92.tmp
c:\windows\system32\SETCAB.tmp
c:\windows\system32\SETCAC.tmp
c:\windows\system32\SETF55.tmp
c:\windows\$NtUninstallKB34301$ . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-29 )))))))))))))))))))))))))))))))
.
.
2011-12-29 22:49 . 2008-04-13 18:36 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2011-12-01 20:37 . 2011-12-01 20:37 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\ESET
2011-12-01 18:55 . 2011-12-01 20:20 -------- d-----w- c:\documents and settings\Administrator
2011-11-30 15:51 . 2011-11-30 22:01 -------- d--h--w- c:\documents and settings\William Wood\Application Data\B5A4E985
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 20:24 . 2011-06-09 18:37 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:25 . 2004-08-10 17:51 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2004-08-10 17:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-10 17:51 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-10 17:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2004-08-10 17:51 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-04 03:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-08-10 17:51 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2004-08-10 18:02 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-01_20.02.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-29 23:27 . 2011-12-29 23:27 16384 c:\windows\temp\Perflib_Perfdata_394.dat
+ 2011-12-29 23:25 . 2011-12-29 23:25 16384 c:\windows\temp\Perflib_Perfdata_25c.dat
- 2007-10-11 20:51 . 2011-07-08 13:49 46080 c:\windows\system32\tzchange.exe
+ 2007-10-11 20:51 . 2011-11-08 13:46 46080 c:\windows\system32\tzchange.exe
- 2004-08-10 17:51 . 2011-08-22 23:48 66560 c:\windows\system32\mshtmled.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 66560 c:\windows\system32\mshtmled.dll
+ 2007-08-13 23:54 . 2011-11-04 19:20 55296 c:\windows\system32\msfeedsbs.dll
- 2007-08-13 23:54 . 2011-08-22 23:48 55296 c:\windows\system32\msfeedsbs.dll
- 2004-08-10 17:51 . 2011-08-22 23:48 25600 c:\windows\system32\jsproxy.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 25600 c:\windows\system32\jsproxy.dll
+ 2009-05-14 19:49 . 2011-08-04 14:20 61936 c:\windows\system32\drivers\epfwtdi.sys
+ 2009-05-14 19:49 . 2011-08-09 14:37 39824 c:\windows\system32\drivers\epfwndis.sys
- 2009-06-16 15:40 . 2011-08-22 23:48 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2009-06-16 15:40 . 2011-11-04 19:20 12800 c:\windows\system32\dllcache\xpshims.dll
- 2004-08-10 17:51 . 2011-08-22 23:48 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 66560 c:\windows\system32\dllcache\mshtmled.dll
- 2007-12-11 20:35 . 2011-08-22 23:48 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2007-12-11 20:35 . 2011-11-04 19:20 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 43520 c:\windows\system32\dllcache\licmgr10.dll
- 2004-08-10 17:51 . 2011-08-22 23:48 43520 c:\windows\system32\dllcache\licmgr10.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2004-08-10 17:51 . 2011-08-22 23:48 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2009-12-14 07:08 . 2011-10-28 05:31 33280 c:\windows\system32\dllcache\csrsrv.dll
- 2009-12-14 07:08 . 2011-04-26 11:07 33280 c:\windows\system32\dllcache\csrsrv.dll
+ 2011-12-01 20:37 . 2011-12-01 20:37 10134 c:\windows\Installer\{22F97839-122D-4082-99D6-4AA6C36DF525}\callmsi.exe
+ 2011-12-14 12:52 . 2011-08-22 23:48 12800 c:\windows\ie8updates\KB2618444-IE8\xpshims.dll
+ 2011-12-14 12:52 . 2011-08-22 23:48 66560 c:\windows\ie8updates\KB2618444-IE8\mshtmled.dll
+ 2011-12-14 12:52 . 2011-08-22 23:48 55296 c:\windows\ie8updates\KB2618444-IE8\msfeedsbs.dll
+ 2011-12-14 12:52 . 2011-08-22 23:48 43520 c:\windows\ie8updates\KB2618444-IE8\licmgr10.dll
+ 2011-12-14 12:52 . 2011-08-22 23:48 25600 c:\windows\ie8updates\KB2618444-IE8\jsproxy.dll
- 2004-08-10 17:51 . 2011-08-22 23:48 105984 c:\windows\system32\url.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 105984 c:\windows\system32\url.dll
+ 2010-06-03 20:25 . 2011-12-01 20:20 970864 c:\windows\system32\Restore\rstrlog.dat
- 2004-08-10 17:51 . 2011-08-22 23:48 206848 c:\windows\system32\occache.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 206848 c:\windows\system32\occache.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 611840 c:\windows\system32\mstime.dll
- 2004-08-10 17:51 . 2011-08-22 23:48 611840 c:\windows\system32\mstime.dll
+ 2007-08-13 23:54 . 2011-11-04 19:20 602112 c:\windows\system32\msfeeds.dll
- 2007-08-13 23:54 . 2011-08-22 23:48 602112 c:\windows\system32\msfeeds.dll
- 2004-08-10 17:51 . 2011-08-22 23:48 184320 c:\windows\system32\iepeers.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 184320 c:\windows\system32\iepeers.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 387584 c:\windows\system32\iedkcs32.dll
- 2004-08-10 17:51 . 2011-08-22 23:48 387584 c:\windows\system32\iedkcs32.dll
+ 2004-08-10 17:51 . 2011-11-04 11:24 174080 c:\windows\system32\ie4uinit.exe
- 2004-08-10 17:51 . 2011-08-22 11:56 174080 c:\windows\system32\ie4uinit.exe
+ 2004-08-10 17:57 . 2011-12-15 12:33 246312 c:\windows\system32\FNTCACHE.DAT
- 2004-08-10 17:57 . 2011-10-13 15:39 246312 c:\windows\system32\FNTCACHE.DAT
+ 2009-05-14 19:49 . 2011-08-04 14:20 147480 c:\windows\system32\drivers\epfw.sys
+ 2009-05-14 19:47 . 2011-08-04 14:20 118104 c:\windows\system32\drivers\ehdrv.sys
+ 2009-05-14 19:41 . 2011-08-09 19:24 154136 c:\windows\system32\drivers\eamon.sys
+ 2004-08-10 17:51 . 2011-11-04 19:20 916992 c:\windows\system32\dllcache\wininet.dll
- 2004-08-10 17:51 . 2011-08-22 23:48 105984 c:\windows\system32\dllcache\url.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 105984 c:\windows\system32\dllcache\url.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 206848 c:\windows\system32\dllcache\occache.dll
- 2004-08-10 17:51 . 2011-08-22 23:48 206848 c:\windows\system32\dllcache\occache.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 611840 c:\windows\system32\dllcache\mstime.dll
- 2004-08-10 17:51 . 2011-08-22 23:48 611840 c:\windows\system32\dllcache\mstime.dll
+ 2007-12-11 20:35 . 2011-11-04 19:20 602112 c:\windows\system32\dllcache\msfeeds.dll
- 2007-12-11 20:35 . 2011-08-22 23:48 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-06-16 15:40 . 2011-11-04 19:20 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2009-06-16 15:40 . 2011-08-22 23:48 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2004-08-10 17:51 . 2011-08-22 23:48 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 184320 c:\windows\system32\dllcache\iepeers.dll
- 2010-06-09 12:25 . 2011-08-22 23:48 743424 c:\windows\system32\dllcache\iedvtool.dll
+ 2010-06-09 12:25 . 2011-11-04 19:20 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2004-08-10 17:51 . 2011-08-22 23:48 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2004-08-10 17:51 . 2011-11-04 11:24 174080 c:\windows\system32\dllcache\ie4uinit.exe
- 2004-08-10 17:51 . 2011-08-22 11:56 174080 c:\windows\system32\dllcache\ie4uinit.exe
+ 2011-02-09 13:53 . 2011-10-18 11:13 186880 c:\windows\system32\dllcache\encdec.dll
- 2011-02-09 13:53 . 2011-02-09 13:53 186880 c:\windows\system32\dllcache\encdec.dll
+ 2007-10-11 20:39 . 2011-12-29 17:05 262144 c:\windows\system32\config\systemprofile\ntuser.dat
- 2007-10-11 20:39 . 2007-10-11 20:39 262144 c:\windows\system32\config\systemprofile\ntuser.dat
+ 2011-12-01 20:37 . 2011-12-01 20:37 105624 c:\windows\Installer\{22F97839-122D-4082-99D6-4AA6C36DF525}\egui.exe
+ 2011-12-14 12:52 . 2011-08-22 23:48 916480 c:\windows\ie8updates\KB2618444-IE8\wininet.dll
+ 2011-12-14 12:52 . 2011-08-22 23:48 105984 c:\windows\ie8updates\KB2618444-IE8\url.dll
+ 2011-12-14 12:52 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2618444-IE8\spuninst\updspapi.dll
+ 2011-12-14 12:52 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2618444-IE8\spuninst\spuninst.exe
+ 2011-12-14 12:52 . 2011-08-22 23:48 206848 c:\windows\ie8updates\KB2618444-IE8\occache.dll
+ 2011-12-14 12:52 . 2011-08-22 23:48 611840 c:\windows\ie8updates\KB2618444-IE8\mstime.dll
+ 2011-12-14 12:52 . 2011-08-22 23:48 602112 c:\windows\ie8updates\KB2618444-IE8\msfeeds.dll
+ 2011-12-14 12:52 . 2011-08-22 23:48 247808 c:\windows\ie8updates\KB2618444-IE8\ieproxy.dll
+ 2011-12-14 12:52 . 2011-08-22 23:48 184320 c:\windows\ie8updates\KB2618444-IE8\iepeers.dll
+ 2011-12-14 12:52 . 2011-08-22 23:48 743424 c:\windows\ie8updates\KB2618444-IE8\iedvtool.dll
+ 2011-12-14 12:52 . 2011-08-22 23:48 387584 c:\windows\ie8updates\KB2618444-IE8\iedkcs32.dll
+ 2011-12-14 12:52 . 2011-08-22 11:56 174080 c:\windows\ie8updates\KB2618444-IE8\ie4uinit.exe
- 2004-08-10 17:51 . 2011-08-22 23:48 1212416 c:\windows\system32\urlmon.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 1212416 c:\windows\system32\urlmon.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 5978112 c:\windows\system32\mshtml.dll
+ 2007-08-13 23:34 . 2011-11-04 19:20 2000384 c:\windows\system32\iertutil.dll
- 2007-08-13 23:34 . 2011-08-22 23:48 2000384 c:\windows\system32\iertutil.dll
+ 2008-10-16 02:32 . 2011-11-23 13:25 1859584 c:\windows\system32\dllcache\win32k.sys
- 2004-08-10 17:51 . 2011-08-22 23:48 1212416 c:\windows\system32\dllcache\urlmon.dll
+ 2004-08-10 17:51 . 2011-11-04 19:20 1212416 c:\windows\system32\dllcache\urlmon.dll
+ 2010-07-16 12:05 . 2011-11-01 16:07 1288704 c:\windows\system32\dllcache\ole32.dll
+ 2009-04-16 07:32 . 2011-10-25 13:33 2192768 c:\windows\system32\dllcache\ntoskrnl.exe
- 2009-04-16 07:32 . 2010-12-09 13:38 2192768 c:\windows\system32\dllcache\ntoskrnl.exe
- 2009-04-16 07:32 . 2010-12-09 13:07 2027008 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2009-04-16 07:32 . 2011-10-25 12:52 2027008 c:\windows\system32\dllcache\ntkrpamp.exe
- 2009-02-07 23:02 . 2010-12-09 13:07 2069376 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2009-02-07 23:02 . 2011-10-25 12:52 2069376 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2009-04-16 07:32 . 2011-10-25 13:37 2148864 c:\windows\system32\dllcache\ntkrnlmp.exe
- 2009-04-16 07:32 . 2010-12-09 13:42 2148864 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2004-08-10 17:51 . 2011-11-04 19:20 5978112 c:\windows\system32\dllcache\mshtml.dll
+ 2007-12-11 20:35 . 2011-11-04 19:20 2000384 c:\windows\system32\dllcache\iertutil.dll
- 2007-12-11 20:35 . 2011-08-22 23:48 2000384 c:\windows\system32\dllcache\iertutil.dll
+ 2011-12-01 20:37 . 2011-12-01 20:37 1037824 c:\windows\Installer\debda.msi
+ 2011-12-14 12:52 . 2011-08-22 23:48 1212416 c:\windows\ie8updates\KB2618444-IE8\urlmon.dll
+ 2011-12-14 12:52 . 2011-10-03 08:35 5971456 c:\windows\ie8updates\KB2618444-IE8\mshtml.dll
+ 2011-12-14 12:52 . 2011-08-22 23:48 2000384 c:\windows\ie8updates\KB2618444-IE8\iertutil.dll
- 2009-04-16 07:32 . 2010-12-09 13:38 2192768 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2009-04-16 07:32 . 2011-10-25 13:33 2192768 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2009-04-16 07:32 . 2010-12-09 13:07 2027008 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2009-04-16 07:32 . 2011-10-25 12:52 2027008 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2009-02-07 23:02 . 2010-12-09 13:07 2069376 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2009-02-07 23:02 . 2011-10-25 12:52 2069376 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2009-04-16 07:32 . 2011-10-25 13:37 2148864 c:\windows\Driver Cache\i386\ntkrnlmp.exe
- 2009-04-16 07:32 . 2010-12-09 13:42 2148864 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2007-10-29 13:18 . 2011-12-14 12:50 52988224 c:\windows\system32\MRT.exe
- 2007-08-13 23:54 . 2011-08-23 21:48 11081728 c:\windows\system32\ieframe.dll
+ 2007-08-13 23:54 . 2011-11-04 19:20 11081728 c:\windows\system32\ieframe.dll
+ 2007-12-11 20:35 . 2011-11-04 19:20 11081728 c:\windows\system32\dllcache\ieframe.dll
- 2007-12-11 20:35 . 2011-08-23 21:48 11081728 c:\windows\system32\dllcache\ieframe.dll
+ 2011-12-14 12:52 . 2011-08-23 21:48 11081728 c:\windows\ie8updates\KB2618444-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-15 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-11 148888]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-14 16132608]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-09-22 3080264]
.
c:\documents and settings\William Wood\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
PHONEslips.lnk - s:\pslips\PSWIN32.EXE [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-9-16 972064]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^William Wood^Start Menu^Programs^Startup^PHONEslips.lnk]
path=c:\documents and settings\William Wood\Start Menu\Programs\Startup\PHONEslips.lnk
backup=c:\windows\pss\PHONEslips.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 17:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2007-10-11 21:02 1862144 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2005-03-17 19:25 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 22:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 16:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 15:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-10-15 17:53 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\v8200\\DMMultiView\\MultiView.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 2:47 PM 118104]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [9/22/2011 12:03 PM 974944]
R2 MrHealthyService;MrHealthy;c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service --> c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service [?]
R2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]
.
Contents of the 'Scheduled Tasks' folder
.
2010-06-03 c:\windows\Tasks\Install.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2010-05-26 16:43]
.
2010-12-16 c:\windows\Tasks\Norton PC Checkup Weekday Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]
.
2011-06-26 c:\windows\Tasks\Norton PC Checkup Weekend Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: microsoft.com\www.update
TCP: DhcpNameServer = 24.25.5.60 24.25.5.61
DPF: {FEC048AB-277A-460C-BF50-1A4193AEF148} - hxxp://67.77.12.20/cab/DownloadCenter_8200.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-29 18:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\2143E8]
"imagepath"="\??\c:\windows\TEMP\2143E8.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3880)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-12-29 18:32:42 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-29 23:32
ComboFix2.txt 2011-12-01 20:09
ComboFix3.txt 2011-06-09 18:30
.
Pre-Run: 61,582,532,608 bytes free
Post-Run: 61,941,448,704 bytes free
.
- - End Of File - - F29F1D689D9EA0A4E37107EB8BDD16CE
ComboFix 11-12-29.05 - William Wood 12/29/2011 19:12:57.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.640 [GMT -5:00]
Running from: c:\combofix1\ComboFix.exe
AV: ESET Smart Security 5.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\William Wood\Start Menu\Programs\Windows XP Restore
c:\documents and settings\William Wood\Start Menu\Programs\Windows XP Restore\Uninstall Windows XP Restore.lnk
c:\documents and settings\William Wood\Start Menu\Programs\Windows XP Restore\Windows XP Restore.lnk
C:\RECYCLER(2)
c:\recycler(2)\S-1-5-21-2623010235-2279801242-1299087553-1006(2)\INFO2
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-30 )))))))))))))))))))))))))))))))
.
.
2011-12-30 00:15 . 2011-12-30 00:15 -------- d-----w- c:\windows\LastGood
2011-12-29 23:57 . 2011-12-29 23:57 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-01 20:37 . 2011-12-01 20:37 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\ESET
2011-12-01 18:55 . 2011-12-29 23:57 -------- d-----w- c:\documents and settings\Administrator
2011-11-30 15:51 . 2011-11-30 22:01 -------- d--h--w- c:\documents and settings\William Wood\Application Data\B5A4E985
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-04 11:23 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec
2011-10-10 14:22 . 2004-08-10 18:02 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-01_20.02.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-30 00:12 . 2011-12-30 00:12 16384 c:\windows\temp\Perflib_Perfdata_2cc.dat
+ 2011-12-30 00:11 . 2011-12-30 00:11 16384 c:\windows\temp\Perflib_Perfdata_298.dat
+ 2009-05-14 19:49 . 2011-08-04 14:20 61936 c:\windows\system32\drivers\epfwtdi.sys
+ 2009-05-14 19:49 . 2011-08-09 14:37 39824 c:\windows\system32\drivers\epfwndis.sys
+ 2011-12-01 20:37 . 2011-12-01 20:37 10134 c:\windows\Installer\{22F97839-122D-4082-99D6-4AA6C36DF525}\callmsi.exe
+ 2011-12-29 22:49 . 2011-12-29 22:49 8192 c:\windows\ERDNT\subs(2)\Users(2)\00000008\UsrClass.dat
+ 2011-12-29 22:49 . 2011-12-29 22:49 8192 c:\windows\ERDNT\subs(2)\Users(2)\00000004(2)\UsrClass.dat
+ 2011-12-29 22:49 . 2011-12-29 22:49 8192 c:\windows\ERDNT\subs(2)\Users(2)\00000002(2)\UsrClass.dat
+ 2004-08-10 17:51 . 2011-08-22 23:48 916480 c:\windows\system32\wininet(3).dll
+ 2004-08-10 17:51 . 2011-08-22 23:48 105984 c:\windows\system32\url(3).dll
+ 2004-08-10 17:57 . 2011-12-29 23:58 246312 c:\windows\system32\FNTCACHE.DAT
- 2004-08-10 17:57 . 2011-10-13 15:39 246312 c:\windows\system32\FNTCACHE.DAT
+ 2009-05-14 19:49 . 2011-08-04 14:20 147480 c:\windows\system32\drivers\epfw.sys
+ 2009-05-14 19:47 . 2011-08-04 14:20 118104 c:\windows\system32\drivers\ehdrv.sys
+ 2009-05-14 19:41 . 2011-08-09 19:24 154136 c:\windows\system32\drivers\eamon.sys
+ 2011-12-29 23:53 . 2011-12-05 17:04 196126 c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
- 2011-12-01 18:56 . 2011-06-09 19:34 196126 c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
+ 2011-12-01 20:37 . 2011-12-01 20:37 105624 c:\windows\Installer\{22F97839-122D-4082-99D6-4AA6C36DF525}\egui.exe
+ 2011-12-29 22:49 . 2011-12-29 22:49 536576 c:\windows\ERDNT\subs(2)\Users(2)\00000007\NTUSER.DAT
+ 2011-12-29 22:49 . 2011-12-29 22:49 376832 c:\windows\ERDNT\subs(2)\Users(2)\00000006(2)\UsrClass.dat
+ 2011-12-29 22:49 . 2011-12-29 22:49 237568 c:\windows\ERDNT\subs(2)\Users(2)\00000003(2)\NTUSER.DAT
+ 2011-12-29 22:49 . 2011-12-29 22:49 233472 c:\windows\ERDNT\subs(2)\Users(2)\00000001(2)\NTUSER.DAT
+ 2004-08-10 17:51 . 2011-08-22 23:48 1212416 c:\windows\system32\urlmon(3).dll
+ 2010-06-03 20:25 . 2011-12-29 23:58 3299096 c:\windows\system32\Restore\rstrlog.dat
+ 2004-08-10 17:51 . 2010-07-16 12:05 1288192 c:\windows\system32\ole32(3).dll
+ 2011-12-01 20:37 . 2011-12-01 20:37 1037824 c:\windows\Installer\debda.msi
+ 2011-12-29 22:49 . 2011-12-29 22:49 3465216 c:\windows\ERDNT\subs(2)\Users(2)\00000005(2)\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-15 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-11 148888]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-14 16132608]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-09-22 3080264]
.
c:\documents and settings\William Wood\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
PHONEslips.lnk - s:\pslips\PSWIN32.EXE [2009-6-11 8192]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^William Wood^Start Menu^Programs^Startup^PHONEslips.lnk]
path=c:\documents and settings\William Wood\Start Menu\Programs\Startup\PHONEslips.lnk
backup=c:\windows\pss\PHONEslips.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 17:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2007-10-11 21:02 1862144 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2005-03-17 19:25 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 22:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 16:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 15:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-10-15 17:53 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\v8200\\DMMultiView\\MultiView.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 2:47 PM 118104]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [9/22/2011 12:03 PM 974944]
R2 MrHealthyService;MrHealthy;c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service --> c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service [?]
R2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]
.
Contents of the 'Scheduled Tasks' folder
.
2010-06-03 c:\windows\Tasks\Install.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2010-05-26 16:43]
.
2010-12-16 c:\windows\Tasks\Norton PC Checkup Weekday Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]
.
2011-06-26 c:\windows\Tasks\Norton PC Checkup Weekend Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: microsoft.com\www.update
TCP: DhcpNameServer = 24.25.5.60 24.25.5.61
DPF: {FEC048AB-277A-460C-BF50-1A4193AEF148} - hxxp://67.77.12.20/cab/DownloadCenter_8200.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-29 19:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\2143E8]
"imagepath"="\??\c:\windows\TEMP\2143E8.tmp"
.
Completion time: 2011-12-29 19:23:33
ComboFix-quarantined-files.txt 2011-12-30 00:23
ComboFix2.txt 2011-12-29 23:32
ComboFix3.txt 2011-12-01 20:09
ComboFix4.txt 2011-06-09 18:30
.
Pre-Run: 61,599,080,448 bytes free
Post-Run: 61,616,517,120 bytes free
.
- - End Of File - - 62BD542676DC214CFD0BAF95B000019F

#8 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:12:25 PM

Posted 06 January 2012 - 03:52 AM

Hi smithd!

Yes, I will send individual replies for each log. It didn't even cross my mind in my last transmission to break them up, even though I had trouble scanning thru them.

No worries.

Those logs were extremely helpful.

Please run this OTL Custom Scan below, ensuring you click on the NONE button.

OTL Custom Scan

We need to create a new OTL Report
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Click on the NONE button at the top.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    volsnap.sys
    atapi.sys
    explorer.exe
    winlogon.exe
    wininit.exe
    hlp.dat
    DSproct.sys
    packet.sys
    Pcmcia.sys
    PxHelp20.sys
    beep.sys
    /md5stop
    dir /s /a "c:\windows\$NtUninstallKB34301$" /c
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    
  • Push the Posted Image button.
  • One report will open, copy and paste it in a reply here:
  • OTL.txt <-- Will be opened


NEXT:



Farbar Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#9 smithd

smithd
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:25 AM

Posted 06 January 2012 - 05:25 PM

Hi Agent ST,
Here is the custom OTL scan:

OTL logfile created on: 1/6/2012 1:22:25 PM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\William Wood\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.10 Mb Total Physical Memory | 550.43 Mb Available Physical Memory | 54.33% Memory free
2.38 Gb Paging File | 2.02 Gb Available in Paging File | 84.83% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.45 Gb Total Space | 58.91 Gb Free Space | 79.12% Space Free | Partition Type: NTFS
Drive E: | 976.11 Mb Total Space | 909.66 Mb Free Space | 93.19% Space Free | Partition Type: FAT
Drive S: | 149.05 Gb Total Space | 144.96 Gb Free Space | 97.26% Space Free | Partition Type: NTFS

Computer Name: KENPC | User Name: William Wood | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk - C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe - ()
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe - (Intuit Inc.)
MsConfig - StartUpFolder: C:^Documents and Settings^William Wood^Start Menu^Programs^Startup^PHONEslips.lnk - - File not found
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: DellSupport - hkey= - key= - C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
MsConfig - StartUpReg: dscactivate - hkey= - key= - C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
MsConfig - StartUpReg: Google Desktop Search - hkey= - key= - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
MsConfig - StartUpReg: MSMSGS - hkey= - key= - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
MsConfig - StartUpReg: PaperPort PTD - hkey= - key= - C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)
MsConfig - StartUpReg: PDVDDXSrv - hkey= - key= - C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
MsConfig - StartUpReg: RoxioDragToDisc - hkey= - key= - C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe (Roxio)
MsConfig - StartUpReg: RoxWatchTray - hkey= - key= - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
MsConfig - StartUpReg: SSBkgdUpdate - hkey= - key= - C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Scansoft, Inc.)
MsConfig - StartUpReg: swg - hkey= - key= - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

SafeBootMin: AppMgmt - File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: klmdb.sys - Driver
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {0213C6AF-5562-4D09-884C-2ADCFC8C2F35} - Microsoft .NET Framework 1.1 Security Update (KB2656353)
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Adobe Shockwave Director 10.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Adobe Shockwave Director 10.4
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73fa19d0-2d75-11d2-995d-00c04f98bbc9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {8b15971b-5355-4c82-8c07-7e181ea07608} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {94de52c8-2d59-4f1b-883e-79663d2d9a8c} - Fax Provider
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{1674ae1f-f852-4ab5-a1a0-3bd7ed664745} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.geoadpcm - C:\WINDOWS\system32\v8200\GEO-ADPCM\2007.8.13.17.32\GeoADPCM.acm (GeoVision Inc.)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.dmb1 - C:\WINDOWS\m3jpeg32.dll (Morgan Multimedia)
Drivers32: vidc.G264 - C:\WINDOWS\system32\v8300\GEO-H264\2008.11.17.11.45\GX264.dll (GeoVision)
Drivers32: vidc.G26S - C:\WINDOWS\system32\v8300\GEO-H264\2008.11.17.11.45\GX264D.dll (GeoVision)
Drivers32: vidc.GAVC - C:\WINDOWS\system32\v8310\GEO-H264-V2\2009.4.14.19.37\GXAVC.dll (GeoVision)
Drivers32: vidc.GAVS - C:\WINDOWS\system32\v8310\GEO-H264-V2\2009.4.14.19.37\GXAVCD.dll (GeoVision)
Drivers32: vidc.GEOS - C:\WINDOWS\system32\v8300\GEO-MPEG4\2008.11.21.11.52\GeoCodecD.dll (GeoVision)
Drivers32: vidc.GEOV - C:\WINDOWS\system32\v8300\GEO-MPEG4\2008.11.21.11.52\GeoCodec.dll (GeoVision)
Drivers32: vidc.GEOX - C:\WINDOWS\system32\v8300\GEO-MPEG4\2008.11.21.11.52\GeoCodec.dll (GeoVision)
Drivers32: vidc.GJPG - C:\WINDOWS\system32\v8310\GEO-JPEG\2009.2.13.11.5\GXJPG.dll (GeoVision)
Drivers32: vidc.GM20 - C:\WINDOWS\system32\v8300\GEO-MPEG2\2008.12.16.16.38\GXGM20.dll (GeoVision Inc.)
Drivers32: vidc.GM40 - C:\WINDOWS\system32\v8310\GEO-MPEG4-ASP\2009.4.13.18.50\GXAMP4.dll (GeoVision)
Drivers32: vidc.GM4H - C:\WINDOWS\system32\v8310\GEO-MPEG4-ASP\2009.4.13.18.50\GXAMP4D.dll (GeoVision)
Drivers32: vidc.GM4S - C:\WINDOWS\system32\v8310\GEO-MPEG4-ASP\2009.4.13.18.50\GXAMP4D.dll (GeoVision)
Drivers32: vidc.GMP4 - C:\WINDOWS\system32\v8310\GEO-MPEG4-ASP\2009.4.13.18.50\GXAMP4.dll (GeoVision)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\ir50_32.dll (Ligos Corporation)
Drivers32: vidc.MJPG - C:\WINDOWS\m3jpeg32.dll (Morgan Multimedia)
Drivers32: vidc.mpg2 - C:\WINDOWS\mpg4c32.dll (Microsoft Corporation)
Drivers32: vidc.mpg3 - C:\WINDOWS\mpg4c32.dll (Microsoft Corporation)
Drivers32: vidc.mpg4 - C:\WINDOWS\mpg4c32.dll (Microsoft Corporation)

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: ATAPI.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2010/06/04 09:24:57 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2010/06/04 09:24:57 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2006/08/28 02:02:10 | 000,095,872 | ---- | M] (Microsoft Corporation) MD5=40CAACE7F2E7668148A1D45CF91E1131 -- C:\i386\atapi.sys
[2006/08/27 21:02:10 | 000,095,872 | ---- | M] (Microsoft Corporation) MD5=40CAACE7F2E7668148A1D45CF91E1131 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2006/08/27 21:02:10 | 000,095,872 | ---- | M] (Microsoft Corporation) MD5=40CAACE7F2E7668148A1D45CF91E1131 -- C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
[2006/08/27 21:02:10 | 000,095,872 | ---- | M] (Microsoft Corporation) MD5=40CAACE7F2E7668148A1D45CF91E1131 -- C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: BEEP.SYS >
[2004/08/04 05:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\i386\beep.sys
[2004/08/04 05:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\WINDOWS\ERDNT\cache\beep.sys
[2004/08/04 05:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\WINDOWS\system32\beep.sys
[2004/08/04 05:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\WINDOWS\system32\dllcache\beep.sys
[2004/08/04 05:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=DA1F27D85E0D1525F6621372E7B685E9 -- C:\WINDOWS\system32\drivers\beep.sys

< MD5 for: DSPROCT.SYS >
[2006/10/05 17:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) MD5=413F2D5F9D802688242C23B38F767ECB -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys

< MD5 for: EXPLORER.EXE >
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2007/06/13 06:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\i386\explorer.exe
[2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2004/08/04 05:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

< MD5 for: PACKET.SYS >
[2006/12/18 19:01:20 | 000,012,672 | ---- | M] (SingleClick Systems) MD5=8F856DAE19383BD69DB444004D5D4F50 -- C:\i386\packet.sys
[2006/12/18 19:01:20 | 000,012,672 | ---- | M] (SingleClick Systems) MD5=8F856DAE19383BD69DB444004D5D4F50 -- C:\Program Files\Dell Network Assistant\Drivers\XP\packet.sys
[2006/12/18 19:01:20 | 000,012,672 | ---- | M] (SingleClick Systems) MD5=8F856DAE19383BD69DB444004D5D4F50 -- C:\WINDOWS\system32\drivers\packet.sys
[2006/12/18 19:00:32 | 000,012,672 | ---- | M] (SingleClick Systems) MD5=A9A78BBC490D0FC81F14CDC8951137A6 -- C:\Program Files\Dell Network Assistant\Drivers\W2K\packet.sys
[2007/05/04 13:37:16 | 000,012,672 | ---- | M] (SingleClick Systems) MD5=D431240D8EAF1CF5D79D639FF272971B -- C:\Program Files\Dell Network Assistant\Drivers\WIN2000\packet.sys

< MD5 for: PCMCIA.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:Pcmcia.sys
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:Pcmcia.sys
[2010/06/04 09:24:57 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:Pcmcia.sys
[2010/06/04 09:24:57 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:Pcmcia.sys
[2004/08/04 05:00:00 | 000,119,936 | ---- | M] (Microsoft Corporation) MD5=82A087207DECEC8456FBE8537947D579 -- C:\i386\pcmcia.sys
[2004/08/04 05:00:00 | 000,119,936 | ---- | M] (Microsoft Corporation) MD5=82A087207DECEC8456FBE8537947D579 -- C:\WINDOWS\$NtServicePackUninstall$\pcmcia.sys
[2008/04/13 13:36:43 | 000,120,192 | ---- | M] (Microsoft Corporation) MD5=9E89EF60E9EE05E3F2EEF2DA7397F1C1 -- C:\WINDOWS\ServicePackFiles\i386\pcmcia.sys
[2008/04/13 13:36:43 | 000,120,192 | ---- | M] (Microsoft Corporation) MD5=9E89EF60E9EE05E3F2EEF2DA7397F1C1 -- C:\WINDOWS\system32\drivers\pcmcia.sys

< MD5 for: PXHELP20.SYS >
[2006/07/24 03:00:00 | 000,036,528 | ---- | M] (Sonic Solutions) MD5=FEFFCFDC528764A04C8ED63D5FA6E711 -- C:\i386\pxhelp20.sys
[2006/07/24 03:00:00 | 000,036,528 | ---- | M] (Sonic Solutions) MD5=FEFFCFDC528764A04C8ED63D5FA6E711 -- C:\WINDOWS\system32\drivers\pxhelp20.sys

< MD5 for: VOLSNAP.SYS >
[2008/04/13 13:41:01 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\ServicePackFiles\i386\volsnap.sys
[2011/06/09 13:34:31 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\system32\drivers\volsnap.sys
[2004/08/04 05:00:00 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=EE4660083DEBA849FF6C485D944B379B -- C:\i386\volsnap.sys
[2004/08/04 05:00:00 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=EE4660083DEBA849FF6C485D944B379B -- C:\WINDOWS\$NtServicePackUninstall$\volsnap.sys

< MD5 for: WINLOGON.EXE >
[2004/08/04 05:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\i386\winlogon.exe
[2004/08/04 05:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< dir /s /a "c:\windows\$NtUninstallKB34301$" /c >
Volume in drive C has no label.
Volume Serial Number is 907B-713B
Directory of C:\WINDOWS\$NTUNINSTALLKB34301$
12/29/2011 06:20 PM <DIR> .
12/29/2011 06:20 PM <DIR> ..
12/29/2011 06:56 PM <DIR> 150179086
0 File(s) 0 bytes
Directory of C:\WINDOWS\$NTUNINSTALLKB34301$\150179086
12/29/2011 06:56 PM <DIR> .
12/29/2011 06:56 PM <DIR> ..
0 File(s) 0 bytes
Total Files Listed:
0 File(s) 0 bytes
5 Dir(s) 63,251,439,616 bytes free

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -preferences
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -safe-mode
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/11/04 06:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/11/04 06:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/11/04 06:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -preferences
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -safe-mode
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/11/04 06:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/11/04 06:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/11/04 06:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< End of report >

#10 smithd

smithd
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:25 AM

Posted 06 January 2012 - 05:26 PM

Hi Agent ST,
Here is the FarBar scan:

Farbar Service Scanner
Ran by William Wood (administrator) on 06-01-2012 at 13:27:50
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Epfwndis(11) epfwtdi(12) Gpc(6) IPSec(4) NetBT(5) Packet(8) PSched(7) Tcpip(3)
0x0C000000040000000100000002000000030000000C0000000A00000005000000060000000700000008000000090000000B000000
IpSec Tag value is correct.

**** End of log ****

#11 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:12:25 PM

Posted 07 January 2012 - 02:20 AM

Hi!

Please run this ComboFix script;

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
Folder::
c:\windows\$NtUninstallKB34301$

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT:



Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update have been completed, Select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as it is and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Checked (ticked) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, the place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NEXT:



Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#12 smithd

smithd
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:25 AM

Posted 07 January 2012 - 12:44 PM

Hi Agent ST
It will be Monday before I can get back to the problem computer. Have a good weekend
Don

#13 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:12:25 PM

Posted 08 January 2012 - 06:03 AM

Hi Don,

Thanks for letting me know! I'll look forward to your response on Monday.

SweetTech.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#14 smithd

smithd
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:25 AM

Posted 09 January 2012 - 05:37 PM

Hi Agent ST,
I have the scans and will post them. FYI, I turned off the ESET security before running ComboFix scan 1. However, it detected a rootkit and rebooted. This turned ESET back on and it popped with with a notification that it found and removed a .txt threat. I let the ComboFix finish and am posting it's log as ComboFix1.txt. It then uninstalled ESET and ran ComboFix a second time. This time it DID NOT find a rootkit (yea!), and continued without rebooting. I will attach that log as ComboFix2.txt. The other logs (MalwareBytes, ESET Online-Scanner (which found a torjan as noted, and Security Check) will be posted as well.
Thanks
Don

ComboFix1.txt
ComboFix 12-01-09.03 - William Wood 01/09/2012 13:50:14.8.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.645 [GMT -5:00]
Running from: c:\documents and settings\William Wood\Desktop\ComboFix1.exe
Command switches used :: c:\documents and settings\William Wood\Desktop\CFScript.txt
AV: ESET Smart Security 5.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Created a new restore point
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstaLLKB34301$
.
.
((((((((((((((((((((((((( Files Created from 2011-12-09 to 2012-01-09 )))))))))))))))))))))))))))))))
.
.
2012-01-03 20:28 . 2012-01-03 20:50 -------- d-----w- C:\sh4ldr
2012-01-03 20:28 . 2012-01-03 20:28 -------- d-----w- c:\program files\Enigma Software Group
2012-01-03 20:27 . 2012-01-03 20:49 -------- d-----w- c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP
2012-01-03 20:27 . 2012-01-03 20:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2011-12-29 23:57 . 2011-12-29 23:57 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:25 . 2004-08-10 17:51 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2004-08-10 17:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-10 17:51 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-10 17:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2004-08-10 17:51 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-04 03:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-08-10 17:51 186880 ----a-w- c:\windows\system32\encdec.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-01-03_17.43.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-09 18:58 . 2012-01-09 18:58 16384 c:\windows\temp\Perflib_Perfdata_29c.dat
+ 2012-01-03 21:04 . 2012-01-03 21:04 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\750de53f30e516eb2c62de9bab7954e9\System.Web.DynamicData.Design.ni.dll
+ 2012-01-03 20:49 . 2012-01-03 20:49 27499 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCall.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 129536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\0bda7bdfaf440d5dd4bc6a1dea7ffa39\System.Web.Routing.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\6e29f9faa74a48b83a13a3413b826295\System.Web.Extensions.Design.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\be8965fe859bc53dff61579bf626858b\System.Web.Entity.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\8441b3eb247e0344fede848337ee911c\System.Web.Entity.Design.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\09c6a41f187ba483486cdb92dad714a1\System.Web.DynamicData.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\5efb726d424b9712632eff749411fa89\System.Web.Abstractions.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 756736 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\f374e8e7849a72d1470b4a6a0771a137\System.Data.Entity.Design.ni.dll
+ 2012-01-03 21:03 . 2012-01-03 21:03 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\439732479756e0f6df88d29e50a402bf\ServiceModelReg.ni.exe
+ 2012-01-03 20:27 . 2012-01-03 20:27 180382 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla21.exe
+ 2012-01-03 20:49 . 2012-01-03 20:49 180382 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla21.dll
+ 2012-01-03 20:49 . 2012-01-03 20:49 175992 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla20.dll
+ 2012-01-03 20:49 . 2012-01-03 20:49 176035 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla2.dll
+ 2012-01-03 20:49 . 2012-01-03 20:49 176035 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla19.dll
+ 2012-01-03 20:49 . 2012-01-03 20:49 179340 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla18.exe
+ 2012-01-03 20:49 . 2012-01-03 20:49 176545 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla17.dll
+ 2012-01-03 20:49 . 2012-01-03 20:49 179340 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla.dll
+ 2012-01-03 21:05 . 2012-01-03 21:05 1356288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\05c29118462056cf810df0b6aa660d05\System.WorkflowServices.ni.dll
+ 2012-01-03 21:05 . 2012-01-03 21:05 1908224 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\26b3258c559dc0ab6bdce481ffd458b3\System.Workflow.Runtime.ni.dll
+ 2012-01-03 21:05 . 2012-01-03 21:05 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\1642d1b72cd84caf24cbe7c5e8fd8368\System.Workflow.ComponentModel.ni.dll
+ 2012-01-03 21:05 . 2012-01-03 21:05 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\32ce12c3c2049f2df94c44c94b052e16\System.Workflow.Activities.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:05 1840640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\f63ae1310e004777e880f28377bcddd2\System.Web.Services.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\c99b02434e71ca9898bebbc08d63e885\System.Web.Mobile.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 2405888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\c8f78b9e94857fdf6c2a378dd1629ee0\System.Web.Extensions.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\ae749b024162e9ac79110c633b5ce6be\System.ServiceModel.Web.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 1328128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\f35064c125799df650c1a959d8fa450b\System.Data.Services.ni.dll
+ 2012-01-03 21:03 . 2012-01-03 21:03 1712128 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\a86c12788293105a0d9fda1bc90c90bc\Microsoft.VisualBasic.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 11817472 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\62e34cfb5a8b233667c7c5a47a32ad93\System.Web.ni.dll
+ 2012-01-03 21:03 . 2012-01-03 21:03 17403904 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\2dac4fc006596760cd4988d0bfd52ff0\System.ServiceModel.ni.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-15 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-11 148888]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-14 16132608]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-09-22 3080264]
.
c:\documents and settings\William Wood\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
PHONEslips.lnk - s:\pslips\PSWIN32.EXE [2009-6-11 8192]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^William Wood^Start Menu^Programs^Startup^PHONEslips.lnk]
path=c:\documents and settings\William Wood\Start Menu\Programs\Startup\PHONEslips.lnk
backup=c:\windows\pss\PHONEslips.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 17:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2007-10-11 21:02 1862144 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2005-03-17 19:25 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 22:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 16:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 15:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-10-15 17:53 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\v8200\\DMMultiView\\MultiView.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 2:47 PM 118104]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [9/22/2011 12:03 PM 974944]
R2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2010-06-03 c:\windows\Tasks\Install.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2010-05-26 16:43]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: microsoft.com\www.update
TCP: DhcpNameServer = 24.25.5.60 24.25.5.61
DPF: {FEC048AB-277A-460C-BF50-1A4193AEF148} - hxxp://67.77.12.20/cab/DownloadCenter_8200.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-09 13:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\2143E8]
"imagepath"="\??\c:\windows\TEMP\2143E8.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3492)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-01-09 14:04:59 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-09 19:04
ComboFix2.txt 2012-01-03 21:09
ComboFix3.txt 2012-01-03 19:11
ComboFix4.txt 2012-01-03 17:46
ComboFix5.txt 2012-01-09 18:43
.
Pre-Run: 63,286,145,024 bytes free
Post-Run: 63,287,791,616 bytes free
.
- - End Of File - - CDB86D9DE31455BC1623582C8090A9BE

Here is ComboFix2.txt log

ComboFix 12-01-09.03 - William Wood 01/09/2012 14:17:22.9.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.568 [GMT -5:00]
Running from: c:\documents and settings\William Wood\Desktop\ComboFix1.exe
Command switches used :: c:\documents and settings\William Wood\Desktop\CFScript.txt
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-09 to 2012-01-09 )))))))))))))))))))))))))))))))
.
.
2012-01-03 20:28 . 2012-01-03 20:50 -------- d-----w- C:\sh4ldr
2012-01-03 20:28 . 2012-01-03 20:28 -------- d-----w- c:\program files\Enigma Software Group
2012-01-03 20:27 . 2012-01-03 20:49 -------- d-----w- c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP
2012-01-03 20:27 . 2012-01-03 20:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2011-12-29 23:57 . 2011-12-29 23:57 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:25 . 2004-08-10 17:51 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2004-08-10 17:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-10 17:51 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-10 17:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2004-08-10 17:51 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-04 03:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-08-10 17:51 186880 ----a-w- c:\windows\system32\encdec.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-01-03_17.43.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-09 19:24 . 2012-01-09 19:24 16384 c:\windows\temp\Perflib_Perfdata_784.dat
+ 2012-01-03 21:04 . 2012-01-03 21:04 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\750de53f30e516eb2c62de9bab7954e9\System.Web.DynamicData.Design.ni.dll
+ 2012-01-03 20:49 . 2012-01-03 20:49 27499 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCall.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 129536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\0bda7bdfaf440d5dd4bc6a1dea7ffa39\System.Web.Routing.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\6e29f9faa74a48b83a13a3413b826295\System.Web.Extensions.Design.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\be8965fe859bc53dff61579bf626858b\System.Web.Entity.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\8441b3eb247e0344fede848337ee911c\System.Web.Entity.Design.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\09c6a41f187ba483486cdb92dad714a1\System.Web.DynamicData.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\5efb726d424b9712632eff749411fa89\System.Web.Abstractions.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 756736 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\f374e8e7849a72d1470b4a6a0771a137\System.Data.Entity.Design.ni.dll
+ 2012-01-03 21:03 . 2012-01-03 21:03 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\439732479756e0f6df88d29e50a402bf\ServiceModelReg.ni.exe
+ 2012-01-03 20:27 . 2012-01-03 20:27 180382 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla21.exe
+ 2012-01-03 20:49 . 2012-01-03 20:49 180382 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla21.dll
+ 2012-01-03 20:49 . 2012-01-03 20:49 175992 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla20.dll
+ 2012-01-03 20:49 . 2012-01-03 20:49 176035 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla2.dll
+ 2012-01-03 20:49 . 2012-01-03 20:49 176035 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla19.dll
+ 2012-01-03 20:49 . 2012-01-03 20:49 179340 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla18.exe
+ 2012-01-03 20:49 . 2012-01-03 20:49 176545 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla17.dll
+ 2012-01-03 20:49 . 2012-01-03 20:49 179340 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla.dll
+ 2012-01-03 21:05 . 2012-01-03 21:05 1356288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\05c29118462056cf810df0b6aa660d05\System.WorkflowServices.ni.dll
+ 2012-01-03 21:05 . 2012-01-03 21:05 1908224 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\26b3258c559dc0ab6bdce481ffd458b3\System.Workflow.Runtime.ni.dll
+ 2012-01-03 21:05 . 2012-01-03 21:05 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\1642d1b72cd84caf24cbe7c5e8fd8368\System.Workflow.ComponentModel.ni.dll
+ 2012-01-03 21:05 . 2012-01-03 21:05 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\32ce12c3c2049f2df94c44c94b052e16\System.Workflow.Activities.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:05 1840640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\f63ae1310e004777e880f28377bcddd2\System.Web.Services.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\c99b02434e71ca9898bebbc08d63e885\System.Web.Mobile.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 2405888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\c8f78b9e94857fdf6c2a378dd1629ee0\System.Web.Extensions.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\ae749b024162e9ac79110c633b5ce6be\System.ServiceModel.Web.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 1328128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\f35064c125799df650c1a959d8fa450b\System.Data.Services.ni.dll
+ 2012-01-03 21:03 . 2012-01-03 21:03 1712128 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\a86c12788293105a0d9fda1bc90c90bc\Microsoft.VisualBasic.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 11817472 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\62e34cfb5a8b233667c7c5a47a32ad93\System.Web.ni.dll
+ 2012-01-03 21:03 . 2012-01-03 21:03 17403904 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\2dac4fc006596760cd4988d0bfd52ff0\System.ServiceModel.ni.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-15 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-11 148888]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-14 16132608]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
.
c:\documents and settings\William Wood\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^William Wood^Start Menu^Programs^Startup^PHONEslips.lnk]
path=c:\documents and settings\William Wood\Start Menu\Programs\Startup\PHONEslips.lnk
backup=c:\windows\pss\PHONEslips.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 17:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2007-10-11 21:02 1862144 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2005-03-17 19:25 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 22:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 16:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 15:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-10-15 17:53 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\v8200\\DMMultiView\\MultiView.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
.
R2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2010-06-03 c:\windows\Tasks\Install.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2010-05-26 16:43]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: microsoft.com\www.update
TCP: DhcpNameServer = 24.25.5.60 24.25.5.61
DPF: {FEC048AB-277A-460C-BF50-1A4193AEF148} - hxxp://67.77.12.20/cab/DownloadCenter_8200.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-09 14:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\2143E8]
"imagepath"="\??\c:\windows\TEMP\2143E8.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2944)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
.
**************************************************************************
.
Completion time: 2012-01-09 14:28:54 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-09 19:28
ComboFix2.txt 2012-01-09 19:04
ComboFix3.txt 2012-01-03 21:09
ComboFix4.txt 2012-01-03 19:11
ComboFix5.txt 2012-01-09 19:16
.
Pre-Run: 63,531,085,824 bytes free
Post-Run: 63,511,851,008 bytes free
.
- - End Of File - - B1BBC9A5B082FD7D88C3672383FE92D9

#15 smithd

smithd
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:25 AM

Posted 09 January 2012 - 05:48 PM

I inadvertently added the comboFix2.txt log with the ComboFix1.txt log. I will readd it here to make finding it a little easier

ComboFix 12-01-09.03 - William Wood 01/09/2012 14:17:22.9.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.568 [GMT -5:00]
Running from: c:\documents and settings\William Wood\Desktop\ComboFix1.exe
Command switches used :: c:\documents and settings\William Wood\Desktop\CFScript.txt
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-09 to 2012-01-09 )))))))))))))))))))))))))))))))
.
.
2012-01-03 20:28 . 2012-01-03 20:50 -------- d-----w- C:\sh4ldr
2012-01-03 20:28 . 2012-01-03 20:28 -------- d-----w- c:\program files\Enigma Software Group
2012-01-03 20:27 . 2012-01-03 20:49 -------- d-----w- c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP
2012-01-03 20:27 . 2012-01-03 20:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2011-12-29 23:57 . 2011-12-29 23:57 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:25 . 2004-08-10 17:51 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2004-08-10 17:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-10 17:51 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-10 17:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2004-08-10 17:51 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-04 03:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-08-10 17:51 186880 ----a-w- c:\windows\system32\encdec.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-01-03_17.43.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-09 19:24 . 2012-01-09 19:24 16384 c:\windows\temp\Perflib_Perfdata_784.dat
+ 2012-01-03 21:04 . 2012-01-03 21:04 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\750de53f30e516eb2c62de9bab7954e9\System.Web.DynamicData.Design.ni.dll
+ 2012-01-03 20:49 . 2012-01-03 20:49 27499 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCall.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 129536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\0bda7bdfaf440d5dd4bc6a1dea7ffa39\System.Web.Routing.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\6e29f9faa74a48b83a13a3413b826295\System.Web.Extensions.Design.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\be8965fe859bc53dff61579bf626858b\System.Web.Entity.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\8441b3eb247e0344fede848337ee911c\System.Web.Entity.Design.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\09c6a41f187ba483486cdb92dad714a1\System.Web.DynamicData.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\5efb726d424b9712632eff749411fa89\System.Web.Abstractions.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 756736 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\f374e8e7849a72d1470b4a6a0771a137\System.Data.Entity.Design.ni.dll
+ 2012-01-03 21:03 . 2012-01-03 21:03 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\439732479756e0f6df88d29e50a402bf\ServiceModelReg.ni.exe
+ 2012-01-03 20:27 . 2012-01-03 20:27 180382 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla21.exe
+ 2012-01-03 20:49 . 2012-01-03 20:49 180382 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla21.dll
+ 2012-01-03 20:49 . 2012-01-03 20:49 175992 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla20.dll
+ 2012-01-03 20:49 . 2012-01-03 20:49 176035 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla2.dll
+ 2012-01-03 20:49 . 2012-01-03 20:49 176035 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla19.dll
+ 2012-01-03 20:49 . 2012-01-03 20:49 179340 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla18.exe
+ 2012-01-03 20:49 . 2012-01-03 20:49 176545 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla17.dll
+ 2012-01-03 20:49 . 2012-01-03 20:49 179340 c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP\WiseCustomCalla.dll
+ 2012-01-03 21:05 . 2012-01-03 21:05 1356288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\05c29118462056cf810df0b6aa660d05\System.WorkflowServices.ni.dll
+ 2012-01-03 21:05 . 2012-01-03 21:05 1908224 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\26b3258c559dc0ab6bdce481ffd458b3\System.Workflow.Runtime.ni.dll
+ 2012-01-03 21:05 . 2012-01-03 21:05 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\1642d1b72cd84caf24cbe7c5e8fd8368\System.Workflow.ComponentModel.ni.dll
+ 2012-01-03 21:05 . 2012-01-03 21:05 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\32ce12c3c2049f2df94c44c94b052e16\System.Workflow.Activities.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:05 1840640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\f63ae1310e004777e880f28377bcddd2\System.Web.Services.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\c99b02434e71ca9898bebbc08d63e885\System.Web.Mobile.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 2405888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\c8f78b9e94857fdf6c2a378dd1629ee0\System.Web.Extensions.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\ae749b024162e9ac79110c633b5ce6be\System.ServiceModel.Web.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 1328128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\f35064c125799df650c1a959d8fa450b\System.Data.Services.ni.dll
+ 2012-01-03 21:03 . 2012-01-03 21:03 1712128 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\a86c12788293105a0d9fda1bc90c90bc\Microsoft.VisualBasic.ni.dll
+ 2012-01-03 21:04 . 2012-01-03 21:04 11817472 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\62e34cfb5a8b233667c7c5a47a32ad93\System.Web.ni.dll
+ 2012-01-03 21:03 . 2012-01-03 21:03 17403904 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\2dac4fc006596760cd4988d0bfd52ff0\System.ServiceModel.ni.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-15 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-11 148888]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-14 16132608]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
.
c:\documents and settings\William Wood\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^William Wood^Start Menu^Programs^Startup^PHONEslips.lnk]
path=c:\documents and settings\William Wood\Start Menu\Programs\Startup\PHONEslips.lnk
backup=c:\windows\pss\PHONEslips.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 17:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2007-10-11 21:02 1862144 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2005-03-17 19:25 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 22:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 16:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 15:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-10-15 17:53 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\v8200\\DMMultiView\\MultiView.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
.
R2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2010-06-03 c:\windows\Tasks\Install.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2010-05-26 16:43]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: microsoft.com\www.update
TCP: DhcpNameServer = 24.25.5.60 24.25.5.61
DPF: {FEC048AB-277A-460C-BF50-1A4193AEF148} - hxxp://67.77.12.20/cab/DownloadCenter_8200.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-09 14:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\2143E8]
"imagepath"="\??\c:\windows\TEMP\2143E8.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2944)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
.
**************************************************************************
.
Completion time: 2012-01-09 14:28:54 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-09 19:28
ComboFix2.txt 2012-01-09 19:04
ComboFix3.txt 2012-01-03 21:09
ComboFix4.txt 2012-01-03 19:11
ComboFix5.txt 2012-01-09 19:16
.
Pre-Run: 63,531,085,824 bytes free
Post-Run: 63,511,851,008 bytes free
.
- - End Of File - - B1BBC9A5B082FD7D88C3672383FE92D9

Here is MalwareByes Log

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.09.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
William Wood :: KENPC [administrator]

1/9/2012 2:34:21 PM
mbam-log-2012-01-09 (14-34-21).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 212894
Time elapsed: 3 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users