Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Removed XP Security 2012 and System Check but still getting redirects.


  • This topic is locked This topic is locked
41 replies to this topic

#1 Dylan Kerr

Dylan Kerr

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:12:22 PM

Posted 08 January 2012 - 03:38 PM

I'm new to the site and hoping you can help (I'm not getting assistance from anyone else). I have two Windows XP login profiles set up (Sara and Dylan). Sara got hit with XP Security 2012 and System Check, and Dylan got hit with System Check. I tried the self-help guide but initially couldn't get RKill to end the process (I tried all the suggested name variants and a few of my own). Also, I couldn't get my laptop to run in safe mode for more than a couple of minutes before it automatically shut down. I found a registration key to temporarily bypass XP Security 2012 which allowed me to run RKill successfully (I did this in normal mode as with all the rest of the steps).

After going through the rest of the self-help guide things seemed to get better. TDSS Killer found nothing. Malwarebytes picked up the virus files (and Symantec End Point Protection picked up a handful more). But I'm still getting redirects and pop ups from Google searches on Internet Explorer. Also, after a complete scan with Symantec End Point Protection, I got a Boot.Tidserv warning for the MBR on Physical Drive 0. I tried TDSS Killer again but it still didn't pick anything up. Symantec said it was able to clean the file when I requested it.

I've followed the preparation steps up to the GMER scan but after running the scan, I got the blue screen of death and a forced reboot. I wasn't able to read the full screen of error message fast enough but after a reboot I received the Windows Error Notification. I've attached a screen shot. I tried the GMER scan a second time with identical results. DDS is showing a possible TDL4 rootkit.

Thanks in advance for your help with this.

Dylan

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Dylan at 14:35:22 on 2012-01-08
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.777 [GMT -5:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Norton Internet Worm Protection *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\Dylan\Application Data\Smilebox\SmileboxTray.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SmcGui.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\Ida\Ida.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Secunia\PSI\sua.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SescLU.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=64&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Ida] "c:\program files\ida\IdaLaunch.exe" -tray
uRun: [SmileboxTray] "c:\documents and settings\dylan\application data\smilebox\SmileboxTray.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /installquiet /nodetect
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167809783312
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect118.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://walmart.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{745EC2D8-4C2E-427A-9441-7645C2AA65A9} : DhcpNameServer = 192.168.1.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-3-30 108456]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-3-30 108456]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-10-14 994360]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-10-14 399416]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec client security\symantec antivirus\Rtvscan.exe [2011-5-11 1846592]
R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-6-6 61952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-11-8 106104]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20120107.009\NAVENG.SYS [2012-1-8 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20120107.009\NAVEX15.SYS [2012-1-8 1576312]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-6 135664]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-11-18 23888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-6 135664]
.
=============== Created Last 30 ================
.
2012-01-08 03:00:27 -------- d-----w- c:\windows\system32\Adobe
2012-01-08 00:26:42 -------- d-----w- c:\program files\Secunia
2012-01-07 19:43:18 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-01-07 19:43:14 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-07 19:43:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-24 15:45:55 -------- d-----w- c:\program files\iPod
2011-12-24 15:45:37 -------- d-----w- c:\program files\iTunes
2011-12-18 20:20:54 -------- d-----w- c:\documents and settings\dylan\application data\DDMSettings
.
==================== Find3M ====================
.
2012-01-06 17:21:16 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ------w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 18:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 18:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-20 23:26:22 94208 ----a-w- c:\windows\system32\dpl100.dll
2011-10-14 22:38:00 456192 ----a-w- c:\windows\system32\encdec.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x892D4FF0]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A6FAAB8]
3 CLASSPNP[0xF74E7FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A547238]
\Driver\00001687[0x8A54B880] -> IRP_MJ_CREATE -> 0x892D4FF0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x7a; }
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 14:36:56.67 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:01:22 PM

Posted 09 January 2012 - 10:47 AM

Hi Dylan!

Welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. :)

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days
    failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

It appears you're infected with an infection known as ZeroAccess.

ZeroAccess (Max++) Rootkit (aka: Sirefef) is a sophisticated rootkit that uses advanced technology to hide its presence in a system and can infect both x86 and x64 platforms. ZeroAccess is similar to the TDSS rootkit but has more self-protection mechanisms that can be used to disable anti-virus software resulting in "Access Denied" messages whenever you run a security application. For more specific information about this infection, please refer to:


NEXT:



Posted Image One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to appraise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



Running TDSSKiller

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    Posted Image
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

    Posted Image
  • Click the Start Scan button.

    Posted Image
  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    Posted Image
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure SKIP is selected, then click Continue => Reboot now to finish the cleaning process.

    Posted Image
  • Note: Do not choose Cure or Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.


NEXT:



Running OTL

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized


Please let me know how the above scans go.

Kindest Regards,
ST

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 Dylan Kerr

Dylan Kerr
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:12:22 PM

Posted 09 January 2012 - 08:15 PM

Thanks Agent ST, I appreciate your help on this. I'm aware of the security implications and I've already changed all my passwords from a clean computer. I'd like to try and clean this one, but I'd be interested in your thoughts as to how much I should trust this laptop once we're done.

Here are the results of the scans you asked me to run. It looks like TDSSKiller picked up the rootkit (but I skipped it as instructed).

19:14:33.0988 5292 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
19:14:34.0284 5292 ============================================================
19:14:34.0284 5292 Current date / time: 2012/01/09 19:14:34.0284
19:14:34.0284 5292 SystemInfo:
19:14:34.0284 5292
19:14:34.0284 5292 OS Version: 5.1.2600 ServicePack: 3.0
19:14:34.0284 5292 Product type: Workstation
19:14:34.0284 5292 ComputerName: DYLANLAPTOP
19:14:34.0284 5292 UserName: Dylan
19:14:34.0284 5292 Windows directory: C:\WINDOWS
19:14:34.0284 5292 System windows directory: C:\WINDOWS
19:14:34.0284 5292 Processor architecture: Intel x86
19:14:34.0284 5292 Number of processors: 2
19:14:34.0284 5292 Page size: 0x1000
19:14:34.0284 5292 Boot type: Normal boot
19:14:34.0284 5292 ============================================================
19:14:35.0238 5292 Initialize success
19:14:47.0066 5740 ============================================================
19:14:47.0066 5740 Scan started
19:14:47.0066 5740 Mode: Manual; SigCheck; TDLFS;
19:14:47.0066 5740 ============================================================
19:14:47.0441 5740 5U870CAP_VID_1262&PID_25FD (d2142fee659d97b2b05820f21594bfe2) C:\WINDOWS\system32\Drivers\5U870CAP.sys
19:14:49.0534 5740 5U870CAP_VID_1262&PID_25FD - ok
19:14:49.0644 5740 Abiosdsk - ok
19:14:49.0722 5740 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
19:14:51.0113 5740 abp480n5 - ok
19:14:51.0238 5740 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:14:51.0581 5740 ACPI - ok
19:14:51.0659 5740 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
19:14:51.0816 5740 ACPIEC - ok
19:14:51.0894 5740 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
19:14:52.0081 5740 adpu160m - ok
19:14:52.0159 5740 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
19:14:52.0316 5740 aec - ok
19:14:52.0425 5740 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
19:14:52.0503 5740 AFD - ok
19:14:52.0597 5740 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
19:14:52.0753 5740 agp440 - ok
19:14:52.0831 5740 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
19:14:53.0003 5740 agpCPQ - ok
19:14:53.0097 5740 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
19:14:53.0175 5740 Aha154x - ok
19:14:53.0284 5740 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
19:14:53.0456 5740 aic78u2 - ok
19:14:53.0581 5740 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
19:14:53.0738 5740 aic78xx - ok
19:14:53.0816 5740 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
19:14:53.0988 5740 AliIde - ok
19:14:54.0034 5740 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
19:14:54.0191 5740 alim1541 - ok
19:14:54.0206 5740 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
19:14:54.0363 5740 amdagp - ok
19:14:54.0441 5740 AmdK8 (0a4d13b388c814560bd69c3a496ecfa8) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
19:14:54.0503 5740 AmdK8 - ok
19:14:54.0581 5740 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
19:14:54.0659 5740 amsint - ok
19:14:54.0784 5740 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
19:14:54.0941 5740 Arp1394 - ok
19:14:54.0988 5740 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
19:14:55.0144 5740 asc - ok
19:14:55.0175 5740 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
19:14:55.0269 5740 asc3350p - ok
19:14:55.0300 5740 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
19:14:55.0456 5740 asc3550 - ok
19:14:55.0503 5740 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
19:14:55.0644 5740 AsyncMac - ok
19:14:55.0691 5740 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
19:14:55.0847 5740 atapi - ok
19:14:55.0909 5740 Atdisk - ok
19:14:55.0956 5740 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
19:14:56.0081 5740 Atmarpc - ok
19:14:56.0191 5740 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
19:14:56.0316 5740 audstub - ok
19:14:56.0425 5740 BCM43XX (c1813dfc127ab556f31b2dfc5517c4c7) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
19:14:56.0534 5740 BCM43XX - ok
19:14:56.0597 5740 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
19:14:56.0769 5740 Beep - ok
19:14:56.0894 5740 BTWUSB (4272bab9291d26da5ac913bc79c3ce85) C:\WINDOWS\system32\Drivers\btwusb.sys
19:14:56.0909 5740 BTWUSB ( UnsignedFile.Multi.Generic ) - warning
19:14:56.0909 5740 BTWUSB - detected UnsignedFile.Multi.Generic (1)
19:14:56.0988 5740 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
19:14:57.0159 5740 cbidf - ok
19:14:57.0206 5740 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
19:14:57.0378 5740 cbidf2k - ok
19:14:57.0441 5740 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
19:14:57.0581 5740 CCDECODE - ok
19:14:57.0644 5740 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
19:14:57.0706 5740 cd20xrnt - ok
19:14:57.0769 5740 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
19:14:57.0956 5740 Cdaudio - ok
19:14:58.0081 5740 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
19:14:58.0222 5740 Cdfs - ok
19:14:58.0284 5740 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
19:14:58.0425 5740 Cdrom - ok
19:14:58.0441 5740 Changer - ok
19:14:58.0519 5740 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
19:14:58.0675 5740 CmBatt - ok
19:14:58.0706 5740 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
19:14:58.0909 5740 CmdIde - ok
19:14:58.0988 5740 COH_Mon (86a22dff16e8ca67601044efe6825537) C:\WINDOWS\system32\Drivers\COH_Mon.sys
19:14:59.0003 5740 COH_Mon - ok
19:14:59.0066 5740 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
19:14:59.0222 5740 Compbatt - ok
19:14:59.0284 5740 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
19:14:59.0488 5740 Cpqarray - ok
19:14:59.0644 5740 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
19:14:59.0831 5740 dac2w2k - ok
19:14:59.0878 5740 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
19:15:00.0066 5740 dac960nt - ok
19:15:00.0159 5740 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
19:15:00.0284 5740 Disk - ok
19:15:00.0347 5740 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
19:15:00.0550 5740 dmboot - ok
19:15:00.0597 5740 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
19:15:00.0738 5740 dmio - ok
19:15:00.0753 5740 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
19:15:00.0941 5740 dmload - ok
19:15:01.0019 5740 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
19:15:01.0144 5740 DMusic - ok
19:15:01.0238 5740 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
19:15:01.0425 5740 dpti2o - ok
19:15:01.0488 5740 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
19:15:01.0628 5740 drmkaud - ok
19:15:01.0691 5740 eabusb (231f4547ae1e4b3e60eca66c3a96d218) C:\WINDOWS\system32\DRIVERS\eabusb.sys
19:15:01.0722 5740 eabusb - ok
19:15:01.0847 5740 eeCtrl (75e8b69f28c813675b16db357f20720f) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
19:15:01.0988 5740 eeCtrl - ok
19:15:02.0019 5740 EraserUtilRebootDrv (720b18d76de9e603b626dfcd6f1fca7c) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
19:15:02.0034 5740 EraserUtilRebootDrv - ok
19:15:02.0128 5740 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
19:15:02.0347 5740 Fastfat - ok
19:15:02.0394 5740 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
19:15:02.0534 5740 Fdc - ok
19:15:02.0597 5740 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
19:15:02.0738 5740 Fips - ok
19:15:02.0784 5740 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
19:15:02.0941 5740 Flpydisk - ok
19:15:02.0972 5740 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
19:15:03.0113 5740 FltMgr - ok
19:15:03.0206 5740 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
19:15:03.0378 5740 Fs_Rec - ok
19:15:03.0472 5740 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
19:15:03.0644 5740 Ftdisk - ok
19:15:03.0753 5740 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
19:15:03.0769 5740 GEARAspiWDM - ok
19:15:03.0800 5740 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
19:15:03.0941 5740 Gpc - ok
19:15:04.0034 5740 HBtnKey (de15777902a5d9121857d155873a1d1b) C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
19:15:04.0097 5740 HBtnKey - ok
19:15:04.0191 5740 HdAudAddService (2a6e9a118da2dd0439551a7eb3a8f65e) C:\WINDOWS\system32\drivers\CHDAud.sys
19:15:04.0347 5740 HdAudAddService - ok
19:15:04.0441 5740 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
19:15:04.0597 5740 HDAudBus - ok
19:15:04.0659 5740 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
19:15:04.0816 5740 HidUsb - ok
19:15:04.0878 5740 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
19:15:05.0050 5740 hpn - ok
19:15:05.0113 5740 HpqKbFiltr (35956140e686d53bf676cf0c778880fc) C:\WINDOWS\system32\DRIVERS\HpqKbFiltr.sys
19:15:05.0206 5740 HpqKbFiltr - ok
19:15:05.0269 5740 HSFHWAZL (8e60293c44e3f6f7f09defb60023a37d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
19:15:05.0331 5740 HSFHWAZL - ok
19:15:05.0409 5740 HSF_DPV (4c2aab15ad6229134f70e5c950e6185c) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
19:15:05.0503 5740 HSF_DPV - ok
19:15:05.0644 5740 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
19:15:05.0738 5740 HTTP - ok
19:15:05.0816 5740 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
19:15:06.0034 5740 i2omgmt - ok
19:15:06.0113 5740 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
19:15:06.0238 5740 i2omp - ok
19:15:06.0269 5740 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
19:15:06.0409 5740 i8042prt - ok
19:15:06.0519 5740 iaStor (309c4d86d989fb1fcf64bd30dc81c51b) C:\WINDOWS\system32\DRIVERS\iaStor.sys
19:15:06.0644 5740 iaStor ( UnsignedFile.Multi.Generic ) - warning
19:15:06.0644 5740 iaStor - detected UnsignedFile.Multi.Generic (1)
19:15:06.0738 5740 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
19:15:06.0878 5740 Imapi - ok
19:15:06.0972 5740 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
19:15:07.0144 5740 ini910u - ok
19:15:07.0222 5740 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
19:15:07.0363 5740 IntelIde - ok
19:15:07.0425 5740 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
19:15:07.0550 5740 Ip6Fw - ok
19:15:07.0597 5740 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
19:15:07.0769 5740 IpFilterDriver - ok
19:15:07.0831 5740 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
19:15:07.0956 5740 IpInIp - ok
19:15:08.0050 5740 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
19:15:08.0191 5740 IpNat - ok
19:15:08.0284 5740 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
19:15:08.0425 5740 IPSec - ok
19:15:08.0472 5740 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
19:15:08.0613 5740 IRENUM - ok
19:15:08.0644 5740 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
19:15:08.0784 5740 isapnp - ok
19:15:08.0863 5740 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
19:15:09.0003 5740 Kbdclass - ok
19:15:09.0034 5740 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
19:15:09.0144 5740 kbdhid - ok
19:15:09.0175 5740 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
19:15:09.0316 5740 kmixer - ok
19:15:09.0394 5740 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
19:15:09.0488 5740 KSecDD - ok
19:15:09.0566 5740 lbrtfdc - ok
19:15:09.0659 5740 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
19:15:09.0675 5740 mdmxsdk - ok
19:15:09.0722 5740 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
19:15:09.0738 5740 MHNDRV ( UnsignedFile.Multi.Generic ) - warning
19:15:09.0738 5740 MHNDRV - detected UnsignedFile.Multi.Generic (1)
19:15:09.0784 5740 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
19:15:09.0956 5740 mnmdd - ok
19:15:10.0019 5740 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
19:15:10.0159 5740 Modem - ok
19:15:10.0191 5740 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
19:15:10.0347 5740 Mouclass - ok
19:15:10.0409 5740 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
19:15:10.0581 5740 mouhid - ok
19:15:10.0659 5740 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
19:15:10.0816 5740 MountMgr - ok
19:15:10.0894 5740 MQAC (70c14f5cca5cf73f8a645c73a01d8726) C:\WINDOWS\system32\drivers\mqac.sys
19:15:11.0034 5740 MQAC - ok
19:15:11.0097 5740 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
19:15:11.0253 5740 mraid35x - ok
19:15:11.0316 5740 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
19:15:11.0456 5740 MRxDAV - ok
19:15:11.0519 5740 MRxSmb (223a6c7b8803e46f621e8945aaf8f013) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
19:15:11.0534 5740 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\mrxsmb.sys. Real md5: 223a6c7b8803e46f621e8945aaf8f013, Fake md5: 7d304a5eb4344ebeeab53a2fe3ffb9f0
19:15:11.0534 5740 MRxSmb ( Rootkit.Win32.ZAccess.aml ) - infected
19:15:11.0534 5740 MRxSmb - detected Rootkit.Win32.ZAccess.aml (0)
19:15:11.0550 5740 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
19:15:11.0706 5740 Msfs - ok
19:15:11.0769 5740 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
19:15:11.0909 5740 MSKSSRV - ok
19:15:11.0972 5740 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
19:15:12.0113 5740 MSPCLOCK - ok
19:15:12.0191 5740 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
19:15:12.0331 5740 MSPQM - ok
19:15:12.0425 5740 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
19:15:12.0581 5740 mssmbios - ok
19:15:12.0659 5740 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
19:15:12.0800 5740 MSTEE - ok
19:15:12.0909 5740 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
19:15:12.0941 5740 Mup - ok
19:15:13.0034 5740 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
19:15:13.0159 5740 NABTSFEC - ok
19:15:13.0347 5740 NAVENG (862f55824ac81295837b0ab63f91071f) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120107.009\NAVENG.SYS
19:15:13.0347 5740 NAVENG - ok
19:15:13.0425 5740 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120107.009\NAVEX15.SYS
19:15:13.0488 5740 NAVEX15 - ok
19:15:13.0613 5740 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
19:15:13.0769 5740 NDIS - ok
19:15:13.0816 5740 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
19:15:13.0972 5740 NdisIP - ok
19:15:14.0034 5740 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
19:15:14.0081 5740 NdisTapi - ok
19:15:14.0113 5740 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
19:15:14.0253 5740 Ndisuio - ok
19:15:14.0269 5740 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
19:15:14.0409 5740 NdisWan - ok
19:15:14.0472 5740 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
19:15:14.0503 5740 NDProxy - ok
19:15:14.0613 5740 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
19:15:14.0769 5740 NetBIOS - ok
19:15:14.0847 5740 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
19:15:15.0003 5740 NetBT - ok
19:15:15.0081 5740 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
19:15:15.0222 5740 NIC1394 - ok
19:15:15.0269 5740 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
19:15:15.0425 5740 Npfs - ok
19:15:15.0597 5740 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
19:15:15.0800 5740 Ntfs - ok
19:15:15.0894 5740 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
19:15:15.0894 5740 NuidFltr - ok
19:15:15.0972 5740 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
19:15:16.0159 5740 Null - ok
19:15:16.0394 5740 nv (bbb8ab2ffd7a79cd9d7751008e3de579) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
19:15:16.0706 5740 nv - ok
19:15:16.0800 5740 nvata (3ac5eedd35b7437d53960f3998bfa462) C:\WINDOWS\system32\DRIVERS\nvata.sys
19:15:16.0863 5740 nvata - ok
19:15:16.0941 5740 NVENETFD (22eedb34c4d7613a25b10c347c6c4c21) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
19:15:17.0003 5740 NVENETFD - ok
19:15:17.0113 5740 nvnetbus (5e3f6ad5cad0f12d3cccd06fd964087a) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
19:15:17.0175 5740 nvnetbus - ok
19:15:17.0253 5740 nvsmu (e0f76fab86fec98778047d0c7c39cbb9) C:\WINDOWS\system32\DRIVERS\nvsmu.sys
19:15:17.0316 5740 nvsmu - ok
19:15:17.0425 5740 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
19:15:17.0691 5740 NwlnkFlt - ok
19:15:17.0769 5740 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
19:15:17.0925 5740 NwlnkFwd - ok
19:15:18.0019 5740 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
19:15:18.0159 5740 ohci1394 - ok
19:15:18.0253 5740 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
19:15:18.0409 5740 Parport - ok
19:15:18.0472 5740 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
19:15:18.0628 5740 PartMgr - ok
19:15:18.0706 5740 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
19:15:18.0894 5740 ParVdm - ok
19:15:19.0019 5740 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
19:15:19.0159 5740 PCI - ok
19:15:19.0206 5740 PCIDump - ok
19:15:19.0253 5740 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
19:15:19.0394 5740 PCIIde - ok
19:15:19.0425 5740 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
19:15:19.0550 5740 Pcmcia - ok
19:15:19.0597 5740 PDCOMP - ok
19:15:19.0628 5740 PDFRAME - ok
19:15:19.0659 5740 PDRELI - ok
19:15:19.0691 5740 PDRFRAME - ok
19:15:19.0800 5740 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
19:15:19.0956 5740 perc2 - ok
19:15:20.0019 5740 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
19:15:20.0191 5740 perc2hib - ok
19:15:20.0300 5740 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
19:15:20.0425 5740 PptpMiniport - ok
19:15:20.0550 5740 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
19:15:20.0691 5740 PSched - ok
19:15:20.0769 5740 PSI (d24dfd16a1e2a76034df5aa18125c35d) C:\WINDOWS\system32\DRIVERS\psi_mf.sys
19:15:20.0769 5740 PSI - ok
19:15:20.0831 5740 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
19:15:21.0003 5740 Ptilink - ok
19:15:21.0050 5740 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
19:15:21.0066 5740 PxHelp20 - ok
19:15:21.0097 5740 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
19:15:21.0253 5740 ql1080 - ok
19:15:21.0284 5740 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
19:15:21.0441 5740 Ql10wnt - ok
19:15:21.0488 5740 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
19:15:21.0644 5740 ql12160 - ok
19:15:21.0675 5740 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
19:15:21.0831 5740 ql1240 - ok
19:15:21.0878 5740 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
19:15:22.0019 5740 ql1280 - ok
19:15:22.0253 5740 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
19:15:22.0425 5740 RasAcd - ok
19:15:23.0503 5740 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
19:15:23.0800 5740 Rasl2tp - ok
19:15:23.0863 5740 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
19:15:24.0003 5740 RasPppoe - ok
19:15:24.0081 5740 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
19:15:24.0253 5740 Raspti - ok
19:15:24.0300 5740 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
19:15:24.0425 5740 Rdbss - ok
19:15:24.0488 5740 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
19:15:24.0659 5740 RDPCDD - ok
19:15:24.0722 5740 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
19:15:24.0847 5740 rdpdr - ok
19:15:24.0988 5740 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
19:15:25.0019 5740 RDPWD - ok
19:15:25.0066 5740 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
19:15:25.0206 5740 redbook - ok
19:15:25.0253 5740 rimmptsk (7a6648b61661b1421ffab762e391e33f) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
19:15:25.0284 5740 rimmptsk - ok
19:15:25.0300 5740 rimsptsk (8f7012d1b6a71ee9c23ce93dcdbf9f4b) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
19:15:25.0347 5740 rimsptsk - ok
19:15:25.0394 5740 rismxdp (3ac17802740c3a4764dc9750e92e6233) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
19:15:25.0441 5740 rismxdp - ok
19:15:25.0566 5740 RMCAST (96f7a9a7bf0c9c0440a967440065d33c) C:\WINDOWS\system32\drivers\RMCast.sys
19:15:25.0597 5740 RMCAST - ok
19:15:25.0691 5740 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
19:15:25.0753 5740 rtl8139 - ok
19:15:25.0894 5740 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
19:15:26.0113 5740 sdbus - ok
19:15:26.0222 5740 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
19:15:26.0363 5740 Secdrv - ok
19:15:26.0456 5740 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
19:15:26.0581 5740 Serial - ok
19:15:26.0706 5740 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
19:15:26.0847 5740 sffdisk - ok
19:15:26.0941 5740 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
19:15:27.0066 5740 sffp_sd - ok
19:15:27.0128 5740 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
19:15:27.0269 5740 Sfloppy - ok
19:15:27.0284 5740 Simbad - ok
19:15:27.0316 5740 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
19:15:27.0441 5740 sisagp - ok
19:15:27.0472 5740 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
19:15:27.0597 5740 SLIP - ok
19:15:27.0659 5740 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
19:15:27.0722 5740 Sparrow - ok
19:15:27.0847 5740 SPBBCDrv (e87cf104f12c92401c4d33c50a3d5dc8) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
19:15:27.0878 5740 SPBBCDrv - ok
19:15:27.0988 5740 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
19:15:28.0144 5740 splitter - ok
19:15:28.0222 5740 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
19:15:28.0378 5740 sr - ok
19:15:28.0441 5740 SRTSP (14389e87d0d2e25b12bf2cc74cfaee07) C:\WINDOWS\system32\Drivers\SRTSP.SYS
19:15:28.0456 5740 SRTSP - ok
19:15:28.0613 5740 SRTSPL (aed0f68c185fe698a21cefcd76f0b8a4) C:\WINDOWS\system32\Drivers\SRTSPL.SYS
19:15:28.0644 5740 SRTSPL - ok
19:15:28.0691 5740 SRTSPX (0e2ca6326726477fe29863808bbad413) C:\WINDOWS\system32\Drivers\SRTSPX.SYS
19:15:28.0706 5740 SRTSPX - ok
19:15:28.0800 5740 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
19:15:28.0863 5740 Srv - ok
19:15:28.0956 5740 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
19:15:29.0175 5740 streamip - ok
19:15:29.0238 5740 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
19:15:29.0378 5740 swenum - ok
19:15:29.0456 5740 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
19:15:29.0597 5740 swmidi - ok
19:15:29.0706 5740 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
19:15:29.0894 5740 symc810 - ok
19:15:30.0003 5740 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
19:15:30.0238 5740 symc8xx - ok
19:15:30.0331 5740 SymEvent (ab33c3b196197ca467cbdda717860dba) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
19:15:30.0347 5740 SymEvent - ok
19:15:30.0597 5740 SYMREDRV (394b2368212114d538316812af60fddd) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
19:15:30.0613 5740 SYMREDRV - ok
19:15:30.0738 5740 SYMTDI (d46676bb414c7531bdffe637a33f5033) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
19:15:30.0753 5740 SYMTDI - ok
19:15:30.0925 5740 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
19:15:31.0269 5740 sym_hi - ok
19:15:31.0378 5740 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
19:15:31.0566 5740 sym_u3 - ok
19:15:31.0628 5740 SynTP (369d0626687a968182a9db40fe8a0905) C:\WINDOWS\system32\DRIVERS\SynTP.sys
19:15:31.0753 5740 SynTP - ok
19:15:31.0831 5740 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
19:15:31.0972 5740 sysaudio - ok
19:15:32.0253 5740 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
19:15:32.0363 5740 Tcpip - ok
19:15:32.0472 5740 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
19:15:32.0597 5740 TDPIPE - ok
19:15:32.0769 5740 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
19:15:32.0925 5740 TDTCP - ok
19:15:32.0956 5740 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
19:15:33.0097 5740 TermDD - ok
19:15:33.0206 5740 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
19:15:33.0378 5740 TosIde - ok
19:15:33.0472 5740 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
19:15:33.0628 5740 Udfs - ok
19:15:33.0675 5740 UIUSys - ok
19:15:33.0738 5740 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
19:15:33.0816 5740 ultra - ok
19:15:33.0878 5740 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
19:15:34.0034 5740 Update - ok
19:15:34.0144 5740 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
19:15:34.0206 5740 USBAAPL - ok
19:15:34.0300 5740 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
19:15:34.0441 5740 usbccgp - ok
19:15:34.0550 5740 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
19:15:34.0691 5740 usbehci - ok
19:15:34.0769 5740 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
19:15:34.0925 5740 usbhub - ok
19:15:34.0956 5740 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
19:15:35.0097 5740 usbohci - ok
19:15:35.0175 5740 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
19:15:35.0300 5740 usbprint - ok
19:15:35.0363 5740 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
19:15:35.0488 5740 usbscan - ok
19:15:35.0597 5740 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:15:35.0738 5740 USBSTOR - ok
19:15:35.0831 5740 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
19:15:35.0956 5740 usbuhci - ok
19:15:35.0988 5740 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
19:15:36.0113 5740 VgaSave - ok
19:15:36.0253 5740 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
19:15:36.0394 5740 viaagp - ok
19:15:36.0503 5740 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
19:15:36.0659 5740 ViaIde - ok
19:15:36.0706 5740 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
19:15:36.0847 5740 VolSnap - ok
19:15:36.0909 5740 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
19:15:37.0034 5740 Wanarp - ok
19:15:37.0159 5740 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
19:15:37.0175 5740 Wdf01000 - ok
19:15:37.0238 5740 WDICA - ok
19:15:37.0284 5740 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
19:15:37.0425 5740 wdmaud - ok
19:15:37.0566 5740 winachsf (e17d31cd52dcb7745ac5330eea062d0b) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
19:15:37.0675 5740 winachsf - ok
19:15:37.0784 5740 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
19:15:37.0925 5740 WmiAcpi - ok
19:15:37.0988 5740 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
19:15:38.0113 5740 WSTCODEC - ok
19:15:38.0253 5740 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
19:15:38.0300 5740 WudfPf - ok
19:15:38.0394 5740 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
19:15:38.0456 5740 WudfRd - ok
19:15:38.0503 5740 MBR (0x1B8) (665277635dc8ba83deae12eadedb75a0) \Device\Harddisk0\DR0
19:15:38.0644 5740 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
19:15:38.0644 5740 \Device\Harddisk0\DR0 - detected TDSS File System (1)
19:15:38.0644 5740 Boot (0x1200) (f00a0205a162e7fda7551688e8023736) \Device\Harddisk0\DR0\Partition0
19:15:38.0644 5740 \Device\Harddisk0\DR0\Partition0 - ok
19:15:38.0675 5740 Boot (0x1200) (f18c045a0c9f8c65b42ae3543ca8d66b) \Device\Harddisk0\DR0\Partition1
19:15:38.0675 5740 \Device\Harddisk0\DR0\Partition1 - ok
19:15:38.0675 5740 ============================================================
19:15:38.0675 5740 Scan finished
19:15:38.0675 5740 ============================================================
19:15:38.0816 5732 Detected object count: 5
19:15:38.0816 5732 Actual detected object count: 5
19:16:05.0159 5732 BTWUSB ( UnsignedFile.Multi.Generic ) - skipped by user
19:16:05.0159 5732 BTWUSB ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:16:05.0159 5732 iaStor ( UnsignedFile.Multi.Generic ) - skipped by user
19:16:05.0159 5732 iaStor ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:16:05.0159 5732 MHNDRV ( UnsignedFile.Multi.Generic ) - skipped by user
19:16:05.0159 5732 MHNDRV ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:16:05.0175 5732 MRxSmb ( Rootkit.Win32.ZAccess.aml ) - skipped by user
19:16:05.0175 5732 MRxSmb ( Rootkit.Win32.ZAccess.aml ) - User select action: Skip
19:16:05.0175 5732 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
19:16:05.0175 5732 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
19:16:17.0238 4580 Deinitialize success

OTL logfile created on: 09/01/2012 7:23:19 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Dylan\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

1.94 Gb Total Physical Memory | 0.71 Gb Available Physical Memory | 36.90% Memory free
3.78 Gb Paging File | 2.76 Gb Available in Paging File | 72.98% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 99.69 Gb Total Space | 51.30 Gb Free Space | 51.46% Space Free | Partition Type: NTFS
Drive D: | 11.06 Gb Total Space | 1.09 Gb Free Space | 9.86% Space Free | Partition Type: FAT32

Computer Name: DYLANLAPTOP | User Name: Dylan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/09 19:20:58 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dylan\Desktop\OTL.exe
PRC - [2011/12/01 12:43:04 | 000,313,160 | ---- | M] (Smilebox, Inc.) -- C:\Documents and Settings\Dylan\Application Data\Smilebox\SmileboxTray.exe
PRC - [2011/10/14 01:01:48 | 000,399,416 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\sua.exe
PRC - [2011/10/14 01:01:46 | 000,291,896 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psi_tray.exe
PRC - [2011/09/01 14:43:34 | 000,168,168 | ---- | M] (Queen's University - ITServices) -- C:\Program Files\Ida\Ida.exe
PRC - [2011/07/28 18:08:12 | 001,259,376 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2011/05/11 08:14:32 | 001,846,592 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
PRC - [2011/04/27 22:11:42 | 001,897,960 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\Smc.exe
PRC - [2011/04/27 22:09:02 | 001,471,904 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\SmcGui.exe
PRC - [2011/03/30 19:14:10 | 000,115,624 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2011/03/30 19:13:48 | 000,108,456 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/12/23 23:44:26 | 000,491,606 | ---- | M] () -- C:\Program Files\HPQ\Shared\HpqToaster.exe
PRC - [2005/09/24 10:42:32 | 000,475,136 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe


========== Modules (No Company Name) ==========

MOD - [2012/01/06 10:29:33 | 011,817,472 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\62e34cfb5a8b233667c7c5a47a32ad93\System.Web.ni.dll
MOD - [2012/01/06 10:28:52 | 001,712,128 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\a86c12788293105a0d9fda1bc90c90bc\Microsoft.VisualBasic.ni.dll
MOD - [2012/01/06 10:07:34 | 003,391,488 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_dfc14946\mscorlib.dll
MOD - [2012/01/06 10:07:32 | 000,835,584 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.drawing\1.0.5000.0__b03f5f7f11d50a3a_3b0e2576\system.drawing.dll
MOD - [2012/01/06 10:07:23 | 002,088,960 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.xml\1.0.5000.0__b77a5c561934e089_2bf71463\system.xml.dll
MOD - [2012/01/06 10:07:16 | 003,035,136 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.windows.forms\1.0.5000.0__b77a5c561934e089_212e87a2\system.windows.forms.dll
MOD - [2012/01/06 10:06:55 | 001,966,080 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system\1.0.5000.0__b77a5c561934e089_f6c65a8c\system.dll
MOD - [2012/01/06 10:06:19 | 001,232,896 | ---- | M] () -- c:\windows\assembly\gac\system\1.0.5000.0__b77a5c561934e089\system.dll
MOD - [2012/01/06 10:06:16 | 002,064,384 | ---- | M] () -- c:\windows\assembly\gac\system.windows.forms\1.0.5000.0__b77a5c561934e089\system.windows.forms.dll
MOD - [2012/01/06 09:56:12 | 000,303,104 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
MOD - [2011/10/13 11:22:34 | 000,998,400 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management\90b90e700e59d73d6d692cf74e1ba16e\System.Management.ni.dll
MOD - [2011/10/13 11:19:26 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\bce0720436dc6cb76006377f295ea365\System.Configuration.ni.dll
MOD - [2011/10/13 10:57:02 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\70cacc44f0b4257f6037eda7a59a0aeb\System.Xml.ni.dll
MOD - [2011/10/13 10:56:34 | 012,430,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\71a2ae9ad561a62181cbd9fb11e9de7a\System.Windows.Forms.ni.dll
MOD - [2011/10/13 10:55:46 | 001,587,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\c10bea3c4bb7ef654651141bf9419090\System.Drawing.ni.dll
MOD - [2011/10/13 10:50:29 | 007,950,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\af39f6e644af02873b9bae319f2bfb13\System.ni.dll
MOD - [2011/10/13 10:49:28 | 011,490,816 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll
MOD - [2011/07/28 18:09:42 | 000,096,112 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll
MOD - [2011/07/28 18:08:12 | 001,259,376 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
MOD - [2011/06/24 21:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/06/24 21:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/02/04 17:48:30 | 000,291,840 | ---- | M] () -- C:\WINDOWS\system32\sbe.dll
MOD - [2010/02/05 13:27:45 | 001,291,776 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
MOD - [2008/06/20 11:02:47 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2008/06/20 11:02:47 | 000,245,248 | ---- | M] () -- \\.\globalroot\systemroot\system32\mswsock.dll
MOD - [2008/04/13 19:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/13 19:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2006/07/11 21:55:04 | 000,172,032 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\common\CLDataSync.dll
MOD - [2006/06/29 13:47:56 | 000,774,144 | ---- | M] () -- c:\windows\assembly\gac\hpqbakup\3.0.0.0__a53cf5803f4c3827\hpqbakup.dll
MOD - [2006/06/29 13:47:56 | 000,069,632 | ---- | M] () -- c:\windows\assembly\gac\hpqisrtb\4.0.0.0__a53cf5803f4c3827\hpqisrtb.dll
MOD - [2006/06/29 13:47:48 | 001,044,480 | ---- | M] () -- c:\windows\assembly\gac\hpqedit\3.0.0.0__a53cf5803f4c3827\hpqedit.dll
MOD - [2006/06/29 13:47:44 | 000,163,840 | ---- | M] () -- c:\windows\assembly\gac\hpqvideo\3.0.0.0__a53cf5803f4c3827\hpqvideo.dll
MOD - [2006/06/29 13:47:44 | 000,065,536 | ---- | M] () -- c:\windows\assembly\gac\hpqmdmr\4.0.0.0__a53cf5803f4c3827\hpqmdmr.dll
MOD - [2006/06/29 13:47:44 | 000,057,344 | ---- | M] () -- c:\windows\assembly\gac\hpqprrsc\4.0.0.0__a53cf5803f4c3827\hpqprrsc.dll
MOD - [2006/06/29 13:47:44 | 000,053,248 | ---- | M] () -- c:\windows\assembly\gac\hpqovskn\3.0.0.0__a53cf5803f4c3827\hpqovskn.dll
MOD - [2006/06/29 13:47:40 | 000,512,000 | ---- | M] () -- c:\windows\assembly\gac\hpqimvlt\3.0.0.0__a53cf5803f4c3827\hpqimvlt.dll
MOD - [2006/06/29 13:47:40 | 000,430,080 | ---- | M] () -- c:\windows\assembly\gac\lead.wrapper\13.0.0.113__9cf889f53ea9b907\lead.wrapper.dll
MOD - [2006/06/29 13:47:40 | 000,192,512 | ---- | M] () -- c:\windows\assembly\gac\hpqimgrc\4.0.0.0__a53cf5803f4c3827\hpqimgrc.dll
MOD - [2006/06/29 13:47:40 | 000,090,112 | ---- | M] () -- c:\windows\assembly\gac\lead.drawing.imaging.imageprocessing\13.0.0.113__9cf889f53ea9b907\lead.drawing.imaging.imageprocessing.dll
MOD - [2006/06/29 13:47:40 | 000,086,016 | ---- | M] () -- c:\windows\assembly\gac\lead.drawing\13.0.0.113__9cf889f53ea9b907\lead.drawing.dll
MOD - [2006/06/29 13:47:40 | 000,081,920 | ---- | M] () -- c:\windows\assembly\gac\lead.drawing.imaging.codecs\13.0.0.113__9cf889f53ea9b907\lead.drawing.imaging.codecs.dll
MOD - [2006/06/29 13:47:40 | 000,077,824 | ---- | M] () -- c:\windows\assembly\gac\lead\13.0.0.113__9cf889f53ea9b907\lead.dll
MOD - [2006/06/29 13:47:40 | 000,069,632 | ---- | M] () -- c:\windows\assembly\gac\lead.windows.forms.drawingcontainer\13.0.0.113__9cf889f53ea9b907\lead.windows.forms.drawingcontainer.dll
MOD - [2006/06/29 13:47:40 | 000,069,632 | ---- | M] () -- c:\windows\assembly\gac\hpqntrop\4.0.0.0__a53cf5803f4c3827\hpqntrop.dll
MOD - [2006/06/29 13:47:40 | 000,040,960 | ---- | M] () -- c:\windows\assembly\gac\lead.windows.forms\13.0.0.113__9cf889f53ea9b907\lead.windows.forms.dll
MOD - [2006/06/29 13:47:40 | 000,036,864 | ---- | M] () -- c:\windows\assembly\gac\interop.hpqcxm08\3.0.0.0__a53cf5803f4c3827\interop.hpqcxm08.dll
MOD - [2006/06/29 13:47:40 | 000,014,848 | ---- | M] () -- c:\windows\assembly\gac\interop.hpqvideo\4.0.0.0__a53cf5803f4c3827\interop.hpqvideo.dll
MOD - [2006/06/29 13:47:40 | 000,010,240 | ---- | M] () -- c:\windows\assembly\gac\interop.hpqimgr\4.0.0.0__a53cf5803f4c3827\interop.hpqimgr.dll
MOD - [2006/06/29 13:47:40 | 000,004,096 | ---- | M] () -- c:\windows\assembly\gac\interop.hprblog\3.0.0.0__a53cf5803f4c3827\interop.hprblog.dll
MOD - [2006/06/29 13:47:38 | 000,589,824 | ---- | M] () -- c:\windows\assembly\gac\hpqcc2\3.0.0.0__a53cf5803f4c3827\hpqcc2.dll
MOD - [2006/06/29 13:47:38 | 000,385,024 | ---- | M] () -- c:\windows\assembly\gac\hpqcprsc\3.0.0.0__a53cf5803f4c3827\hpqcprsc.dll
MOD - [2006/06/29 13:47:38 | 000,368,640 | ---- | M] () -- c:\windows\assembly\gac\hpqtray\4.0.0.0__a53cf5803f4c3827\hpqtray.dll
MOD - [2006/06/29 13:47:38 | 000,225,280 | ---- | M] () -- c:\windows\assembly\gac\hpqutils\4.0.0.0__a53cf5803f4c3827\hpqutils.dll
MOD - [2006/06/29 13:47:38 | 000,073,728 | ---- | M] () -- c:\windows\assembly\gac\hpqthumb\3.0.0.0__a53cf5803f4c3827\hpqthumb.dll
MOD - [2006/06/29 13:47:38 | 000,069,632 | ---- | M] () -- c:\windows\assembly\gac\hpqglutl\4.0.0.0__a53cf5803f4c3827\hpqglutl.dll
MOD - [2006/06/29 13:47:38 | 000,057,344 | ---- | M] () -- c:\windows\assembly\gac\hpqimlib\3.0.0.0__a53cf5803f4c3827\hpqimlib.dll
MOD - [2006/06/29 13:47:38 | 000,036,864 | ---- | M] () -- c:\windows\assembly\gac\hpqfmrsc\4.0.0.0__a53cf5803f4c3827\hpqfmrsc.dll
MOD - [2006/06/29 13:47:38 | 000,024,576 | ---- | M] () -- c:\windows\assembly\gac\hpqasset\4.0.0.0__a53cf5803f4c3827\hpqasset.dll
MOD - [2006/06/29 13:47:38 | 000,020,480 | ---- | M] () -- c:\windows\assembly\gac\hpqiface\4.0.0.0__a53cf5803f4c3827\hpqiface.dll
MOD - [2006/06/29 13:22:38 | 001,339,392 | ---- | M] () -- c:\windows\assembly\gac\system.xml\1.0.5000.0__b77a5c561934e089\system.xml.dll
MOD - [2006/06/29 13:22:36 | 000,466,944 | ---- | M] () -- c:\windows\assembly\gac\system.drawing\1.0.5000.0__b03f5f7f11d50a3a\system.drawing.dll
MOD - [2006/06/29 13:20:32 | 000,007,680 | ---- | M] () -- c:\windows\assembly\gac\accessibility\1.0.5000.0__b03f5f7f11d50a3a\accessibility.dll
MOD - [2005/12/23 23:44:26 | 000,491,606 | ---- | M] () -- C:\Program Files\HPQ\Shared\HpqToaster.exe


========== Win32 Services (SafeList) ==========

SRV - [2011/10/14 01:01:50 | 000,994,360 | ---- | M] (Secunia) [Auto | Stopped] -- C:\Program Files\Secunia\PSI\PSIA.exe -- (Secunia PSI Agent)
SRV - [2011/10/14 01:01:48 | 000,399,416 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\sua.exe -- (Secunia Update Agent)
SRV - [2011/05/11 08:14:32 | 001,846,592 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2011/04/27 22:11:42 | 001,897,960 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\Smc.exe -- (SmcService)
SRV - [2011/04/21 15:07:30 | 000,357,808 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\SNAC.EXE -- (SNAC)
SRV - [2011/03/30 19:13:48 | 000,108,456 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2011/03/30 19:13:48 | 000,108,456 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2011/02/07 17:40:08 | 003,093,944 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2006/06/12 15:27:28 | 000,126,976 | ---- | M] (Hewlett-Packard Development Company, L.P.) [On_Demand | Stopped] -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe -- (AddFiltr)


========== Driver Services (SafeList) ==========

DRV - [2011/12/14 11:35:34 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120109.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/12/14 11:35:34 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120109.002\NAVENG.SYS -- (NAVENG)
DRV - [2011/11/08 04:00:00 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/11/08 04:00:00 | 000,106,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/09/08 15:23:26 | 000,126,584 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/03/08 16:44:32 | 000,321,016 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2011/03/08 16:44:32 | 000,287,352 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2011/03/08 16:44:32 | 000,043,768 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2010/09/01 03:30:58 | 000,015,544 | ---- | M] (Secunia) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psi_mf.sys -- (PSI)
DRV - [2009/12/18 14:42:12 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2009/09/03 15:03:48 | 000,188,080 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2009/09/03 15:03:48 | 000,026,416 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2008/11/18 17:17:08 | 000,023,888 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\COH_Mon.sys -- (COH_Mon)
DRV - [2008/05/08 09:02:52 | 000,203,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rmcast.sys -- (RMCAST)
DRV - [2008/04/13 13:39:44 | 000,092,544 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mqac.sys -- (MQAC)
DRV - [2007/09/28 10:00:52 | 000,822,272 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2007/06/18 16:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2006/08/29 14:12:28 | 000,990,592 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/08/29 14:11:08 | 000,208,384 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2006/08/29 14:10:56 | 000,728,576 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2006/06/28 09:54:00 | 000,009,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2006/06/19 07:37:34 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2006/06/06 15:39:56 | 000,061,952 | ---- | M] (Ricoh) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\5U870CAP.sys -- (5U870CAP_VID_1262&PID_25FD)
DRV - [2006/06/01 19:02:36 | 000,572,928 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CHDAud.sys -- (HdAudAddService)
DRV - [2006/05/12 15:05:02 | 000,057,320 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2006/03/05 18:49:36 | 000,011,136 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2006/03/02 19:31:04 | 000,013,056 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/03/02 19:31:02 | 000,034,176 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2006/01/26 19:04:16 | 000,099,584 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2005/11/15 23:28:32 | 000,028,928 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2005/10/31 21:08:00 | 000,308,992 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2005/10/31 20:54:50 | 000,051,584 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2005/09/19 16:24:20 | 000,005,760 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EabUsb.sys -- (eabusb)
DRV - [2004/08/04 01:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2183553110-4156872711-1521865910-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKU\S-1-5-21-2183553110-4156872711-1521865910-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-2183553110-4156872711-1521865910-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-2183553110-4156872711-1521865910-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-2183553110-4156872711-1521865910-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
IE - HKU\S-1-5-21-2183553110-4156872711-1521865910-1005\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-2183553110-4156872711-1521865910-1005\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found
IE - HKU\S-1-5-21-2183553110-4156872711-1521865910-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2183553110-4156872711-1521865910-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2011/12/18 15:18:38 | 000,000,000 | ---D | M]


========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\15.0.874.121\pdf.dll
CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Program Files\Google\Chrome\Application\15.0.874.121\gears.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\15.0.874.121\gcswf32.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.220.4 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U22 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: DivX Web Player (Enabled) = C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.51204.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: DivX Plus Web Player HTML5 \u003Cvideo\u003E = C:\Documents and Settings\Dylan\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nneajnkjbffgblleaoojgaacokifdkhm\2.1.2.145_0\

Hosts file not found
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll (Google Inc.)
O3 - HKU\S-1-5-21-2183553110-4156872711-1521865910-1005\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S-1-5-21-2183553110-4156872711-1521865910-1005\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\CHDAudPropShortcut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [MsmqIntCert] C:\WINDOWS\System32\mqrt.dll (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [RecGuard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKU\S-1-5-21-2183553110-4156872711-1521865910-1005..\Run: [Ida] C:\Program Files\Ida\IdaLaunch.exe (Queen's University - ITServices)
O4 - HKU\S-1-5-21-2183553110-4156872711-1521865910-1005..\Run: [SmileboxTray] C:\Documents and Settings\Dylan\Application Data\Smilebox\SmileboxTray.exe (Smilebox, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\StartUp\HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Development Company, L.P.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\StartUp\Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2183553110-4156872711-1521865910-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2183553110-4156872711-1521865910-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 File not found
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe ()
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB (Hewlett-Packard Online Support Services)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} http://upload.facebook.com/controls/FacebookPhotoUploader.cab (Facebook Photo Uploader Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167809783312 (MUWebControl Class)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect118.cab (GMNRev Class)
O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} http://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab (Photo Upload Plugin Class)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://www.popcap.com/webgames/popcaploader_v10.cab (PopCapLoader Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} http://walmart.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab? (Photo Upload Plugin Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{745EC2D8-4C2E-427A-9441-7645C2AA65A9}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\WINDOWS\Fractal Blue.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Fractal Blue.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2001/07/27 22:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2004/04/30 14:01:14 | 000,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/09 19:21:08 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dylan\Desktop\OTL.exe
[2012/01/09 19:12:53 | 001,578,288 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Dylan\Desktop\tdsskiller.exe
[2012/01/08 14:43:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dylan\Desktop\gmer
[2012/01/08 14:35:22 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Dylan\Start Menu\Programs\Administrative Tools
[2012/01/08 14:34:05 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Dylan\Desktop\dds.scr
[2012/01/08 09:47:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ACD Systems
[2012/01/07 22:00:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2012/01/07 19:26:42 | 000,000,000 | ---D | C] -- C:\Program Files\Secunia
[2012/01/07 14:43:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/01/07 14:43:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/01/07 14:43:14 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/01/07 14:43:14 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/01/07 13:10:44 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Dylan\Recent
[2012/01/07 13:03:27 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2012/01/07 11:00:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/01/07 11:00:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/01/06 10:04:39 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/12/24 10:47:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2011/12/24 10:45:55 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/12/24 10:45:37 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2011/12/18 15:20:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dylan\Application Data\DDMSettings
[4 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[173 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/01/09 19:47:54 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/01/09 19:20:58 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dylan\Desktop\OTL.exe
[2012/01/09 19:13:06 | 001,578,288 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Dylan\Desktop\tdsskiller.exe
[2012/01/09 19:07:53 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/09 19:07:48 | 000,001,116 | ---- | M] () -- C:\hpqp.ini
[2012/01/09 19:06:24 | 000,051,048 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2012/01/09 19:06:22 | 000,000,039 | ---- | M] () -- C:\XP_TV.ini
[2012/01/09 19:05:36 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/01/09 19:05:04 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/01/09 19:04:57 | 2078,912,512 | -HS- | M] () -- C:\hiberfil.sys
[2012/01/08 20:58:03 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/01/08 15:06:12 | 000,070,323 | ---- | M] () -- C:\Documents and Settings\Dylan\Desktop\Error Report.JPG
[2012/01/08 14:40:36 | 000,294,216 | ---- | M] () -- C:\Documents and Settings\Dylan\Desktop\gmer.zip
[2012/01/08 14:34:10 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Dylan\Desktop\dds.scr
[2012/01/08 14:33:10 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Dylan\defogger_reenable
[2012/01/08 14:32:18 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Dylan\Desktop\Defogger.exe
[2012/01/08 13:59:45 | 000,217,600 | ---- | M] () -- C:\Documents and Settings\Dylan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/01/07 19:26:48 | 000,000,753 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
[2012/01/07 14:44:56 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/07 14:35:21 | 000,000,440 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1tlPPGvQYRhtne
[2012/01/07 14:32:11 | 000,013,240 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\72suu04twa0013kyrok73pnaar3ju26llf3a82t1e26otd
[2012/01/07 14:28:20 | 000,000,296 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~1tlPPGvQYRhtne
[2012/01/07 14:28:20 | 000,000,200 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~1tlPPGvQYRhtner
[2012/01/07 12:13:55 | 000,000,448 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\LPk4BCcWTFTckJ
[2012/01/07 12:12:47 | 000,000,296 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~LPk4BCcWTFTckJ
[2012/01/07 12:12:47 | 000,000,200 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~LPk4BCcWTFTckJr
[2012/01/07 10:11:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/01/06 12:21:16 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/01/06 10:02:04 | 000,455,802 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/01/06 10:02:04 | 000,075,750 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/12/24 10:47:18 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/12/18 15:18:53 | 000,001,757 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DivX Plus Converter.lnk
[2011/12/18 15:18:52 | 000,001,485 | ---- | M] () -- C:\Documents and Settings\Dylan\Desktop\DivX Movies.lnk
[2011/12/18 15:17:50 | 000,000,777 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DivX Plus Player.lnk
[2011/12/16 08:28:34 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Dylan\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2011/12/16 03:32:42 | 000,271,784 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/12/16 03:14:12 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[4 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[173 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/01/08 15:06:12 | 000,070,323 | ---- | C] () -- C:\Documents and Settings\Dylan\Desktop\Error Report.JPG
[2012/01/08 14:40:33 | 000,294,216 | ---- | C] () -- C:\Documents and Settings\Dylan\Desktop\gmer.zip
[2012/01/08 14:33:10 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Dylan\defogger_reenable
[2012/01/08 14:32:18 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Dylan\Desktop\Defogger.exe
[2012/01/08 09:47:35 | 000,002,265 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2012/01/08 09:47:35 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2012/01/08 09:47:35 | 000,001,893 | ---- | C] () -- C:\Documents and Settings\Dylan\Application Data\Microsoft\Internet Explorer\Quick Launch\Smilebox.lnk
[2012/01/08 09:47:35 | 000,001,830 | ---- | C] () -- C:\Documents and Settings\Dylan\Application Data\Microsoft\Internet Explorer\Quick Launch\SitNGo Wizard.lnk
[2012/01/08 09:47:35 | 000,001,827 | ---- | C] () -- C:\Documents and Settings\Dylan\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Live Messenger .lnk
[2012/01/08 09:47:35 | 000,001,757 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DivX Plus Converter.lnk
[2012/01/08 09:47:35 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2012/01/08 09:47:35 | 000,001,668 | ---- | C] () -- C:\Documents and Settings\Dylan\Application Data\Microsoft\Internet Explorer\Quick Launch\PartyPoker.lnk
[2012/01/08 09:47:35 | 000,001,576 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickPlay.lnk
[2012/01/08 09:47:35 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/01/08 09:47:35 | 000,001,478 | ---- | C] () -- C:\Documents and Settings\Dylan\Application Data\Microsoft\Internet Explorer\Quick Launch\Media Center.lnk
[2012/01/08 09:47:35 | 000,001,460 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Media Center.lnk
[2012/01/08 09:47:35 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\Dylan\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/01/08 09:47:35 | 000,000,800 | ---- | C] () -- C:\Documents and Settings\Dylan\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/01/08 09:47:35 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\Dylan\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2012/01/08 09:47:35 | 000,000,777 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DivX Plus Player.lnk
[2012/01/08 09:47:35 | 000,000,754 | ---- | C] () -- C:\Documents and Settings\Dylan\Application Data\Microsoft\Internet Explorer\Quick Launch\PokerStars.LNK
[2012/01/08 09:47:35 | 000,000,736 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PokerStars.LNK
[2012/01/08 09:47:35 | 000,000,630 | ---- | C] () -- C:\Documents and Settings\Dylan\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
[2012/01/08 09:47:35 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\Dylan\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2012/01/08 09:47:34 | 000,000,798 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
[2012/01/08 09:47:28 | 000,002,347 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2012/01/08 09:47:28 | 000,001,830 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Apple Software Update.lnk
[2012/01/08 09:47:28 | 000,001,656 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Install Clean Up.lnk
[2012/01/08 09:47:28 | 000,001,582 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickPlay.lnk
[2012/01/08 09:47:28 | 000,001,466 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Media Center.lnk
[2012/01/08 09:47:28 | 000,001,407 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\HP Pavilion Webcam Demo.lnk
[2012/01/08 09:47:28 | 000,001,011 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Media Connect.lnk
[2012/01/08 09:47:28 | 000,001,004 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Money 2006.lnk
[2012/01/08 09:47:28 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Acrobat.com.lnk
[2012/01/08 09:47:28 | 000,000,690 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Movie Maker.lnk
[2012/01/08 09:47:28 | 000,000,609 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Messenger.lnk
[2012/01/07 19:26:48 | 000,000,753 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
[2012/01/07 19:26:48 | 000,000,716 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Secunia PSI.lnk
[2012/01/07 14:44:56 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/07 14:28:20 | 000,000,200 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~1tlPPGvQYRhtner
[2012/01/07 14:28:19 | 000,000,296 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~1tlPPGvQYRhtne
[2012/01/07 14:28:18 | 000,000,440 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1tlPPGvQYRhtne
[2012/01/07 13:38:57 | 2078,912,512 | -HS- | C] () -- C:\hiberfil.sys
[2012/01/07 12:12:47 | 000,000,296 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~LPk4BCcWTFTckJ
[2012/01/07 12:12:47 | 000,000,200 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~LPk4BCcWTFTckJr
[2012/01/07 12:12:28 | 000,000,448 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LPk4BCcWTFTckJ
[2012/01/07 10:48:00 | 000,013,240 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\72suu04twa0013kyrok73pnaar3ju26llf3a82t1e26otd
[2011/04/02 13:29:21 | 000,000,056 | ---- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/05/08 16:40:01 | 000,056,780 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/01/30 22:55:16 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/08/07 20:03:27 | 000,004,198 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
[2008/02/04 17:23:10 | 000,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/07/27 15:01:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QTW.ini
[2007/06/06 22:01:55 | 000,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/03/31 14:05:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2007/03/31 13:46:17 | 000,000,038 | ---- | C] () -- C:\WINDOWS\wwwbatch.ini
[2007/03/31 10:21:58 | 000,009,174 | ---- | C] () -- C:\Documents and Settings\Dylan\Application Data\wklnhst.dat
[2007/03/09 13:22:11 | 000,003,999 | ---- | C] () -- C:\WINDOWS\hpdj5700.ini
[2007/02/21 15:17:01 | 000,000,031 | ---- | C] () -- C:\WINDOWS\kodakpcd.ini
[2007/01/26 11:02:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2007/01/05 22:13:06 | 000,217,600 | ---- | C] () -- C:\Documents and Settings\Dylan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/12/29 07:22:57 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Dylan\Local Settings\Application Data\fusioncache.dat
[2006/11/17 11:34:40 | 000,099,712 | ---- | C] () -- C:\WINDOWS\HPBroker.dll
[2006/09/19 18:36:53 | 000,045,929 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.EXE
[2006/09/19 18:36:53 | 000,000,698 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.ini
[2006/09/19 18:24:52 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/09/19 18:14:28 | 000,028,510 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/08/18 03:00:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/08/18 03:00:00 | 001,617,920 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2006/08/18 03:00:00 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/08/18 03:00:00 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2006/08/18 03:00:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/08/18 03:00:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/08/18 03:00:00 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2006/08/18 03:00:00 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2006/08/18 03:00:00 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/06/29 14:18:28 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/06/29 14:18:14 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/06/29 13:49:18 | 000,087,268 | ---- | C] () -- C:\WINDOWS\hpqins69.dat
[2006/06/29 13:46:56 | 000,000,059 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/06/29 13:43:40 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2006/06/29 13:27:08 | 000,455,802 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/06/29 13:27:08 | 000,075,750 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/06/29 13:18:06 | 000,271,784 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/06/29 13:13:00 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/06/29 13:08:28 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/03/15 23:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/03/15 23:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/03/15 23:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/03/15 23:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/03/15 23:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/03/15 23:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/03/15 23:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2006/03/15 23:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2006/03/04 02:07:34 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/12/02 13:09:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/31 10:43:32 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\resourceGeneric.dll
[2005/05/05 21:06:32 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2004/09/16 15:24:26 | 003,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
[2004/01/08 12:38:12 | 000,024,576 | ---- | C] () -- C:\WINDOWS\shortcut.exe
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/07/26 14:09:58 | 000,143,360 | ---- | C] () -- C:\WINDOWS\unzip.exe
[2002/07/22 16:57:58 | 000,045,056 | ---- | C] () -- C:\WINDOWS\devenum.exe
[2002/05/28 16:55:42 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/05/28 16:54:40 | 000,004,605 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[1999/01/22 13:46:56 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

< End of report >

OTL Extras logfile created on: 09/01/2012 7:23:20 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Dylan\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

1.94 Gb Total Physical Memory | 0.71 Gb Available Physical Memory | 36.90% Memory free
3.78 Gb Paging File | 2.76 Gb Available in Paging File | 72.98% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 99.69 Gb Total Space | 51.30 Gb Free Space | 51.46% Space Free | Partition Type: NTFS
Drive D: | 11.06 Gb Total Space | 1.09 Gb Free Space | 9.86% Space Free | Partition Type: FAT32

Computer Name: DYLANLAPTOP | User Name: Dylan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-2183553110-4156872711-1521865910-1005\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"10243:TCP" = 10243:TCP:LocalSubNet:Disabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Disabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Disabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Disabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Disabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Disabled:Windows Media Player Network Sharing Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Symantec Client Security\Symantec AntiVirus\Smc.exe" = C:\Program Files\Symantec Client Security\Symantec AntiVirus\Smc.exe:*:Enabled:SMC Service -- (Symantec Corporation)
"C:\Program Files\Symantec Client Security\Symantec AntiVirus\SNAC.EXE" = C:\Program Files\Symantec Client Security\Symantec AntiVirus\SNAC.EXE:*:Enabled:SNAC Service -- (Symantec Corporation)
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email -- (Symantec Corporation)
"C:\Documents and Settings\Sara\Application Data\Dropbox\bin\Dropbox.exe" = C:\Documents and Settings\Sara\Application Data\Dropbox\bin\Dropbox.exe:*:Enabled:Dropbox -- (Dropbox, Inc.)
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"C:\Program Files\uTorrent\utorrent.exe" = C:\Program Files\uTorrent\utorrent.exe:*:Disabled:µTorrent -- (BitTorrent, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic Data Module
"{09D8492A-C8E2-421E-927D-46800FB327A3}" = Wireless Home Network Setup
"{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics
"{121634B0-2F4A-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1CB34CE9-0E6B-493F-BB66-3425E5DF76E5}" = CP_CalendarTemplates1
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD Plus
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23B35809-5E4A-4F14-8332-1CDEDDFAC089}" = CP_Package_Variety2
"{24BEBF2E-73F3-4599-840B-EDC612CCDD0D}" = Destinations
"{2A548002-9042-4083-A270-B67473DE1073}" = SkinsHP1
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{343666E2-A059-48AC-AD67-230BF74E2DB2}" = Apple Application Support
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.30 B1
"{34F3FCF1-817B-4D61-B6AF-19D9486AFEA0}" = Unload
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36D620AD-EEBA-4973-BA86-0C9AE6396620}" = OptionalContentQFolder
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{3FE0CFAB-584A-4AA5-B8CD-C32284CFA308}" = RandMap
"{4041C245-7099-4C96-9738-5EBC23827B3C}" = BufferChm
"{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}" = HP Wireless Assistant 2.00 H1
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP QuickPlay 2.3
"{47D2103B-FD51-4017-9C20-DD408B17D726}" = Office 2003 Trial Assistant
"{494D17B5-3369-4905-8C4B-80C972C5E0FF}" = CP_Panorama1Config
"{4DA4012B-39AF-48c2-B23B-A4D570D233A6}" = cp_LightScribeConfig
"{522D1D79-9C0A-4361-91F8-2AFF8EC6C2E1}" = CP_Package_Variety1
"{52FBAE98-D389-4281-8C14-21B4046CCB4E}" = SonicAC3Encoder
"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder
"{54F0998F-73C8-4b51-8286-FE903C231BED}" = cp_PosterPrintConfig
"{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth
"{5E2E4797-502A-4FFD-81EC-F9BA8BF0C581}" = Symantec Endpoint Protection
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler
"{6815FCDD-401D-481E-BA88-31B4754C2B46}" = Macromedia Flash Player 8
"{6F340107-F9AA-47C6-B54C-C3A19F11553F}" = Hewlett-Packard ACLM.NET v1.1.0.0
"{710BF966-43C8-4216-A8EC-BC4E169FF7C1}" = MobileMe Control Panel
"{766633B3-1AFA-44B6-A3FC-1DE991CD9C52}" = CP_Package_Basic1
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{79F8E1D4-36C1-439C-95FA-F695050B5B07}" = Sonic_PrimoSDK
"{7B63B2922B174135AFC0E1377DD81EC2}" =
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{80AE27BA-B0ED-4288-A8B9-D8194BCF4115}" = cp_UpdateProjectsConfig
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support
"{818ABC3C-635C-4651-8183-D0E9640B7DD1}" = HP Update
"{838A1BC9-95CA-4880-9BE3-2A7D23600A2B}" = Macromedia Shockwave Player
"{869C3062-4745-4949-B6C9-98AF24D89030}" = PhotoGallery
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{933B4015-4618-4716-A828-5289FC03165F}" = VC80CRTRedist - 8.0.50727.6195
"{939F8208-C8CE-4AFF-B7BA-ACEB2E74A6CB}" =
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9D4ABB0C-F60B-44A6-956C-A4A63D5495C9}" = CueTour
"{9F7AF7CD-E3D0-4C68-A3BA-C76C359B3AA8}" = LightScribe 1.4.105.1
"{A01FC76F-CC09-4658-9E37-5C2F635EE708}" = TourSetup
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A29549FD-65F3-440C-A552-6B8114CF319D}" = Skype Toolbars
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A436F67F-687E-4736-BD2B-537121A804CF}" = HP Product Detection
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic Audio Module
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.1)
"{AEE9ABDF-CFFD-4CC2-8519-E8ECEB5A2AAF}" = PENTAX USB DISK Device
"{B11E71BA-498C-42D4-9F1A-9D7A89D9DA61}" = CP_AtenaShokunin1Config
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic Copy Module
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B16AF568-A644-483C-A6DA-5028CD019C8C}" = SonicMPEGEncoder
"{B36649A3-D0DD-4706-B042-F5B384529C7A}" = Scrabble Complete
"{B57F2FF0-5A25-4332-B503-4592B370C02F}" = CP_Package_Variety3
"{B7DBF6E8-0D17-4BE4-853B-ACD6EFBD4A1F}" = iTunes
"{BBD3BF67-5B89-4CBB-BA58-5818ED5F3290}" = cp_OnlineProjectsConfig
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C0DDC931-CD9C-4527-872A-5FA96F6EF77F}" = The Hulk™ Demo
"{CA8B0FB9-69D0-4B50-8342-7CF0C96F10E6}" = Black's Digital Solution Studio
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEF5E226-E4F3-44C9-8F35-C675B75A827A}" = Ida
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{E276E05A-FFE8-485B-A005-42E76EA72AC4}" = HP User Guides 0032
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.1
"{EC397D90-720E-426D-B381-0A10C6FD5A49}" = HP Pavilion Webcam Demo
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FB09F05F-85C6-4205-B28D-5BF071D276C3}" = muvee autoProducer 5.0
"{FC8D25A7-FF1B-41BB-BB3B-9A06C0A60AE0}" = InstantShareDevices
"12133444-BF36-4d4e-B7FB-A3424C645DE4" = GemMaster Mystic
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter
"CNXT_HDAUDIO" = Conexant HD Audio
"CNXT_MODEM_PCI_VEN_14F1&DEV_5045_at8ven5m" = Soft Data Fax Modem with SmartCP
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2011-11-11
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DivX Setup" = DivX Setup
"Fish Tycoon" = Fish Tycoon 1.0
"HP Game Console" = HP Game Console and games
"HP Imaging Device Functions" = HP Imaging Device Functions 6.0
"HP Photo & Imaging" = HP Photosmart Premier Software 6.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Money2006b" = Microsoft Money 2006
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PartyPoker" = PartyPoker
"PokerStars" = PokerStars
"Secunia PSI" = Secunia PSI (2.0.0.4003)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"uTorrent" = µTorrent
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WildTangent CDA" = WildTangent Web Driver
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMCSetup" = Windows Media Connect
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2183553110-4156872711-1521865910-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Smilebox" = Smilebox

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 08/01/2012 2:56:25 AM | Computer Name = DYLANLAPTOP | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Bloodhound.MalPE in File: C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1200\A0161411.exe
by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description:
The file was quarantined successfully.

Error - 08/01/2012 6:57:14 AM | Computer Name = DYLANLAPTOP | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Tracking Cookies in File: Cookie:sara@apmebf.com/
by: Manual scan. Action: Quarantine failed : Leave Alone failed. Action Description:
The file was deleted successfully.

Error - 08/01/2012 9:11:24 AM | Computer Name = DYLANLAPTOP | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Boot.Tidserv in File: Master Boot Record for Physical
drive number 0 by: Manual scan. Action: Clean succeeded. Action Description:
The file was repaired successfully.

Error - 08/01/2012 9:24:28 AM | Computer Name = DYLANLAPTOP | Source = MSMQ | ID = 2059
Description = The RPC service cannot be used with the TCP/IP protocol. Consequently,
the Message Queuing service cannot communicate with other computers.

Error - 08/01/2012 9:46:18 AM | Computer Name = DYLANLAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application rundll32.exe, version 5.1.2600.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 08/01/2012 1:23:55 PM | Computer Name = DYLANLAPTOP | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Boot.Tidserv in File: Master Boot Record for Physical
drive number 0 by: Manual scan. Action: Clean succeeded. Action Description:
The file was repaired successfully.

Error - 08/01/2012 3:49:44 PM | Computer Name = DYLANLAPTOP | Source = MSMQ | ID = 2059
Description = The RPC service cannot be used with the TCP/IP protocol. Consequently,
the Message Queuing service cannot communicate with other computers.

Error - 08/01/2012 3:59:10 PM | Computer Name = DYLANLAPTOP | Source = MSMQ | ID = 2059
Description = The RPC service cannot be used with the TCP/IP protocol. Consequently,
the Message Queuing service cannot communicate with other computers.

Error - 08/01/2012 9:05:26 PM | Computer Name = DYLANLAPTOP | Source = MSMQ | ID = 2059
Description = The RPC service cannot be used with the TCP/IP protocol. Consequently,
the Message Queuing service cannot communicate with other computers.

Error - 09/01/2012 8:07:19 PM | Computer Name = DYLANLAPTOP | Source = MSMQ | ID = 2059
Description = The RPC service cannot be used with the TCP/IP protocol. Consequently,
the Message Queuing service cannot communicate with other computers.

[ SitNGoWizard Events ]
Error - 16/10/2010 6:36:59 PM | Computer Name = DYLANLAPTOP | Source = SitNGoWizard | ID = 1
Description = at System.Windows.Forms.Control.MarshaledInvoke(Control caller,
Delegate method, Object[] args, Boolean synchronous) at System.Windows.Forms.Control.Invoke(Delegate
method, Object[] args) at System.Windows.Forms.Control.Invoke(Delegate method)

at SitNGoWizard.MainForm.onPokerSiteTimerTick(Object sender, EventArgs e) at
System.Windows.Forms.Timer.OnTick(EventArgs e) at System.Windows.Forms.Timer.TimerNativeWindow.WndProc(Message&
m) at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr
wparam, IntPtr lparam)

Error - 16/10/2010 6:37:09 PM | Computer Name = DYLANLAPTOP | Source = SitNGoWizard | ID = 1
Description = Invoke or BeginInvoke cannot be called on a control until the window
handle has been created.

Error - 16/10/2010 6:37:09 PM | Computer Name = DYLANLAPTOP | Source = SitNGoWizard | ID = 1
Description = at System.Windows.Forms.Control.MarshaledInvoke(Control caller,
Delegate method, Object[] args, Boolean synchronous) at System.Windows.Forms.Control.Invoke(Delegate
method, Object[] args) at System.Windows.Forms.Control.Invoke(Delegate method)

at SitNGoWizard.MainForm.onPokerSiteTimerTick(Object sender, EventArgs e) at
System.Windows.Forms.Timer.OnTick(EventArgs e) at System.Windows.Forms.Timer.TimerNativeWindow.WndProc(Message&
m) at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr
wparam, IntPtr lparam)

Error - 16/10/2010 6:37:19 PM | Computer Name = DYLANLAPTOP | Source = SitNGoWizard | ID = 1
Description = Invoke or BeginInvoke cannot be called on a control until the window
handle has been created.

Error - 16/10/2010 6:37:19 PM | Computer Name = DYLANLAPTOP | Source = SitNGoWizard | ID = 1
Description = at System.Windows.Forms.Control.MarshaledInvoke(Control caller,
Delegate method, Object[] args, Boolean synchronous) at System.Windows.Forms.Control.Invoke(Delegate
method, Object[] args) at System.Windows.Forms.Control.Invoke(Delegate method)

at SitNGoWizard.MainForm.onPokerSiteTimerTick(Object sender, EventArgs e) at
System.Windows.Forms.Timer.OnTick(EventArgs e) at System.Windows.Forms.Timer.TimerNativeWindow.WndProc(Message&
m) at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr
wparam, IntPtr lparam)

Error - 16/10/2010 6:37:29 PM | Computer Name = DYLANLAPTOP | Source = SitNGoWizard | ID = 1
Description = Invoke or BeginInvoke cannot be called on a control until the window
handle has been created.

Error - 16/10/2010 6:37:29 PM | Computer Name = DYLANLAPTOP | Source = SitNGoWizard | ID = 1
Description = at System.Windows.Forms.Control.MarshaledInvoke(Control caller,
Delegate method, Object[] args, Boolean synchronous) at System.Windows.Forms.Control.Invoke(Delegate
method, Object[] args) at System.Windows.Forms.Control.Invoke(Delegate method)

at SitNGoWizard.MainForm.onPokerSiteTimerTick(Object sender, EventArgs e) at
System.Windows.Forms.Timer.OnTick(EventArgs e) at System.Windows.Forms.Timer.TimerNativeWindow.WndProc(Message&
m) at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr
wparam, IntPtr lparam)

Error - 16/10/2010 6:37:39 PM | Computer Name = DYLANLAPTOP | Source = SitNGoWizard | ID = 1
Description = Invoke or BeginInvoke cannot be called on a control until the window
handle has been created.

Error - 16/10/2010 6:37:39 PM | Computer Name = DYLANLAPTOP | Source = SitNGoWizard | ID = 1
Description = at System.Windows.Forms.Control.MarshaledInvoke(Control caller,
Delegate method, Object[] args, Boolean synchronous) at System.Windows.Forms.Control.Invoke(Delegate
method, Object[] args) at System.Windows.Forms.Control.Invoke(Delegate method)

at SitNGoWizard.MainForm.onPokerSiteTimerTick(Object sender, EventArgs e) at
System.Windows.Forms.Timer.OnTick(EventArgs e) at System.Windows.Forms.Timer.TimerNativeWindow.WndProc(Message&
m) at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr
wparam, IntPtr lparam)

Error - 16/10/2010 6:37:49 PM | Computer Name = DYLANLAPTOP | Source = SitNGoWizard | ID = 1
Description = Invoke or BeginInvoke cannot be called on a control until the window
handle has been created.

[ System Events ]
Error - 09/01/2012 8:07:56 PM | Computer Name = DYLANLAPTOP | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 09/01/2012 8:08:07 PM | Computer Name = DYLANLAPTOP | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 09/01/2012 8:08:24 PM | Computer Name = DYLANLAPTOP | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 09/01/2012 8:12:43 PM | Computer Name = DYLANLAPTOP | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 09/01/2012 8:15:23 PM | Computer Name = DYLANLAPTOP | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 09/01/2012 8:15:39 PM | Computer Name = DYLANLAPTOP | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 09/01/2012 8:16:57 PM | Computer Name = DYLANLAPTOP | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 09/01/2012 8:19:59 PM | Computer Name = DYLANLAPTOP | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 09/01/2012 8:27:49 PM | Computer Name = DYLANLAPTOP | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 09/01/2012 8:46:39 PM | Computer Name = DYLANLAPTOP | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127


< End of report >

#4 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:01:22 PM

Posted 10 January 2012 - 09:11 AM

Hello!

Thanks Agent ST, I appreciate your help on this. I'm aware of the security implications and I've already changed all my passwords from a clean computer. I'd like to try and clean this one, but I'd be interested in your thoughts as to how much I should trust this laptop once we're done.

I tend to tell the users I work with the same thing when they ask me this. That answer is, when we are done working together your computer should be better off than before we started working together.

Running ComboFix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon.
They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
    Posted Image
    Posted Image
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#5 Dylan Kerr

Dylan Kerr
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:12:22 PM

Posted 10 January 2012 - 08:11 PM

ComboFix ran successfully. It downloaded Windows Recovery Console, found ZeroAccess and executed a couple of reboots. I re-enabled Symantec Endpoint Protection once it was finished, and spent a couple of minutes performing Google searches. So far everything seems to be running well and no redirects or pop-ups.

Here is the ComboFix log.

ComboFix 12-01-10.02 - Dylan 10/01/2012 19:25:55.1.2 - x86
Running from: c:\documents and settings\Dylan\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\~1tlPPGvQYRhtne
c:\documents and settings\All Users\Application Data\~1tlPPGvQYRhtner
c:\documents and settings\All Users\Application Data\~LPk4BCcWTFTckJ
c:\documents and settings\All Users\Application Data\~LPk4BCcWTFTckJr
c:\documents and settings\All Users\Application Data\1tlPPGvQYRhtne
c:\documents and settings\All Users\Application Data\LPk4BCcWTFTckJ
c:\documents and settings\Dylan\Application Data\ACD Systems\ACDSee\ImageDB.ddf
c:\program files\Internet Explorer\SET281.tmp
c:\program files\Internet Explorer\SET282.tmp
c:\program files\Internet Explorer\SET284.tmp
c:\program files\Internet Explorer\SET2E8.tmp
c:\program files\Internet Explorer\SET2E9.tmp
c:\program files\Internet Explorer\SET2EA.tmp
c:\windows\$NtUninstallKB62280$\1320211368
c:\windows\$NtUninstallKB62280$\485945278\@
c:\windows\$NtUninstallKB62280$\485945278\bckfg.tmp
c:\windows\$NtUninstallKB62280$\485945278\cfg.ini
c:\windows\$NtUninstallKB62280$\485945278\Desktop.ini
c:\windows\$NtUninstallKB62280$\485945278\keywords
c:\windows\$NtUninstallKB62280$\485945278\kwrd.dll
c:\windows\$NtUninstallKB62280$\485945278\L\trbssmgb
c:\windows\$NtUninstallKB62280$\485945278\U\00000001.@
c:\windows\$NtUninstallKB62280$\485945278\U\00000002.@
c:\windows\$NtUninstallKB62280$\485945278\U\00000004.@
c:\windows\$NtUninstallKB62280$\485945278\U\80000000.@
c:\windows\$NtUninstallKB62280$\485945278\U\80000004.@
c:\windows\$NtUninstallKB62280$\485945278\U\80000032.@
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\kb913800.exe
c:\windows\system32\_000003_.tmp.dll
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000011_.tmp.dll
c:\windows\system32\_000019_.tmp.dll
c:\windows\system32\SET101.tmp
c:\windows\system32\SET102.tmp
c:\windows\system32\SET103.tmp
c:\windows\system32\SET10C.tmp
c:\windows\system32\SET10D.tmp
c:\windows\system32\SET10E.tmp
c:\windows\system32\SET11B.tmp
c:\windows\system32\SET120.tmp
c:\windows\system32\SET125.tmp
c:\windows\system32\SET127.tmp
c:\windows\system32\SET137.tmp
c:\windows\system32\SET138.tmp
c:\windows\system32\SET139.tmp
c:\windows\system32\SET13A.tmp
c:\windows\system32\SET13B.tmp
c:\windows\system32\SET13D.tmp
c:\windows\system32\SET13F.tmp
c:\windows\system32\SET140.tmp
c:\windows\system32\SET142.tmp
c:\windows\system32\SET143.tmp
c:\windows\system32\SET15B.tmp
c:\windows\system32\SET15C.tmp
c:\windows\system32\SET15E.tmp
c:\windows\system32\SET15F.tmp
c:\windows\system32\SET161.tmp
c:\windows\system32\SET163.tmp
c:\windows\system32\SET164.tmp
c:\windows\system32\SET165.tmp
c:\windows\system32\SET166.tmp
c:\windows\system32\SET167.tmp
c:\windows\system32\SET16D.tmp
c:\windows\system32\SET16F.tmp
c:\windows\system32\SET171.tmp
c:\windows\system32\SET173.tmp
c:\windows\system32\SET175.tmp
c:\windows\system32\SET176.tmp
c:\windows\system32\SET177.tmp
c:\windows\system32\SET17D.tmp
c:\windows\system32\SET17E.tmp
c:\windows\system32\SET17F.tmp
c:\windows\system32\SET1A3.tmp
c:\windows\system32\SET1A5.tmp
c:\windows\system32\SET1B7.tmp
c:\windows\system32\SET1B8.tmp
c:\windows\system32\SET1BD.tmp
c:\windows\system32\SET1BE.tmp
c:\windows\system32\SET1C0.tmp
c:\windows\system32\SET1C4.tmp
c:\windows\system32\SET1CB.tmp
c:\windows\system32\SET1CC.tmp
c:\windows\system32\SET1D3.tmp
c:\windows\system32\SET1D4.tmp
c:\windows\system32\SET1FA.tmp
c:\windows\system32\SET1FC.tmp
c:\windows\system32\SET201.tmp
c:\windows\system32\SET204.tmp
c:\windows\system32\SET207.tmp
c:\windows\system32\SET20C.tmp
c:\windows\system32\SET215.tmp
c:\windows\system32\SET21C.tmp
c:\windows\system32\SET220.tmp
c:\windows\system32\SET227.tmp
c:\windows\system32\SET231.tmp
c:\windows\system32\SET233.tmp
c:\windows\system32\SET28E.tmp
c:\windows\system32\SET28F.tmp
c:\windows\system32\SET291.tmp
c:\windows\system32\SET292.tmp
c:\windows\system32\SET293.tmp
c:\windows\system32\SET294.tmp
c:\windows\system32\SET295.tmp
c:\windows\system32\SET296.tmp
c:\windows\system32\SET298.tmp
c:\windows\system32\SET29A.tmp
c:\windows\system32\SET29B.tmp
c:\windows\system32\SET29C.tmp
c:\windows\system32\SET29F.tmp
c:\windows\system32\SET2A0.tmp
c:\windows\system32\SET2A3.tmp
c:\windows\system32\SET2A4.tmp
c:\windows\system32\SET2A6.tmp
c:\windows\system32\SET2A9.tmp
c:\windows\system32\SET2AA.tmp
c:\windows\system32\SET2AB.tmp
c:\windows\system32\SET2AC.tmp
c:\windows\system32\SET2AD.tmp
c:\windows\system32\SET2AE.tmp
c:\windows\system32\SET2B2.tmp
c:\windows\system32\SET2B3.tmp
c:\windows\system32\SET2B4.tmp
c:\windows\system32\SET2B5.tmp
c:\windows\system32\SET2B6.tmp
c:\windows\system32\SET2B7.tmp
c:\windows\system32\SET2B8.tmp
c:\windows\system32\SET2B9.tmp
c:\windows\system32\SET2BA.tmp
c:\windows\system32\SET2BB.tmp
c:\windows\system32\SET2BC.tmp
c:\windows\system32\SET2BD.tmp
c:\windows\system32\SET2BE.tmp
c:\windows\system32\SET2C0.tmp
c:\windows\system32\SET2C1.tmp
c:\windows\system32\SET2C2.tmp
c:\windows\system32\SET2C3.tmp
c:\windows\system32\SET2C5.tmp
c:\windows\system32\SET2F1.tmp
c:\windows\system32\SET2F2.tmp
c:\windows\system32\SET2F3.tmp
c:\windows\system32\SET2F4.tmp
c:\windows\system32\SET2F5.tmp
c:\windows\system32\SET2F6.tmp
c:\windows\system32\SET2F7.tmp
c:\windows\system32\SET2F8.tmp
c:\windows\system32\SET2F9.tmp
c:\windows\system32\SET2FA.tmp
c:\windows\system32\SET2FB.tmp
c:\windows\system32\SET2FC.tmp
c:\windows\system32\SET2FD.tmp
c:\windows\system32\SET2FE.tmp
c:\windows\system32\SET2FF.tmp
c:\windows\system32\SET300.tmp
c:\windows\system32\SET301.tmp
c:\windows\system32\SET303.tmp
c:\windows\system32\SET304.tmp
c:\windows\system32\SET305.tmp
c:\windows\system32\SET306.tmp
c:\windows\system32\SET307.tmp
c:\windows\system32\SET308.tmp
c:\windows\system32\SET309.tmp
c:\windows\system32\SET30A.tmp
c:\windows\system32\SET30B.tmp
c:\windows\system32\SET30C.tmp
c:\windows\system32\SET30D.tmp
c:\windows\system32\SET30E.tmp
c:\windows\system32\SET30F.tmp
c:\windows\system32\SET310.tmp
c:\windows\system32\SET311.tmp
c:\windows\system32\SET312.tmp
c:\windows\system32\SET313.tmp
c:\windows\system32\SET314.tmp
c:\windows\system32\SET315.tmp
c:\windows\system32\SET316.tmp
c:\windows\system32\SET317.tmp
c:\windows\system32\SET318.tmp
c:\windows\system32\SET319.tmp
c:\windows\system32\SET31A.tmp
c:\windows\system32\SET31F.tmp
c:\windows\system32\SET320.tmp
c:\windows\system32\SET321.tmp
c:\windows\system32\SET322.tmp
c:\windows\system32\SET326.tmp
c:\windows\system32\SET327.tmp
c:\windows\system32\SET32A.tmp
c:\windows\system32\SET32B.tmp
c:\windows\system32\SET32C.tmp
c:\windows\system32\SET32F.tmp
c:\windows\system32\SET331.tmp
c:\windows\system32\SET347.tmp
c:\windows\system32\SET34A.tmp
c:\windows\system32\SET34B.tmp
c:\windows\system32\SET34D.tmp
c:\windows\system32\SET350.tmp
c:\windows\system32\SET351.tmp
c:\windows\system32\SET355.tmp
c:\windows\system32\SET356.tmp
c:\windows\system32\SET357.tmp
c:\windows\system32\SET358.tmp
c:\windows\system32\SET359.tmp
c:\windows\system32\SET386.tmp
c:\windows\system32\SET389.tmp
D:\Autorun.inf
c:\windows\$NtUninstallKB62280$ . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2011-12-11 to 2012-01-11 )))))))))))))))))))))))))))))))
.
.
2012-01-08 03:00 . 2012-01-08 03:27 -------- d-----w- c:\windows\system32\Adobe
2012-01-08 00:26 . 2012-01-08 00:26 -------- d-----w- c:\program files\Secunia
2012-01-07 19:43 . 2012-01-07 19:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-07 19:43 . 2012-01-07 19:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-07 19:43 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-07 18:22 . 2012-01-07 18:22 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-01-07 18:22 . 2012-01-07 18:22 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-12-24 15:45 . 2011-12-24 15:45 -------- d-----w- c:\program files\iPod
2011-12-24 15:45 . 2011-12-24 15:47 -------- d-----w- c:\program files\iTunes
2011-12-18 20:20 . 2011-12-18 20:20 -------- d-----w- c:\documents and settings\Dylan\Application Data\DDMSettings
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-06 17:21 . 2011-05-15 14:34 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:25 . 2007-01-03 10:10 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2006-03-16 04:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2006-03-16 04:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2006-03-16 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2006-03-16 04:00 385024 ------w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2006-03-16 04:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2006-03-16 04:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2006-03-16 04:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2006-03-16 04:00 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 18:29 . 2011-10-24 18:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 18:29 . 2011-10-24 18:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-20 23:26 . 2011-10-20 23:26 94208 ----a-w- c:\windows\system32\dpl100.dll
2011-10-14 22:38 . 2006-03-04 07:08 456192 ----a-w- c:\windows\system32\encdec.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-05 68856]
"Ida"="c:\program files\Ida\IdaLaunch.exe" [2011-09-01 27368]
"SmileboxTray"="c:\documents and settings\Dylan\Application Data\Smilebox\SmileboxTray.exe" [2011-12-01 313160]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-08-12 380928]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-18 7585792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-18 86016]
"nwiz"="nwiz.exe" [2006-08-18 1617920]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-16 794713]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-09 184320]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-07-13 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-12 102400]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-03-31 115624]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Symantec Client Security\\Symantec AntiVirus\\Smc.exe"=
"c:\\Program Files\\Symantec Client Security\\Symantec AntiVirus\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Sara\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [14/10/2011 1:01 AM 994360]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [14/10/2011 1:01 AM 399416]
R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [06/06/2006 3:39 PM 61952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [08/11/2011 4:00 AM 106104]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [01/09/2010 3:30 AM 15544]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [06/02/2010 1:46 PM 135664]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [18/11/2008 5:17 PM 23888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [06/02/2010 1:46 PM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 18:45]
.
2012-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 18:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=64&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus
AddRemove-com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1 - c:\program files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-10 19:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???(d??????g?@?????L?@
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2504)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec Client Security\Symantec AntiVirus\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\mqsvc.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\SmcGui.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\Ida\Ida.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\eHome\ehmsas.exe
c:\progra~1\hpq\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2012-01-10 20:03:35 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-11 01:03
.
Pre-Run: 54,851,080,192 bytes free
Post-Run: 57,944,657,920 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 384A2AEC9F376E3C3BF8C1EB68686C02

#6 Dylan Kerr

Dylan Kerr
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:12:22 PM

Posted 10 January 2012 - 08:19 PM

PS: After posting the last reply, I went to shut down the laptop and Windows wants to install what looks like Microsoft updates. I'm not sure whether to run them or not at this point so I'm going to select shut down without updating. Please let me know if it is safe to run the updates at this point.

#7 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:01:22 PM

Posted 11 January 2012 - 03:41 AM

Hello!

I'm glad to hear that things are running better! We are definitely making some progress here, but I believe you still have a file that's been patched by malware.

Lets run a few scans to provide me with additional information on that.

Please hold up on letting those updates install. I want to be sure that we get this patched file first.

Farbar Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


NEXT:



OTL Custom Scan

We need to create a new OTL Report
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Click on the NONE button at the top.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    mrxsmb.sys
    mhndrv.sys
    iaStor.sys
    volsnap.sys
    btwusb.sys
    atapi.sys
    explorer.exe
    winlogon.exe
    wininit.exe
    hlp.dat
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    /md5stop
  • Push the Posted Image button.
  • One report will open, copy and paste it in a reply here:
  • OTL.txt <-- Will be opened

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#8 Dylan Kerr

Dylan Kerr
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:12:22 PM

Posted 11 January 2012 - 07:16 PM

Alright, when I booted up my laptop, Windows installed the updates in the background and then prompted me to reboot. I haven't yet. I ran the two scans but as soon as I shut down the laptop, the updates are going to take effect. Please let me know if we'll need to run any of the scans again once the updates take effect.

Farbar Service Scanner
Ran by Dylan (administrator) on 11-01-2012 at 18:57:08
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) SYMTDI(8) Tcpip(3)
0x080000000400000001000000020000000300000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****

OTL logfile created on: 11/01/2012 6:57:52 PM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Dylan\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

1.94 Gb Total Physical Memory | 1.18 Gb Available Physical Memory | 60.74% Memory free
3.78 Gb Paging File | 3.16 Gb Available in Paging File | 83.57% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 99.69 Gb Total Space | 53.94 Gb Free Space | 54.10% Space Free | Partition Type: NTFS
Drive D: | 11.06 Gb Total Space | 1.09 Gb Free Space | 9.86% Space Free | Partition Type: FAT32

Computer Name: DYLANLAPTOP | User Name: Dylan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days


SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: ccEvtMgr - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SafeBootMin: ccSetMgr - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: Symantec Antivirus - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {0213C6AF-5562-4D09-884C-2ADCFC8C2F35} - Microsoft .NET Framework 1.1 Security Update (KB2656353)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {1BC46932-21B2-4130-86E0-B4EB4F7A7A7B} - Microsoft .NET Framework 1.0 Hotfix (KB887998)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {29E7D24F-BF30-45E7-8A40-AD27AFD8F5C6} - Microsoft .NET Framework 1.0 Hotfix (KB979904)
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {407408d4-94ed-4d86-ab69-a7f649d112ee} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection QuickLaunchShortcut 640 %systemroot%\inf\mcdftreg.inf
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4F00D11B-8327-4C55-B7DA-B8D8C10F28A8} - Microsoft .NET Framework 1.0 Hotfix (KB2572066)
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {BDE0FA43-6952-4BA8-8C58-09AF690F88E1} - Microsoft .NET Framework 1.0 Hotfix (KB930494)
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E8EA5BD6-D931-4001-ABF6-81BAA500360A} - Microsoft .NET Framework 1.0 Hotfix (KB953295)
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EA29D410-CE41-4953-A862-2DE706A1DAD7} - Microsoft .NET Framework 1.0 Service Pack 3
ActiveX: {FDC11A6F-17D1-48f9-9EA3-9051954BAA24} - .NET Framework
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: KB910393 - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\EasyCDBlock.inf,PerUserInstall

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: VIDC.FFDS - C:\Program Files\Combined Community Codec Pack\Filters\FFDShow\ff_vfw.dll ()
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.LEAD - LCODCCMP.DLL File not found
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: ATAPI.SYS >
[2006/03/15 15:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\I386\sp2.cab:atapi.sys
[2006/03/15 23:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/07/14 12:18:23 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/07/14 12:18:23 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 08:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: BTWUSB.SYS >
[2006/05/12 15:05:02 | 000,057,320 | ---- | M] (Broadcom Corporation.) MD5=4272BAB9291D26DA5AC913BC79C3CE85 -- C:\SWSetup\BTOOTH\btwusb.sys
[2006/05/12 15:05:02 | 000,057,320 | ---- | M] (Broadcom Corporation.) MD5=4272BAB9291D26DA5AC913BC79C3CE85 -- C:\WINDOWS\system32\drivers\btwusb.sys

< MD5 for: EXPLORER.EXE >
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2011/01/16 15:55:21 | 000,255,488 | ---- | M] () MD5=3C33B26F2F7FA61D882515F2D6078691 -- C:\Documents and Settings\Sara\Local Settings\Temp\RarSFX0\procs\explorer.exe
[2007/06/13 06:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2006/03/15 23:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
[2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Documents and Settings\Sara\Local Settings\Temp\RarSFX0\h\explorer.exe

< MD5 for: IASTOR.SYS >
[2005/10/13 04:07:12 | 000,874,240 | ---- | M] (Intel Corporation) MD5=309C4D86D989FB1FCF64BD30DC81C51B -- C:\SWSetup\HDD\iastor.sys
[2005/10/13 04:07:12 | 000,874,240 | ---- | M] (Intel Corporation) MD5=309C4D86D989FB1FCF64BD30DC81C51B -- C:\WINDOWS\system32\drivers\iaStor.sys

< MD5 for: MHNDRV.SYS >
[2004/08/10 13:45:04 | 000,011,008 | ---- | M] (Microsoft Corporation) MD5=7F2F1D2815A6449D346FCCCBC569FBD6 -- C:\WINDOWS\system32\drivers\mhndrv.sys

< MD5 for: MRXSMB.SYS >
[2006/03/15 15:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\I386\sp2.cab:mrxsmb.sys
[2006/03/15 23:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:mrxsmb.sys
[2008/07/14 12:18:23 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:mrxsmb.sys
[2008/07/14 12:18:23 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:mrxsmb.sys
[2006/05/05 04:41:45 | 000,453,120 | ---- | M] (Microsoft Corporation) MD5=025AF03CE51645C62F3B6907A7E2BE5E -- C:\WINDOWS\$NtServicePackUninstall$\mrxsmb.sys
[2011/04/29 11:19:43 | 000,456,320 | ---- | M] (Microsoft Corporation) MD5=0DC719E9B15E902346E87E9DCD5751FA -- C:\WINDOWS\$NtUninstallKB2536276-v2$\mrxsmb.sys
[2011/02/17 08:18:24 | 000,455,936 | ---- | M] (Microsoft Corporation) MD5=0EA4D8ED179B75F8AFA7998BA22285CA -- C:\WINDOWS\$NtUninstallKB2536276$\mrxsmb.sys
[2006/03/15 23:00:00 | 000,451,456 | ---- | M] (Microsoft Corporation) MD5=1FD607FC67F7F7C633C3DA65BFC53D18 -- C:\WINDOWS\$NtUninstallKB885250$\mrxsmb.sys
[2009/12/04 13:22:22 | 000,455,424 | ---- | M] (Microsoft Corporation) MD5=421F7B922CEC5A5F340E7574A98F7B7C -- C:\WINDOWS\$NtUninstallKB980232$\mrxsmb.sys
[2005/01/19 07:26:52 | 000,451,584 | ---- | M] (Microsoft Corporation) MD5=5DDC9A1B2EB5A4BF010CE8C019A18C1F -- C:\WINDOWS\$NtUninstallKB914389$\mrxsmb.sys
[2009/12/04 12:25:56 | 000,456,832 | ---- | M] (Microsoft Corporation) MD5=602549D1E8A622E5746991F6C56B21CA -- C:\WINDOWS\$hf_mig$\KB978251\SP3QFE\mrxsmb.sys
[2008/10/24 06:21:09 | 000,455,296 | ---- | M] (Microsoft Corporation) MD5=60AE98742484E7AB80C3C1450E708148 -- C:\WINDOWS\$NtUninstallKB978251$\mrxsmb.sys
[2008/04/13 14:17:01 | 000,456,576 | ---- | M] (Microsoft Corporation) MD5=68755F0FF16070178B54674FE5B847B0 -- C:\WINDOWS\$NtUninstallKB957097$\mrxsmb.sys
[2008/04/13 14:17:01 | 000,456,576 | ---- | M] (Microsoft Corporation) MD5=68755F0FF16070178B54674FE5B847B0 -- C:\WINDOWS\ServicePackFiles\i386\mrxsmb.sys
[2008/10/24 06:41:11 | 000,455,936 | ---- | M] (Microsoft Corporation) MD5=7170AB42B51954DEF2781A4D1CCE65F4 -- C:\WINDOWS\$hf_mig$\KB957097\SP3QFE\mrxsmb.sys
[2006/05/05 05:16:39 | 000,454,400 | ---- | M] (Microsoft Corporation) MD5=7412CE77C6FD823F8889B4DF420C680B -- C:\WINDOWS\$hf_mig$\KB914389\SP2QFE\mrxsmb.sys
[2005/01/19 06:51:58 | 000,451,584 | ---- | M] (Microsoft Corporation) MD5=7B195060FF456FA65954C72C5C1640FF -- C:\WINDOWS\$hf_mig$\KB885250\SP2QFE\mrxsmb.sys
[2011/07/15 08:29:31 | 000,456,320 | ---- | M] (Microsoft Corporation) MD5=7D304A5EB4344EBEEAB53A2FE3FFB9F0 -- C:\WINDOWS\Driver Cache\i386\mrxsmb.sys
[2011/07/15 08:29:31 | 000,456,320 | ---- | M] (Microsoft Corporation) MD5=7D304A5EB4344EBEEAB53A2FE3FFB9F0 -- C:\WINDOWS\SoftwareDistribution\Download\cae2e05a002a9ae98c735c66fa6a46be\SP3GDR\mrxsmb.sys
[2011/07/15 08:29:31 | 000,456,320 | ---- | M] (Microsoft Corporation) MD5=7D304A5EB4344EBEEAB53A2FE3FFB9F0 -- C:\WINDOWS\system32\dllcache\mrxsmb.sys
[2011/07/15 08:29:31 | 000,456,320 | ---- | M] (Microsoft Corporation) MD5=7D304A5EB4344EBEEAB53A2FE3FFB9F0 -- C:\WINDOWS\system32\drivers\mrxsmb.sys
[2011/04/29 11:47:42 | 000,457,856 | ---- | M] (Microsoft Corporation) MD5=8DD801E28EB76FDA2A38907882A0036F -- C:\WINDOWS\$hf_mig$\KB2536276\SP3QFE\mrxsmb.sys
[2004/10/27 20:15:16 | 000,448,128 | ---- | M] (Microsoft Corporation) MD5=A1BE3CB080DCC0A8270D21E3CA3B7005 -- C:\WINDOWS\$hf_mig$\KB885835\SP2QFE\mrxsmb.sys
[2010/02/24 06:57:57 | 000,457,216 | ---- | M] (Microsoft Corporation) MD5=D09B9F0B9960DD41E73127B7814C115F -- C:\WINDOWS\$hf_mig$\KB980232\SP3QFE\mrxsmb.sys
[2010/02/24 08:11:07 | 000,455,680 | ---- | M] (Microsoft Corporation) MD5=F3AEFB11ABC521122B67095044169E98 -- C:\WINDOWS\$NtUninstallKB2511455$\mrxsmb.sys
[2011/07/15 08:29:35 | 000,457,856 | ---- | M] (Microsoft Corporation) MD5=FB2FCCC70F7174C7BF64F48E96D3ADF4 -- C:\WINDOWS\$hf_mig$\KB2536276-v2\SP3QFE\mrxsmb.sys
[2011/07/15 08:29:35 | 000,457,856 | ---- | M] (Microsoft Corporation) MD5=FB2FCCC70F7174C7BF64F48E96D3ADF4 -- C:\WINDOWS\SoftwareDistribution\Download\cae2e05a002a9ae98c735c66fa6a46be\SP3QFE\mrxsmb.sys
[2011/02/17 08:19:38 | 000,457,472 | ---- | M] (Microsoft Corporation) MD5=FB7DFD15D760AD339837A470F0E780D3 -- C:\WINDOWS\$hf_mig$\KB2511455\SP3QFE\mrxsmb.sys

< MD5 for: VOLSNAP.SYS >
[2008/04/13 13:41:01 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\ServicePackFiles\i386\volsnap.sys
[2008/04/13 13:41:01 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\system32\drivers\volsnap.sys
[2006/03/15 23:00:00 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=EE4660083DEBA849FF6C485D944B379B -- C:\WINDOWS\$NtServicePackUninstall$\volsnap.sys

< MD5 for: WINLOGON.EXE >
[2006/03/15 23:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Documents and Settings\Sara\Local Settings\Temp\RarSFX0\winlogon.exe
[2011/12/24 17:50:20 | 000,182,856 | ---- | M] () MD5=B382935AB01B27D0E14F267DBF288896 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< >

< End of report >

#9 Dylan Kerr

Dylan Kerr
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:12:22 PM

Posted 11 January 2012 - 07:26 PM

Sorry, when I went to shut down it gave me the option to shut down without installing updates; a little confusing because the Windows pop-up while logged on says the updates have been installed and require a reboot to take effect. Not 100% sure but I believe that means the updates still won't have taken effect when I turn the laptop back on. Either way, I'll wait until your next instructions before powering up the laptop.

#10 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:01:22 PM

Posted 12 January 2012 - 02:35 AM

Hi!

Gotta love Windows Updates!

It's probably going to be easiest if we just allow it to update the computer now, otherwise it's going to keep getting in the way of us trying to run the fixes. We don't want it to be nagging us to reboot the computer to finish installing the updates, and then automatically reboot on us right in the middle of one of our scans.

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
ClearJavaCache::
Folder::
c:\windows\$NtUninstallKB62280$

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#11 Dylan Kerr

Dylan Kerr
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:12:22 PM

Posted 12 January 2012 - 07:56 PM

Windows Update - apparently it was two separate sets of updates. The reboot pop-up is gone after a restart but there are still pending updates waiting for me to authorize. I'll leave these pending until we're done.

ComboFix Scan - everything seemed to go exactly like it did the first time through the scan. It found ZeroAccess again and rebooted a couple of times. Here's the log:

ComboFix 12-01-12.04 - Dylan 12/01/2012 19:13:08.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1335 [GMT -5:00]
Running from: c:\documents and settings\Dylan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dylan\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB62280$
.
.
((((((((((((((((((((((((( Files Created from 2011-12-13 to 2012-01-13 )))))))))))))))))))))))))))))))
.
.
2012-01-08 03:00 . 2012-01-08 03:27 -------- d-----w- c:\windows\system32\Adobe
2012-01-08 00:26 . 2012-01-08 00:26 -------- d-----w- c:\program files\Secunia
2012-01-07 19:43 . 2012-01-07 19:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-07 19:43 . 2012-01-07 19:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-07 19:43 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-07 18:22 . 2012-01-07 18:22 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-01-07 18:22 . 2012-01-07 18:22 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-12-24 15:45 . 2011-12-24 15:45 -------- d-----w- c:\program files\iPod
2011-12-24 15:45 . 2011-12-24 15:47 -------- d-----w- c:\program files\iTunes
2011-12-18 20:20 . 2011-12-18 20:20 -------- d-----w- c:\documents and settings\Dylan\Application Data\DDMSettings
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-06 17:21 . 2011-05-15 14:34 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:25 . 2007-01-03 10:10 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2006-03-16 04:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2006-03-16 04:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2006-03-16 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2006-03-16 04:00 385024 ------w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2006-03-16 04:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2006-03-16 04:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2006-03-16 04:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2006-03-16 04:00 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 18:29 . 2011-10-24 18:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 18:29 . 2011-10-24 18:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-20 23:26 . 2011-10-20 23:26 94208 ----a-w- c:\windows\system32\dpl100.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-05 68856]
"Ida"="c:\program files\Ida\IdaLaunch.exe" [2011-09-01 27368]
"SmileboxTray"="c:\documents and settings\Dylan\Application Data\Smilebox\SmileboxTray.exe" [2011-12-01 313160]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-08-12 380928]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-18 7585792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-18 86016]
"nwiz"="nwiz.exe" [2006-08-18 1617920]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-16 794713]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-09 184320]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-07-13 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-12 102400]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-03-31 115624]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Symantec Client Security\\Symantec AntiVirus\\Smc.exe"=
"c:\\Program Files\\Symantec Client Security\\Symantec AntiVirus\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Sara\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [14/10/2011 1:01 AM 994360]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [14/10/2011 1:01 AM 399416]
R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [06/06/2006 3:39 PM 61952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [08/11/2011 4:00 AM 106104]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [01/09/2010 3:30 AM 15544]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [06/02/2010 1:46 PM 135664]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [18/11/2008 5:17 PM 23888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [06/02/2010 1:46 PM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 18:45]
.
2012-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 18:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=64&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-12 19:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???(d??????g?@?????L?@
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4304)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec Client Security\Symantec AntiVirus\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\SmcGui.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\mqsvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\hpq\Shared\HPQTOA~1.EXE
c:\windows\eHome\ehmsas.exe
c:\program files\Ida\Ida.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\DoScan.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\SavUI.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\MsiExec.exe
.
**************************************************************************
.
Completion time: 2012-01-12 19:43:36 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-13 00:43
ComboFix2.txt 2012-01-11 01:03
.
Pre-Run: 57,828,769,792 bytes free
Post-Run: 57,816,092,672 bytes free
.
- - End Of File - - EB9CB9E883D80C619CA99B95932962CD

#12 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:01:22 PM

Posted 13 January 2012 - 01:51 AM

Hi!

Okay, thanks for that information regarding the Windows Update.

It looks like we were able to remove a malicious folder related to ZeroAccess.

Lets run a few other scans to see what they come up with.


Running aswMBR.exe

Download aswMBR.exe ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it Click the "Scan" button to start scan

Posted Image

On completion of the scan click save log, save it to your desktop and post in your next reply

Posted Image



NEXT:



Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update have been completed, Select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as it is and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Checked (ticked) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, the place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NEXT:


Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#13 Dylan Kerr

Dylan Kerr
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:12:22 PM

Posted 13 January 2012 - 03:04 PM

Windows Update (argh) - The rest of the updates called for a reboot so I did. When the computer came back up, Windows Malicious Software Removal Tool indicated that it had partially removed Trojan.Alureon and that I should run a full scan with an anti-virus program.

aswMBR - When I ran this scan it asked me if I wanted to download the latest AVAST virus definitions for a better scan. I wasn't sure so I said yes. They downloaded and the scan started. During the scan, Auto-Protect (I'm assuming from Symantec) came up and indicated it was quarantining a Trojan.Gen.2 file (C:\Documents and Settings\Dylan\Local Settings\Temp\_avast4_\unp109084890.tmp). Not sure if this was one of the virus definition files or not, but it hung the aswMBR scan. I waited about 30 mins but I was pretty sure the scan was no longer running so I had it generate the log. Prior to hanging, it identified an Alureon-K rootkit. It also generated a file called MBR.dat (which Windows is recognizing as a VCD file) and saved it to the desktop.

MBAM - ran quickly, found and repaired a PUM.hijack.startmenu file.

ESET - this one took about 4 and a half hours and found 17 files associated with a Win32/Rootkit.Kryptik.HD trojan.

Security Check - ran fine, no issues.

Clearly we're not clean yet, but hopefully getting to the root of the problem (sorry couldn't resist).

aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-13 08:32:33
-----------------------------
08:32:33.609 OS Version: Windows 5.1.2600 Service Pack 3
08:32:33.609 Number of processors: 2 586 0x4802
08:32:33.609 ComputerName: DYLANLAPTOP UserName: Dylan
08:32:34.515 Initialize success
08:39:28.515 AVAST engine defs: 12011300
08:41:09.750 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000008a
08:41:09.750 Disk 0 Vendor: Size: 0MB BusType: 0
08:41:09.781 Disk 0 MBR read successfully
08:41:09.781 Disk 0 MBR scan
08:41:09.828 Disk 0 unknown MBR code
08:41:09.828 Disk 0 MBR hidden
08:41:09.828 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 102084 MB offset 63
08:41:09.875 Disk 0 Partition 2 00 0C FAT32 LBA RECOVERY 11350 MB offset 209085975
08:41:09.890 Disk 0 Partition 3 00 D7 NTFS 1027 MB offset 232332030
08:41:09.921 Disk 0 Partition 4 00 17 Hidd HPFS/NTFS NTFS 2 MB offset 234436545
08:41:09.937 Disk 0 Partition 4 **INFECTED** MBR:Alureon-K [Rtk]
08:41:09.984 Disk 0 scanning C:\WINDOWS\system32\drivers
08:41:28.421 Service scanning
08:41:29.953 Modules scanning
08:41:39.109 Disk 0 trace - called modules:
08:41:39.125 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
08:41:39.140 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a6b4ab8]
08:41:39.140 3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> \Device\0000008b[0x8a709ac0]
08:41:39.156 5 ACPI.sys[f735e620] -> nt!IofCallDriver -> \Device\0000008a[0x8a6b4030]
08:41:39.765 AVAST engine scan C:\WINDOWS
08:42:16.312 AVAST engine scan C:\WINDOWS\system32
08:45:17.937 AVAST engine scan C:\WINDOWS\system32\drivers
08:45:43.359 AVAST engine scan C:\Documents and Settings\Dylan
09:05:35.328 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Dylan\Desktop\MBR.dat"
09:05:35.421 The log file has been saved successfully to "C:\Documents and Settings\Dylan\Desktop\aswMBR.txt"


Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.13.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Dylan :: DYLANLAPTOP [limited]

13/01/2012 9:08:42 AM
mbam-log-2012-01-13 (09-08-42).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 219389
Time elapsed: 23 minute(s), 54 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

List of Infected Files From ESET Scan
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1200\A0157268.sys a variant of Win32/Rootkit.Kryptik.HD trojan
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1200\A0157279.sys a variant of Win32/Rootkit.Kryptik.HD trojan
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1200\A0157291.sys a variant of Win32/Rootkit.Kryptik.HD trojan
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1200\A0158291.sys a variant of Win32/Rootkit.Kryptik.HD trojan
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1200\A0159291.sys a variant of Win32/Rootkit.Kryptik.HD trojan
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1200\A0160291.sys a variant of Win32/Rootkit.Kryptik.HD trojan
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1200\A0160297.sys a variant of Win32/Rootkit.Kryptik.HD trojan
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1200\A0161297.sys a variant of Win32/Rootkit.Kryptik.HD trojan
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1200\A0161414.sys a variant of Win32/Rootkit.Kryptik.HD trojan
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1200\A0162413.sys a variant of Win32/Rootkit.Kryptik.HD trojan
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1208\A0162661.sys a variant of Win32/Rootkit.Kryptik.HD trojan
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1208\A0163661.sys a variant of Win32/Rootkit.Kryptik.HD trojan
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1208\A0164661.sys a variant of Win32/Rootkit.Kryptik.HD trojan
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1208\A0164677.sys a variant of Win32/Rootkit.Kryptik.HD trojan
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1208\A0164690.sys a variant of Win32/Rootkit.Kryptik.HD trojan
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1208\A0164717.sys a variant of Win32/Rootkit.Kryptik.HD trojan
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1210\A0165488.dll a variant of Win32/Rootkit.Kryptik.HD trojan

Results of screen317's Security Check version 0.99.30
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
ESET Online Scanner v3
Symantec Endpoint Protection
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Secunia PSI (2.0.0.4003)
Adobe Reader X (10.1.2)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
Symantec Client Security Symantec AntiVirus Smc.exe
Symantec Client Security Symantec AntiVirus Rtvscan.exe
Symantec Client Security Symantec AntiVirus SmcGui.exe
``````````End of Log````````````

#14 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:01:22 PM

Posted 14 January 2012 - 03:58 AM

Hello!

Thanks for the information regarding the Windows Updates.

I'm currently in the process of researching something from your latest logs, and hope to have something for you shortly.

I'm going to ask that you reply to this thread, so that it gets bumped back up in my queue.

Kindest Regards,
ST.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#15 Dylan Kerr

Dylan Kerr
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:12:22 PM

Posted 14 January 2012 - 07:59 AM

Thanks. Bump.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users