Can't access Google


  • This topic is locked
14 replies to this topic

#1 Havl

Havl

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:54 AM

Posted 25 February 2012 - 04:44 PM

Last week, my XP machine got a rogue anti-malware trojan. Malwarebytes Anti-Malware solved almost all of the problems, but now I'm unable to access Google. The problem occurs whether I use Firefox (my default browser) or Internet Explorer. Interestingly, the browser can navigate to http://images.google.com, but from there it can't perform any searches. And http://maps.google.com works just fine.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_16
Run by Henry at 0:13:04 on 2012-02-25
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.639.198 [GMT -6:00]
.
.
============== Running Processes ===============
.
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
E:\WINDOWS\system32\spoolsv.exe
svchost.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\WINDOWS\System32\svchost.exe -k HPZ12
E:\WINDOWS\System32\svchost.exe -k HPZ12
E:\WINDOWS\System32\svchost.exe -k imgsvc
E:\Program Files\WZCBDL Service\WZCBDLS.exe
E:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\BCMSMMSG.exe
E:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\Program Files\D-Link\Air USB Utility\AirCFG.exe
E:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
E:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
E:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
E:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
E:\WINDOWS\system32\tbctray.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = my.daemon-search.com
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - e:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [Microsoft Works Update Detection] e:\program files\microsoft works\WkDetect.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [IntelliPoint] "e:\program files\microsoft intellipoint\ipoint.exe"
mRun: [D-Link Air USB Utility] e:\program files\d-link\air usb utility\AirCFG.exe
mRun: [nmctxth] "e:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [Linksys Wireless Manager] "e:\program files\linksys\linksys wireless manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
mRun: [QuickTime Task] "e:\program files\quicktime\qttask.exe" -atboottime
mRun: [Microsoft Works Update Detection] e:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [HP Software Update] e:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [LogitechQuickCamRibbon] "e:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [StartCCC] "e:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Carbonite Backup] e:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [TraySantaCruz] e:\windows\system32\tbctray.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://e:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1268885209821
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{E11F2F2D-A313-4032-8B8C-53252003361F} : DhcpNameServer = 192.168.1.254
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - e:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - e:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: !SASWinLogon - e:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - e:\program files\superantispyware\SASSEH.DLL
Hosts: 94.63.240.135 www.google.com
Hosts: 94.63.240.136 www.bing.com
.
================= FIREFOX ===================
.
FF - ProfilePath - e:\documents and settings\henry\application data\mozilla\firefox\profiles\5yo9iwqt.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: e:\documents and settings\henry\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: e:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;e:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;e:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 NIOC;NIOC Service;e:\windows\system32\NIOC.sys [2002-9-27 22912]
R2 WZCBDLService;WZCBDL Service;e:\program files\wzcbdl service\WZCBDLS.exe [2002-3-19 36864]
R3 tbcspud;Santa Cruz Driver;e:\windows\system32\drivers\tbcspud.sys [2010-3-18 144768]
R3 tbcwdm;Santa Cruz WDM Driver;e:\windows\system32\drivers\tbcwdm.sys [2010-3-18 545088]
R3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;e:\windows\system32\drivers\WUSB54GCv3.sys [2011-3-1 627072]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\e:\program files\lavasoft\ad-aware\kernexplorer.sys --> e:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 PRISM_USB;D-Link Air Wireless USB Adapter Driver;e:\windows\system32\drivers\PRISMUSB.sys [2003-10-2 666624]
.
=============== Created Last 30 ================
.
2012-02-25 05:57:01 -------- d-----w- E:\TDSSKiller_Quarantine
2012-02-24 05:18:34 98816 ----a-w- e:\windows\sed.exe
2012-02-24 05:18:34 518144 ----a-w- e:\windows\SWREG.exe
2012-02-24 05:18:34 256000 ----a-w- e:\windows\PEV.exe
2012-02-24 05:18:34 208896 ----a-w- e:\windows\MBR.exe
2012-02-18 22:24:55 -------- d-----w- e:\documents and settings\henry\application data\MediaWmplay
2012-02-14 17:22:49 -------- d-----w- e:\documents and settings\henry\application data\Rucaufn
2012-02-14 17:22:49 -------- d-----w- e:\documents and settings\henry\application data\Goudnug
.
==================== Find3M ====================
.
2011-12-14 16:49:27 187776 ----a-w- e:\windows\system32\drivers\acpi.sys
2011-12-10 21:24:06 20464 ----a-w- e:\windows\system32\drivers\mbam.sys
2011-12-02 15:44:17 57472 ----a-w- e:\windows\system32\drivers\redbook.sys
.
============= FINISH: 0:13:45.39 ===============
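The two "Hosts:" lines in the DDS log above are the part that explains the symptom: www.google.com and www.bing.com are being resolved from the local hosts file to a public address instead of Google's own servers, and the Firefox user.js entries silence the mixed-content and insecure-submit warnings. The following script is an added example (not from the original post or from the DDS/ComboFix tools) that parses a hosts file and a user.js and flags exactly those two patterns; the sample inputs are constructed from the log lines above.

```python
import ipaddress
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample hosts file. The two hijack lines reproduce the "Hosts:" entries
# from the DDS log above; the remaining lines are made up for the example.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
94.63.240.135   www.google.com
94.63.240.136   www.bing.com
0.0.0.0         ads.example.invalid   # blocklist-style entry, harmless
"""

# Constructed sample user.js, modelled on the "FIREFOX POLICIES" lines in the DDS log.
SAMPLE_USER_JS = """\
user_pref("network.cookie.cookieBehavior", 0);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_submit_insecure", false);
"""

# Prefs that, when forced to false, stop Firefox warning about mixed content and
# form submissions over plain HTTP (the values seen in the log above).
WEAKENING_PREFS: Dict[str, str] = {
    "security.warn_viewing_mixed": "false",
    "security.warn_viewing_mixed.show_once": "false",
    "security.warn_submit_insecure": "false",
    "security.warn_submit_insecure.show_once": "false",
}

USER_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*([^)]+)\);')


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text; comments and blanks are skipped."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed first field, not an address
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def is_sinkhole(ip: str) -> bool:
    """Loopback and 0.0.0.0 are the only destinations a benign hosts entry normally uses."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def suspicious_hosts_entries(text: str) -> List[Tuple[str, str]]:
    """Entries that redirect a hostname to a routable address.

    A legitimate hosts file maps names to 127.0.0.1/::1 (local services) or 0.0.0.0
    (ad blocklists). A public IP for a well-known domain is the hijack pattern shown
    in the DDS log: the browser "reaches" google.com but never talks to Google.
    """
    return [(ip, name) for ip, name in parse_hosts(text) if not is_sinkhole(ip)]


def parse_user_js(text: str) -> Dict[str, str]:
    """Map pref name -> raw value string for every user_pref(...) line."""
    return {m.group(1): m.group(2).strip() for m in USER_PREF_RE.finditer(text)}


def weakened_prefs(text: str) -> List[str]:
    """Names of security prefs that user.js forces to the warning-suppressing value."""
    prefs = parse_user_js(text)
    return sorted(name for name, bad in WEAKENING_PREFS.items() if prefs.get(name) == bad)


def main(argv: List[str]) -> int:
    # Optional: pass the real paths, e.g. %SystemRoot%\System32\drivers\etc\hosts and
    # the profile's user.js; with no arguments the constructed samples are scanned.
    hosts_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_HOSTS
    userjs_text = open(argv[2]).read() if len(argv) > 2 else SAMPLE_USER_JS
    for ip, name in suspicious_hosts_entries(hosts_text):
        print(f"hosts hijack: {name} -> {ip}")
    for pref in weakened_prefs(userjs_text):
        print(f"weakened browser pref: {pref} = false")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Fixing the hijack means restoring a clean hosts file (only the localhost line) and removing the user.js overrides; both are things the helper's later steps on this page work towards, and this script only reports them.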


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:54 AM

Posted 25 February 2012 - 07:05 PM

Hi

I see you have previously run ComboFix; was it recently? If so, please post the log(s); you should be able to locate them at C:\ComboFix.txt (older logs at C:\Qoobox\ComboFix2.txt).


NEXT



Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Havl

Havl
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:54 AM

Posted 25 February 2012 - 07:16 PM

Thank you for the quick reply. Yes, I ran ComboFix this week (which is not suggested, I know). Here's the ComboFix log:

ComboFix 12-02-21.01 - Henry 02/23/2012 23:29:38.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.639.346 [GMT -6:00]
Running from: c:\downloads\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-01-24 to 2012-02-24 )))))))))))))))))))))))))))))))
.
.
2012-02-21 18:07 . 2012-02-21 18:08 40776 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys
2012-02-18 22:24 . 2012-02-20 17:37 -------- d-----w- e:\documents and settings\Henry\Application Data\MediaWmplay
2012-02-14 17:22 . 2012-02-20 20:03 -------- d-----w- e:\documents and settings\Henry\Application Data\Rucaufn
2012-02-14 17:22 . 2012-02-20 17:41 -------- d-----w- e:\documents and settings\Henry\Application Data\Goudnug
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-14 16:49 . 2002-06-25 21:36 187776 ----a-w- e:\windows\system32\drivers\acpi.sys
2011-12-10 21:24 . 2011-12-13 04:50 20464 ----a-w- e:\windows\system32\drivers\mbam.sys
2011-12-02 15:44 . 2010-03-17 13:24 57472 ----a-w- e:\windows\system32\drivers\redbook.sys
2012-02-19 02:00 . 2011-05-30 03:59 134104 ----a-w- e:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-09-24_03.00.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-24 05:26 . 2012-02-24 05:26 16384 e:\windows\temp\Perflib_Perfdata_634.dat
+ 2012-02-24 05:26 . 2012-02-24 05:26 16384 e:\windows\temp\Perflib_Perfdata_5f0.dat
+ 2011-12-15 07:00 . 2001-11-09 16:01 24064 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\ativcoxx.dll
+ 2011-12-15 07:00 . 2010-02-03 03:12 17408 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\atitvo32.dll
+ 2011-12-15 07:00 . 2009-02-03 21:52 45056 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\ATIODCLI.exe
+ 2011-12-15 07:00 . 2010-02-03 03:18 65024 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\atimpc32.dll
+ 2011-12-15 07:00 . 2010-02-03 03:19 53248 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\ATIDDC.DLL
+ 2011-12-15 07:00 . 2010-02-03 04:12 45056 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\aticalrt.dll
+ 2011-12-15 07:00 . 2010-02-03 04:12 45056 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\aticalcl.dll
+ 2011-12-15 07:00 . 2010-02-03 03:23 26112 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\Ati2mdxx.exe
+ 2011-12-15 07:00 . 2010-02-03 03:17 53248 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\ati2erec.dll
+ 2011-12-15 07:00 . 2010-02-03 03:23 43520 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\ati2edxx.dll
+ 2002-06-25 21:44 . 2012-01-14 23:00 67836 e:\windows\system32\perfc009.dat
+ 2011-11-10 04:39 . 2011-11-10 04:39 54784 e:\windows\system32\OVDecode.dll
+ 2011-11-10 04:39 . 2011-11-10 04:39 59904 e:\windows\system32\OpenVideo.dll
+ 2011-11-10 04:37 . 2011-11-10 04:37 44032 e:\windows\system32\OpenCL.dll
+ 2010-05-27 03:29 . 2012-02-08 20:35 54196 e:\windows\system32\mlfcache.dat
+ 2011-12-15 06:41 . 2011-11-10 02:32 81679 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\oemdspif.dll
+ 2011-12-15 06:41 . 2001-11-09 16:01 12614 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\ativcoxx.dll
+ 2011-12-15 06:41 . 2010-08-27 19:32 81222 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\atiode.exe
+ 2011-12-15 06:41 . 2009-06-22 16:34 25130 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\atiodcli.exe
+ 2011-12-15 06:41 . 2011-11-10 02:12 41496 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\atimpc32.dll
+ 2011-12-15 06:41 . 2011-11-10 02:29 28698 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\atiddc.dll
+ 2011-12-15 06:41 . 2011-11-10 03:26 29983 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\aticalrt.dll
+ 2011-12-15 06:41 . 2011-11-10 03:26 29022 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\aticalcl.dll
+ 2011-12-15 06:41 . 2009-05-11 22:35 71662 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\atibtmon.exe
+ 2011-12-15 06:41 . 2011-11-10 02:27 61530 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\atiapfxx.exe
+ 2011-12-15 06:41 . 2011-11-10 02:32 16308 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\ati2mdxx.exe
+ 2011-12-15 06:41 . 2011-11-10 02:12 13652 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\ati2erec.dll
+ 2011-12-15 06:41 . 2011-11-10 02:32 28844 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\ati2edxx.dll
+ 2011-12-14 16:44 . 2004-08-04 06:14 74752 e:\windows\system32\drivers\ipsec.sys
- 2011-08-15 02:36 . 2004-08-04 06:14 74752 e:\windows\system32\drivers\ipsec.sys
+ 2010-03-18 05:56 . 2011-11-10 02:12 53248 e:\windows\system32\drivers\ati2erec.dll
- 2008-10-03 21:38 . 2010-02-03 03:17 53248 e:\windows\system32\drivers\ati2erec.dll
+ 2002-06-25 21:47 . 2004-08-04 07:56 57856 e:\windows\system32\dllcache\spoolsv.exe
+ 2004-08-04 07:56 . 2004-08-04 07:56 32768 e:\windows\system32\dllcache\ativtmxx.dll
- 2004-08-04 07:56 . 2004-08-04 07:56 32768 e:\windows\system32\ativtmxx.dll
+ 2004-08-04 07:56 . 2004-08-04 07:56 32768 e:\windows\system32\ativtmxx.dll
- 2001-11-09 15:01 . 2001-11-09 16:01 24064 e:\windows\system32\ativcoxx.dll
+ 2010-03-18 05:56 . 2001-11-09 16:01 24064 e:\windows\system32\ativcoxx.dll
+ 2010-03-18 05:56 . 2011-11-10 02:18 17408 e:\windows\system32\atitvo32.dll
- 2008-10-03 21:39 . 2010-02-03 03:12 17408 e:\windows\system32\atitvo32.dll
- 2010-03-18 05:56 . 2009-02-03 21:52 45056 e:\windows\system32\ATIODCLI.exe
+ 2010-03-18 05:56 . 2009-06-22 16:34 45056 e:\windows\system32\ATIODCLI.exe
+ 2010-03-18 05:56 . 2011-11-10 02:12 65024 e:\windows\system32\atimpc32.dll
- 2010-03-18 05:56 . 2010-02-03 03:18 65024 e:\windows\system32\atimpc32.dll
+ 2010-03-18 05:56 . 2011-11-10 02:29 53248 e:\windows\system32\ATIDDC.DLL
- 2008-10-03 22:26 . 2010-02-03 03:19 53248 e:\windows\system32\ATIDDC.DLL
+ 2010-03-18 05:56 . 2011-11-10 03:26 57344 e:\windows\system32\aticalrt.dll
+ 2010-03-18 05:56 . 2011-11-10 03:26 53248 e:\windows\system32\aticalcl.dll
- 2008-10-03 22:30 . 2010-02-03 03:23 26112 e:\windows\system32\Ati2mdxx.exe
+ 2010-03-18 05:56 . 2011-11-10 02:32 26112 e:\windows\system32\Ati2mdxx.exe
+ 2010-03-18 05:56 . 2011-11-10 02:32 43520 e:\windows\system32\ati2edxx.dll
- 2008-10-03 22:29 . 2010-02-03 03:23 43520 e:\windows\system32\ati2edxx.dll
+ 2010-03-18 05:56 . 2011-11-10 02:12 65024 e:\windows\system32\amdpcom32.dll
- 2008-10-03 21:45 . 2010-02-03 03:18 65024 e:\windows\system32\amdpcom32.dll
+ 2011-12-15 07:01 . 2011-12-15 07:01 10134 e:\windows\Installer\{CEC9FC3D-7EE9-F5B5-EE4A-4EEF486E70A1}\ARPPRODUCTICON.exe
+ 2011-12-15 07:01 . 2011-12-15 07:01 10134 e:\windows\Installer\{CBC800C4-1FD0-B310-F4A4-97741501CE09}\ARPPRODUCTICON.exe
+ 2011-12-15 07:01 . 2011-12-15 07:01 10134 e:\windows\Installer\{B0E4B690-8C1A-3AFC-93B1-FE44CC6AC451}\ARPPRODUCTICON.exe
+ 2011-12-17 02:58 . 2011-12-17 02:58 34632 e:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2011-12-15 07:01 . 2011-12-15 07:01 10134 e:\windows\Installer\{860FB617-F27B-7C53-4766-4063015CEBD9}\ARPPRODUCTICON.exe
+ 2011-12-15 06:41 . 2011-12-15 07:00 88102 e:\windows\Installer\{3F1A3608-87BB-5172-2B97-8B7FB632DED4}\NewShortcut5_4DEA5338A7B840A3B51CDC742625BF49.exe
+ 2011-12-15 06:41 . 2011-12-15 07:00 88102 e:\windows\Installer\{3F1A3608-87BB-5172-2B97-8B7FB632DED4}\NewShortcut4_4DEA5338A7B840A3B51CDC742625BF49.exe
+ 2011-12-15 06:41 . 2011-12-15 07:00 88102 e:\windows\Installer\{3F1A3608-87BB-5172-2B97-8B7FB632DED4}\NewShortcut3_4DEA5338A7B840A3B51CDC742625BF49.exe
+ 2011-12-15 06:41 . 2011-12-15 07:00 88102 e:\windows\Installer\{3F1A3608-87BB-5172-2B97-8B7FB632DED4}\NewShortcut2_4DEA5338A7B840A3B51CDC742625BF49.exe
+ 2011-12-15 06:41 . 2011-12-15 07:00 88102 e:\windows\Installer\{3F1A3608-87BB-5172-2B97-8B7FB632DED4}\ARPPRODUCTICON.exe
+ 2010-03-18 05:56 . 2011-12-15 06:23 77542 e:\windows\Installer\{3953DA43-4488-9C4E-CAD6-05F1B345134B}\NewShortcut5_4DEA5338A7B840A3B51CDC742625BF49.exe
- 2010-03-18 05:56 . 2010-03-18 05:56 77542 e:\windows\Installer\{3953DA43-4488-9C4E-CAD6-05F1B345134B}\NewShortcut5_4DEA5338A7B840A3B51CDC742625BF49.exe
- 2010-03-18 05:56 . 2010-03-18 05:56 77542 e:\windows\Installer\{3953DA43-4488-9C4E-CAD6-05F1B345134B}\NewShortcut4_4DEA5338A7B840A3B51CDC742625BF49.exe
+ 2010-03-18 05:56 . 2011-12-15 06:23 77542 e:\windows\Installer\{3953DA43-4488-9C4E-CAD6-05F1B345134B}\NewShortcut4_4DEA5338A7B840A3B51CDC742625BF49.exe
- 2010-03-18 05:56 . 2010-03-18 05:56 77542 e:\windows\Installer\{3953DA43-4488-9C4E-CAD6-05F1B345134B}\NewShortcut3_4DEA5338A7B840A3B51CDC742625BF49.exe
+ 2010-03-18 05:56 . 2011-12-15 06:23 77542 e:\windows\Installer\{3953DA43-4488-9C4E-CAD6-05F1B345134B}\NewShortcut3_4DEA5338A7B840A3B51CDC742625BF49.exe
- 2010-03-18 05:56 . 2010-03-18 05:56 77542 e:\windows\Installer\{3953DA43-4488-9C4E-CAD6-05F1B345134B}\NewShortcut2_4DEA5338A7B840A3B51CDC742625BF49.exe
+ 2010-03-18 05:56 . 2011-12-15 06:23 77542 e:\windows\Installer\{3953DA43-4488-9C4E-CAD6-05F1B345134B}\NewShortcut2_4DEA5338A7B840A3B51CDC742625BF49.exe
+ 2011-12-15 07:01 . 2011-12-15 07:01 10134 e:\windows\Installer\{2ECA81CA-D932-4AD3-AD59-BF5CCF099C83}\ARPPRODUCTICON.exe
+ 2011-12-15 07:00 . 2011-12-15 07:00 10134 e:\windows\Installer\{190BFE74-D73A-C8E5-CD90-CD872449C8D1}\ARPPRODUCTICON.exe
+ 2011-12-15 05:40 . 2011-12-15 05:57 88102 e:\windows\Installer\{190601AF-7BE4-046E-CEBF-14EE74434250}\NewShortcut5_4DEA5338A7B840A3B51CDC742625BF49.exe
+ 2011-12-15 05:40 . 2011-12-15 05:57 88102 e:\windows\Installer\{190601AF-7BE4-046E-CEBF-14EE74434250}\NewShortcut4_4DEA5338A7B840A3B51CDC742625BF49.exe
+ 2011-12-15 05:40 . 2011-12-15 05:57 88102 e:\windows\Installer\{190601AF-7BE4-046E-CEBF-14EE74434250}\NewShortcut3_4DEA5338A7B840A3B51CDC742625BF49.exe
+ 2011-12-15 05:40 . 2011-12-15 05:57 88102 e:\windows\Installer\{190601AF-7BE4-046E-CEBF-14EE74434250}\NewShortcut2_4DEA5338A7B840A3B51CDC742625BF49.exe
+ 2011-12-15 07:02 . 2011-12-15 07:02 10134 e:\windows\Installer\{01BECA44-450D-ACCF-AFC3-03FF6B009B63}\ARPPRODUCTICON.exe
+ 2011-12-15 06:41 . 2011-11-10 02:18 8348 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\atitvo32.dll
+ 2011-12-15 07:02 . 2011-12-15 07:02 9662 e:\windows\Installer\{01BECA44-450D-ACCF-AFC3-03FF6B009B63}\NewShortcut11_EAB9635D261D49BE88DDE71A7C809B2D.exe
+ 2009-02-25 20:13 . 2009-02-25 20:13 626688 e:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2009-02-25 20:13 . 2009-02-25 20:13 548864 e:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2009-02-25 20:13 . 2009-02-25 20:13 479232 e:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2011-10-22 02:15 . 2011-10-22 02:15 104448 e:\windows\system32\SlotMaximizerAg.dll
+ 2011-12-15 07:00 . 2010-02-03 03:23 155648 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\Oemdspif.dll
+ 2011-12-15 07:00 . 2010-02-03 03:34 887724 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\ativva6x.dat
+ 2011-12-15 07:00 . 2010-02-03 03:23 208896 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\atipdlxx.dll
+ 2011-12-15 07:00 . 2010-02-03 03:32 397312 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\atiok3x2.dll
+ 2011-12-15 07:00 . 2009-02-18 18:55 294912 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\ATIODE.exe
+ 2011-12-15 07:00 . 2010-02-03 03:15 565248 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\atikvmag.dll
+ 2011-12-15 07:00 . 2010-02-03 04:07 311296 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\atiiiexx.dll
+ 2011-12-15 07:00 . 2009-12-04 21:17 198341 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\atiicdxx.dat
+ 2011-12-15 07:00 . 2010-02-03 03:40 446464 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\ATIDEMGX.dll
+ 2011-12-15 07:00 . 2009-05-11 22:35 118784 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\atibtmon.exe
+ 2011-12-15 07:00 . 2010-02-03 03:19 143360 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\atiapfxx.exe
+ 2011-12-15 07:00 . 2010-02-03 03:12 180224 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\atiadlxx.dll
+ 2011-12-15 07:00 . 2010-02-03 03:21 602112 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\ati2evxx.exe
+ 2011-12-15 07:00 . 2010-02-03 03:22 159744 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\ati2evxx.dll
+ 2011-12-15 07:00 . 2010-02-03 03:39 301568 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\ati2dvag.dll
+ 2011-12-15 07:00 . 2010-02-03 03:06 638976 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\ati2cqag.dll
+ 2002-06-25 21:44 . 2012-01-14 23:00 433324 e:\windows\system32\perfh009.dat
+ 2010-03-18 05:56 . 2011-11-10 02:32 155648 e:\windows\system32\Oemdspif.dll
- 2008-10-03 22:30 . 2010-02-03 03:23 155648 e:\windows\system32\Oemdspif.dll
+ 2011-09-29 18:06 . 2011-09-29 18:06 243360 e:\windows\system32\Macromed\Flash\FlashUtil10x_Plugin.exe
+ 2010-03-17 13:22 . 2012-02-09 15:23 251088 e:\windows\system32\FNTCACHE.DAT
+ 2011-12-15 06:41 . 2011-11-10 02:41 501631 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\ativvamv.dll
+ 2011-12-15 06:41 . 2011-11-10 02:25 887724 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\ativva6x.dat
+ 2011-12-15 06:41 . 2011-11-10 02:32 110204 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\atipdlxx.dll
+ 2011-12-15 06:41 . 2011-11-10 02:20 293505 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\atiok3x2.dll
+ 2011-12-15 06:41 . 2011-11-10 02:23 419091 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\atikvmag.dll
+ 2011-12-15 06:41 . 2011-11-10 03:34 311296 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\atiiiexx.dll
+ 2011-12-15 06:41 . 2011-10-21 19:30 243168 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\atiicdxx.dat
+ 2011-12-15 06:41 . 2011-11-10 02:54 466944 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\atidemgx.dll
+ 2011-12-15 06:41 . 2011-11-10 02:18 125808 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\atiadlxx.dll
+ 2011-12-15 06:41 . 2011-11-10 02:30 345765 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\ati2evxx.exe
+ 2011-12-15 06:41 . 2011-11-10 02:31 103367 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\ati2evxx.dll
+ 2011-12-15 06:41 . 2011-11-10 02:53 191755 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\ati2dvag.dll
+ 2011-12-15 06:41 . 2011-11-10 02:12 447608 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\ati2cqag.dll
+ 2004-08-04 07:56 . 2004-08-04 07:56 516768 e:\windows\system32\dllcache\ativvaxx.dll
+ 2004-08-04 07:56 . 2004-08-04 07:56 870784 e:\windows\system32\dllcache\ati3d1ag.dll
+ 2004-08-04 07:56 . 2004-08-04 07:56 201728 e:\windows\system32\dllcache\ati2dvag.dll
+ 2004-08-04 07:56 . 2004-08-04 07:56 377984 e:\windows\system32\dllcache\ati2dvaa.dll
+ 2004-08-04 07:56 . 2004-08-04 07:56 229376 e:\windows\system32\dllcache\ati2cqag.dll
+ 2011-12-15 06:41 . 2011-11-10 02:41 956160 e:\windows\system32\ativvamv.dll
- 2010-03-18 05:34 . 2010-02-03 03:34 887724 e:\windows\system32\ativva6x.dat
+ 2010-03-18 05:56 . 2011-11-10 02:25 887724 e:\windows\system32\ativva6x.dat
+ 2010-03-18 05:56 . 2011-11-10 02:32 212992 e:\windows\system32\atipdlxx.dll
+ 2010-03-18 05:56 . 2011-11-10 02:20 602112 e:\windows\system32\atiok3x2.dll
- 2010-03-18 05:56 . 2009-02-18 18:55 294912 e:\windows\system32\ATIODE.exe
+ 2010-03-18 05:56 . 2010-08-27 19:32 294912 e:\windows\system32\ATIODE.exe
+ 2010-03-18 05:56 . 2011-11-10 02:23 806912 e:\windows\system32\atikvmag.dll
+ 2010-03-18 05:56 . 2011-11-10 03:34 311296 e:\windows\system32\atiiiexx.dll
- 2010-03-18 05:34 . 2010-02-03 04:07 311296 e:\windows\system32\atiiiexx.dll
+ 2010-03-18 05:56 . 2011-10-21 19:30 243168 e:\windows\system32\atiicdxx.dat
+ 2010-03-18 05:56 . 2011-11-10 02:54 466944 e:\windows\system32\ATIDEMGX.dll
+ 2010-03-18 05:56 . 2011-11-10 02:27 159744 e:\windows\system32\atiapfxx.exe
+ 2010-03-18 05:56 . 2011-11-10 02:18 233472 e:\windows\system32\atiadlxx.dll
- 2004-08-04 07:56 . 2004-08-04 07:56 870784 e:\windows\system32\ati3d1ag.dll
+ 2004-08-04 07:56 . 2004-08-04 07:56 870784 e:\windows\system32\ati3d1ag.dll
+ 2010-03-18 05:56 . 2011-11-10 02:30 643072 e:\windows\system32\ati2evxx.exe
+ 2010-03-18 05:56 . 2011-11-10 02:31 192512 e:\windows\system32\ati2evxx.dll
+ 2004-08-04 07:56 . 2011-11-10 02:53 304640 e:\windows\system32\ati2dvag.dll
- 2004-08-04 07:56 . 2004-08-04 07:56 377984 e:\windows\system32\ati2dvaa.dll
+ 2004-08-04 07:56 . 2004-08-04 07:56 377984 e:\windows\system32\ati2dvaa.dll
+ 2004-08-04 07:56 . 2011-11-10 02:12 884736 e:\windows\system32\ati2cqag.dll
+ 2011-12-17 02:58 . 2011-12-17 02:58 381440 e:\windows\Installer\2906ec5.msi
+ 2011-12-15 07:01 . 2011-12-15 07:01 230400 e:\windows\Installer\1f92db.msi
+ 2011-12-15 07:01 . 2011-12-15 07:01 415744 e:\windows\Installer\1f92d5.msi
+ 2011-12-15 07:01 . 2011-12-15 07:01 251392 e:\windows\Installer\1f92cf.msi
+ 2011-12-15 07:01 . 2011-12-15 07:01 262144 e:\windows\Installer\1f92c9.msi
+ 2011-12-15 07:01 . 2011-12-15 07:01 356352 e:\windows\Installer\1f92c3.msi
+ 2011-12-15 07:00 . 2011-12-15 07:00 438784 e:\windows\Installer\1f9153.msi
+ 2011-12-15 06:26 . 2011-12-15 06:26 262144 e:\windows\assembly\GAC_MSIL\CLI.AIB.TutorialInfoCentre.Tutorial.Dashboard\1.2.2600.29179__90ba9c70f846762e\CLI.AIB.TutorialInfoCentre.Tutorial.Dashboard.DLL
- 2010-03-18 07:54 . 2010-03-18 07:54 262144 e:\windows\assembly\GAC_MSIL\CLI.AIB.TutorialInfoCentre.Tutorial.Dashboard\1.2.2600.29179__90ba9c70f846762e\CLI.AIB.TutorialInfoCentre.Tutorial.Dashboard.DLL
+ 2011-10-22 02:16 . 2011-10-22 02:16 1843200 e:\windows\system32\SlotMaximizerBe.dll
+ 2011-12-15 07:00 . 2010-02-03 03:35 2176640 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\ativvaxx.dll
+ 2011-12-15 07:00 . 2010-02-03 04:10 3633152 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\aticaldd.dll
+ 2011-12-15 07:00 . 2010-02-03 03:50 3566048 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\ati3duag.dll
+ 2011-12-15 07:00 . 2010-02-03 04:52 4605952 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\ati2mtag.sys
- 2010-09-27 03:52 . 2011-09-07 18:32 6277280 e:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2010-09-27 03:52 . 2011-09-29 18:06 6277280 e:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2011-12-15 06:41 . 2011-11-10 02:30 1631107 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\ativvaxx.dll
+ 2011-12-15 06:41 . 2011-11-10 03:06 8337653 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\atioglxx.dll
+ 2011-12-15 06:41 . 2011-11-10 03:20 3157479 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\aticaldd.dll
+ 2011-12-15 06:41 . 2011-11-10 02:50 2787536 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\ati3duag.dll
+ 2011-12-15 06:41 . 2011-11-10 03:42 4986553 e:\windows\system32\DRVSTORE\CX130071_87B406681E65B148C91E8BBBF5E64E437D023907\B128376\ati2mtag.sys
+ 2010-03-18 05:56 . 2011-11-10 03:42 7493120 e:\windows\system32\drivers\ati2mtag.sys
+ 2004-08-04 07:56 . 2004-08-04 07:56 1888992 e:\windows\system32\dllcache\ati3duag.dll
+ 2004-08-04 07:56 . 2011-11-10 02:30 3303040 e:\windows\system32\ativvaxx.dll
+ 2010-03-18 05:56 . 2011-11-10 03:20 7196672 e:\windows\system32\aticaldd.dll
+ 2004-08-04 07:56 . 2011-11-10 02:50 5266624 e:\windows\system32\ati3duag.dll
+ 2011-12-15 07:02 . 2011-12-15 07:02 1132544 e:\windows\Installer\1f92e2.msi
+ 2011-12-15 07:00 . 2011-12-15 07:00 1650176 e:\windows\Installer\1f915a.msi
+ 2011-12-15 07:00 . 2010-02-03 04:02 14188544 e:\windows\system32\ReinstallBackups\0020\DriverFiles\B_95228\atioglxx.dll
+ 2010-03-18 05:56 . 2011-11-10 03:06 19210240 e:\windows\system32\atioglxx.dll
+ 2011-11-10 04:38 . 2011-11-10 04:38 14375936 e:\windows\system32\amdocl.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2011-12-06 02:41 1005712 ----a-r- e:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-12-06 02:41 1005712 ----a-r- e:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2011-12-06 02:41 1005712 ----a-r- e:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="e:\program files\Microsoft Works\WkDetect.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"IntelliPoint"="e:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-11 1468256]
"D-Link Air USB Utility"="e:\program files\D-Link\Air USB Utility\AirCFG.exe" [2003-07-23 2695168]
"nmctxth"="e:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
"Linksys Wireless Manager"="e:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 1358384]
"QuickTime Task"="e:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Microsoft Works Update Detection"="e:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]
"HP Software Update"="e:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"LogitechQuickCamRibbon"="e:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"StartCCC"="e:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-11-10 98304]
"Carbonite Backup"="e:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2011-12-06 1059472]
"TraySantaCruz"="e:\windows\system32\tbctray.exe" [2002-04-17 290816]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- e:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=e:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=e:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=e:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=e:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- e:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 21:08 421160 ----a-w- e:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
2001-08-23 21:52 331830 ----a-w- e:\program files\Microsoft Works\wkssb.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 07:56 1667584 ------w- e:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- e:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
2001-10-06 00:34 24576 ----a-w- e:\program files\Microsoft Works\wkfud.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"Lavasoft Ad-Aware Service"=3 (0x3)
"idsvc"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\REAPER\\reaper.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\F1 Challenge 99-02\\f1 challenge 99-02.exe"=
"e:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"e:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"e:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
"%windir%\explorer.exe"= %windir%\explorer.exe
.
R?2 WZCBDLService;WZCBDL Service;e:\program files\WZCBDL Service\WZCBDLS.exe [3/19/2002 11:15 AM 36864]
R1 SASDIFSV;SASDIFSV;e:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;e:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
R2 NIOC;NIOC Service;e:\windows\system32\NIOC.sys [9/27/2002 5:21 PM 22912]
R3 tbcspud;Santa Cruz Driver;e:\windows\system32\drivers\tbcspud.sys [3/18/2010 3:06 AM 144768]
R3 tbcwdm;Santa Cruz WDM Driver;e:\windows\system32\drivers\tbcwdm.sys [3/18/2010 3:06 AM 545088]
R3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;e:\windows\system32\drivers\WUSB54GCv3.sys [3/1/2011 11:39 AM 627072]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\e:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> e:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;e:\windows\system32\drivers\mbamswissarmy.sys [2/21/2012 12:07 PM 40776]
S3 PRISM_USB;D-Link Air Wireless USB Adapter Driver;e:\windows\system32\drivers\PRISMUSB.sys [10/2/2003 2:47 PM 666624]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = my.daemon-search.com
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java - file://e:\windows\Java\classes\xmldso.cab
FF - ProfilePath - e:\documents and settings\Henry\Application Data\Mozilla\Firefox\Profiles\5yo9iwqt.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-23 23:40
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-839522115-1336601894-1801674531-1004\Software\SecuROM\License information*]
"datasecu"=hex:da,6b,52,09,9c,b6,5e,19,b6,46,bf,58,79,ef,9d,ab,90,12,5a,c6,87,
86,9e,d1,de,40,21,35,e3,e1,3a,0c,4c,23,23,5d,bb,86,58,63,41,f2,92,75,8e,27,\
"rkeysecu"=hex:3e,f0,08,2b,ad,d5,08,5e,bc,ef,1d,33,41,94,d8,47
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(652)
e:\program files\SUPERAntiSpyware\SASWINLO.DLL
e:\windows\system32\Ati2evxx.dll
e:\windows\system32\atiadlxx.dll
.
Completion time: 2012-02-23 23:42:59
ComboFix-quarantined-files.txt 2012-02-24 05:42
ComboFix2.txt 2011-12-14 17:19
ComboFix3.txt 2011-06-08 18:23
.
Pre-Run: 108,537,982,976 bytes free
Post-Run: 108,731,940,864 bytes free
.
- - End Of File - - 8010541C78C23518159E0C89640FE875


And here is the log from Farbar Service Scanner:

Farbar Service Scanner Version: 22-02-2012
Ran by Henry (administrator) on 25-02-2012 at 18:14:25
Running from "C:\downloads"
Microsoft Windows XP Home Edition Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0


System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice service is OK.


System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".


File Check:
========
E:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
E:\WINDOWS\system32\Drivers\afd.sys
[2002-06-25 15:36] - [2008-08-14 03:51] - 0138368 ____A (Microsoft Corporation) 55E6E1C51B6D30E54335750955453702

E:\WINDOWS\system32\Drivers\netbt.sys
[2002-06-25 15:42] - [2004-08-04 00:14] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

E:\WINDOWS\system32\Drivers\tcpip.sys
[2002-06-25 15:47] - [2008-06-20 04:45] - 0360320 ____A (Microsoft Corporation) 2A5554FC5B1E04E131230E3CE035C3F9

E:\WINDOWS\system32\Drivers\ipsec.sys
[2011-12-14 10:44] - [2004-08-04 00:14] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

E:\WINDOWS\system32\dnsrslvr.dll
[2002-06-25 15:37] - [2004-08-04 01:56] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D

E:\WINDOWS\system32\ipnathlp.dll
[2002-06-25 15:38] - [2004-08-04 01:56] - 0331264 ____A (Microsoft Corporation) 36CC8C01B5E50163037BEF56CB96DEFF

E:\WINDOWS\system32\netman.dll
[2002-06-25 15:42] - [2004-08-04 01:56] - 0198144 ____A (Microsoft Corporation) DAB9E6C7105D2EF49876FE92C524F565

E:\WINDOWS\system32\wbem\WMIsvc.dll
[2010-03-17 14:29] - [2004-08-04 01:56] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

E:\WINDOWS\system32\srsvc.dll
[2010-03-17 14:31] - [2004-08-04 01:56] - 0170496 ____A (Microsoft Corporation) 92BDF74F12D6CBEC43C94D4B7F804838

E:\WINDOWS\system32\Drivers\sr.sys
[2010-03-17 14:31] - [2004-08-04 00:06] - 0073472 ____A (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24

E:\WINDOWS\system32\wscsvc.dll
[2004-08-04 01:56] - [2004-08-04 01:56] - 0081408 ____N (Microsoft Corporation) 4D59DAA66C60858CDF4F67A900F42D4A

E:\WINDOWS\system32\wbem\WMIsvc.dll
[2010-03-17 14:29] - [2004-08-04 01:56] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

E:\WINDOWS\system32\wuauserv.dll
[2010-03-17 14:29] - [2004-08-04 01:56] - 0006656 ____A (Microsoft Corporation) 13D72740963CBA12D9FF76A7F218BCD8

E:\WINDOWS\system32\qmgr.dll
[2010-03-17 14:31] - [2004-08-04 01:56] - 0382464 ____A (Microsoft Corporation) 2C69EC7E5A311334D10DD95F338FCCEA

E:\WINDOWS\system32\es.dll
[2002-06-25 15:37] - [2008-07-07 14:32] - 0253952 ____A (Microsoft Corporation) 60D1A6342238378BFB7545C81EE3606C

E:\WINDOWS\system32\cryptsvc.dll
[2002-06-25 15:37] - [2004-08-04 01:56] - 0060416 ____A (Microsoft Corporation) 10654F9DDCEA9C46CFB77554231BE73B

E:\WINDOWS\system32\svchost.exe
[2002-06-25 15:47] - [2004-08-04 01:56] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

E:\WINDOWS\system32\rpcss.dll
[2002-06-25 15:45] - [2009-02-09 04:20] - 0399360 ____A (Microsoft Corporation) 01095FEBF33BEEA00C2A0730B9B3EC28

E:\WINDOWS\system32\services.exe
[2002-06-25 15:45] - [2009-02-06 11:14] - 0110592 ____A (Microsoft Corporation) 37561F8D4160D62DA86D24AE41FAE8DE


Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x0700000005000000010000000200000003000000040000000600000007000000
IpSec Tag value is correct.

**** End of log ****

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:54 AM

Posted 25 February 2012 - 08:01 PM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Folder::
e:\documents and settings\Henry\Application Data\Rucaufn
e:\documents and settings\Henry\Application Data\Goudnug

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT



Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
  • click OK
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • If TDLFS File System is found then ensure Delete is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 Havl

Havl
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:54 AM

Posted 25 February 2012 - 10:46 PM

OK, here's the new ComboFix log:

ComboFix 12-02-21.01 - Henry 02/25/2012 19:32:45.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.639.379 [GMT -6:00]
Running from: c:\downloads\ComboFix.exe
Command switches used :: e:\documents and settings\Henry\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
e:\documents and settings\Henry\Application Data\Goudnug
e:\documents and settings\Henry\Application Data\Rucaufn
.
.
((((((((((((((((((((((((( Files Created from 2012-01-26 to 2012-02-26 )))))))))))))))))))))))))))))))
.
.
2012-02-25 05:57 . 2012-02-25 05:57 -------- d-----w- E:\TDSSKiller_Quarantine
2012-02-18 22:24 . 2012-02-20 17:37 -------- d-----w- e:\documents and settings\Henry\Application Data\MediaWmplay
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-14 16:49 . 2002-06-25 21:36 187776 ----a-w- e:\windows\system32\drivers\acpi.sys
2011-12-10 21:24 . 2011-12-13 04:50 20464 ----a-w- e:\windows\system32\drivers\mbam.sys
2011-12-02 15:44 . 2010-03-17 13:24 57472 ----a-w- e:\windows\system32\drivers\redbook.sys
2012-02-19 02:00 . 2011-05-30 03:59 134104 ----a-w- e:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-02-24_05.40.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-26 01:31 . 2012-02-26 01:31 16384 e:\windows\temp\Perflib_Perfdata_62c.dat
+ 2012-02-26 01:31 . 2012-02-26 01:31 16384 e:\windows\temp\Perflib_Perfdata_5e8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2011-12-06 02:41 1005712 ----a-r- e:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-12-06 02:41 1005712 ----a-r- e:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2011-12-06 02:41 1005712 ----a-r- e:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="e:\program files\Microsoft Works\WkDetect.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"IntelliPoint"="e:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-11 1468256]
"D-Link Air USB Utility"="e:\program files\D-Link\Air USB Utility\AirCFG.exe" [2003-07-23 2695168]
"nmctxth"="e:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
"Linksys Wireless Manager"="e:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 1358384]
"QuickTime Task"="e:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Microsoft Works Update Detection"="e:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]
"HP Software Update"="e:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"LogitechQuickCamRibbon"="e:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"StartCCC"="e:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-11-10 98304]
"Carbonite Backup"="e:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2011-12-06 1059472]
"TraySantaCruz"="e:\windows\system32\tbctray.exe" [2002-04-17 290816]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- e:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=e:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=e:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=e:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=e:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- e:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 21:08 421160 ----a-w- e:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
2001-08-23 21:52 331830 ----a-w- e:\program files\Microsoft Works\wkssb.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 07:56 1667584 ------w- e:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- e:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
2001-10-06 00:34 24576 ----a-w- e:\program files\Microsoft Works\wkfud.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"Lavasoft Ad-Aware Service"=3 (0x3)
"idsvc"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\REAPER\\reaper.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\F1 Challenge 99-02\\f1 challenge 99-02.exe"=
"e:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"e:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"e:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
"%windir%\explorer.exe"= %windir%\explorer.exe
.
R?2 WZCBDLService;WZCBDL Service;e:\program files\WZCBDL Service\WZCBDLS.exe [3/19/2002 11:15 AM 36864]
R1 SASDIFSV;SASDIFSV;e:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;e:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
R2 NIOC;NIOC Service;e:\windows\system32\NIOC.sys [9/27/2002 5:21 PM 22912]
R3 tbcspud;Santa Cruz Driver;e:\windows\system32\drivers\tbcspud.sys [3/18/2010 3:06 AM 144768]
R3 tbcwdm;Santa Cruz WDM Driver;e:\windows\system32\drivers\tbcwdm.sys [3/18/2010 3:06 AM 545088]
R3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;e:\windows\system32\drivers\WUSB54GCv3.sys [3/1/2011 11:39 AM 627072]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\e:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> e:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 PRISM_USB;D-Link Air Wireless USB Adapter Driver;e:\windows\system32\drivers\PRISMUSB.sys [10/2/2003 2:47 PM 666624]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = my.daemon-search.com
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java - file://e:\windows\Java\classes\xmldso.cab
FF - ProfilePath - e:\documents and settings\Henry\Application Data\Mozilla\Firefox\Profiles\5yo9iwqt.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-25 19:42
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-839522115-1336601894-1801674531-1004\Software\SecuROM\License information*]
"datasecu"=hex:da,6b,52,09,9c,b6,5e,19,b6,46,bf,58,79,ef,9d,ab,90,12,5a,c6,87,
86,9e,d1,de,40,21,35,e3,e1,3a,0c,4c,23,23,5d,bb,86,58,63,41,f2,92,75,8e,27,\
"rkeysecu"=hex:3e,f0,08,2b,ad,d5,08,5e,bc,ef,1d,33,41,94,d8,47
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(652)
e:\program files\SUPERAntiSpyware\SASWINLO.DLL
e:\windows\system32\Ati2evxx.dll
e:\windows\system32\atiadlxx.dll
.
Completion time: 2012-02-25 19:44:57
ComboFix-quarantined-files.txt 2012-02-26 01:44
ComboFix2.txt 2012-02-24 05:43
ComboFix3.txt 2011-12-14 17:19
ComboFix4.txt 2011-06-08 18:23
.
Pre-Run: 108,448,100,352 bytes free
Post-Run: 108,451,090,432 bytes free
.
- - End Of File - - 0E856741627F032145636C30A6887C61

And here's the TDSSKiller log:

21:42:54.0656 3876 TDSS rootkit removing tool 2.7.14.0 Feb 22 2012 16:54:49
21:42:55.0093 3876 ============================================================
21:42:55.0093 3876 Current date / time: 2012/02/25 21:42:55.0093
21:42:55.0093 3876 SystemInfo:
21:42:55.0093 3876
21:42:55.0093 3876 OS Version: 5.1.2600 ServicePack: 2.0
21:42:55.0093 3876 Product type: Workstation
21:42:55.0093 3876 ComputerName: DIMENSION4500
21:42:55.0093 3876 UserName: Henry
21:42:55.0093 3876 Windows directory: E:\WINDOWS
21:42:55.0093 3876 System windows directory: E:\WINDOWS
21:42:55.0093 3876 Processor architecture: Intel x86
21:42:55.0093 3876 Number of processors: 1
21:42:55.0093 3876 Page size: 0x1000
21:42:55.0093 3876 Boot type: Normal boot
21:42:55.0093 3876 ============================================================
21:42:56.0687 3876 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
21:42:56.0703 3876 Drive \Device\Harddisk1\DR1 - Size: 0x2F7B100000 (189.92 Gb), SectorSize: 0x200, Cylinders: 0x60D8, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
21:42:56.0703 3876 \Device\Harddisk0\DR0:
21:42:56.0703 3876 MBR used
21:42:56.0703 3876 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xFFFAC05
21:42:56.0703 3876 \Device\Harddisk1\DR1:
21:42:56.0703 3876 MBR used
21:42:56.0703 3876 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x17BD5299
21:42:56.0750 3876 Initialize success
21:42:56.0750 3876 ============================================================
21:43:29.0093 3852 ============================================================
21:43:29.0093 3852 Scan started
21:43:29.0093 3852 Mode: Manual; TDLFS;
21:43:29.0093 3852 ============================================================
21:43:29.0468 3852 Abiosdsk - ok
21:43:29.0500 3852 abp480n5 - ok
21:43:29.0562 3852 ACPI (a10c7534f7223f4a73a948967d00e69b) E:\WINDOWS\system32\DRIVERS\ACPI.sys
21:43:29.0578 3852 ACPI - ok
21:43:29.0640 3852 ACPIEC (9859c0f6936e723e4892d7141b1327d5) E:\WINDOWS\system32\drivers\ACPIEC.sys
21:43:29.0640 3852 ACPIEC - ok
21:43:29.0671 3852 adpu160m - ok
21:43:29.0734 3852 aec (841f385c6cfaf66b58fbd898722bb4f0) E:\WINDOWS\system32\drivers\aec.sys
21:43:29.0734 3852 aec - ok
21:43:29.0796 3852 AFD (55e6e1c51b6d30e54335750955453702) E:\WINDOWS\System32\drivers\afd.sys
21:43:29.0796 3852 AFD - ok
21:43:29.0859 3852 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) E:\WINDOWS\system32\DRIVERS\agp440.sys
21:43:29.0859 3852 agp440 - ok
21:43:29.0890 3852 Aha154x - ok
21:43:29.0921 3852 aic78u2 - ok
21:43:29.0937 3852 aic78xx - ok
21:43:29.0984 3852 AliIde - ok
21:43:30.0000 3852 amsint - ok
21:43:30.0046 3852 asc - ok
21:43:30.0062 3852 asc3350p - ok
21:43:30.0093 3852 asc3550 - ok
21:43:30.0140 3852 AsyncMac (02000abf34af4c218c35d257024807d6) E:\WINDOWS\system32\DRIVERS\asyncmac.sys
21:43:30.0156 3852 AsyncMac - ok
21:43:30.0187 3852 atapi (cdfe4411a69c224bd1d11b2da92dac51) E:\WINDOWS\system32\DRIVERS\atapi.sys
21:43:30.0187 3852 atapi - ok
21:43:30.0203 3852 Atdisk - ok
21:43:30.0750 3852 ati2mtag (c832bf76f003999d2e91e5115583c69e) E:\WINDOWS\system32\DRIVERS\ati2mtag.sys
21:43:30.0968 3852 ati2mtag - ok
21:43:31.0062 3852 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) E:\WINDOWS\system32\DRIVERS\atmarpc.sys
21:43:31.0078 3852 Atmarpc - ok
21:43:31.0156 3852 audstub (d9f724aa26c010a217c97606b160ed68) E:\WINDOWS\system32\DRIVERS\audstub.sys
21:43:31.0156 3852 audstub - ok
21:43:31.0234 3852 BCMModem (41347688046d49cde0f6d138a534f73d) E:\WINDOWS\system32\DRIVERS\BCMSM.sys
21:43:31.0265 3852 BCMModem - ok
21:43:31.0312 3852 Beep (da1f27d85e0d1525f6621372e7b685e9) E:\WINDOWS\system32\drivers\Beep.sys
21:43:31.0312 3852 Beep - ok
21:43:31.0453 3852 catchme - ok
21:43:31.0515 3852 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) E:\WINDOWS\system32\drivers\cbidf2k.sys
21:43:31.0515 3852 cbidf2k - ok
21:43:31.0562 3852 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) E:\WINDOWS\system32\DRIVERS\CCDECODE.sys
21:43:31.0562 3852 CCDECODE - ok
21:43:31.0593 3852 cd20xrnt - ok
21:43:31.0625 3852 Cdaudio (c1b486a7658353d33a10cc15211a873b) E:\WINDOWS\system32\drivers\Cdaudio.sys
21:43:31.0625 3852 Cdaudio - ok
21:43:31.0687 3852 Cdfs (cd7d5152df32b47f4e36f710b35aae02) E:\WINDOWS\system32\drivers\Cdfs.sys
21:43:31.0687 3852 Cdfs - ok
21:43:31.0750 3852 Cdr4_xp (4dee321b7d830231853bc722d3acfdf8) E:\WINDOWS\system32\drivers\Cdr4_xp.sys
21:43:31.0765 3852 Cdr4_xp - ok
21:43:31.0781 3852 Cdralw2k (18eb04a0dfd3ffae2ab736c3c1dfea34) E:\WINDOWS\system32\drivers\Cdralw2k.sys
21:43:31.0781 3852 Cdralw2k - ok
21:43:31.0812 3852 Cdrom (af9c19b3100fe010496b1a27181fbf72) E:\WINDOWS\system32\DRIVERS\cdrom.sys
21:43:31.0812 3852 Cdrom - ok
21:43:31.0843 3852 cdudf_xp (072070a498d5fad70c3a99a5f0b1331b) E:\WINDOWS\system32\drivers\cdudf_xp.sys
21:43:31.0859 3852 cdudf_xp - ok
21:43:31.0890 3852 Changer - ok
21:43:31.0937 3852 CmdIde - ok
21:43:31.0984 3852 Cpqarray - ok
21:43:32.0015 3852 dac2w2k - ok
21:43:32.0046 3852 dac960nt - ok
21:43:32.0093 3852 Disk (00ca44e4534865f8a3b64f7c0984bff0) E:\WINDOWS\system32\DRIVERS\disk.sys
21:43:32.0093 3852 Disk - ok
21:43:32.0140 3852 DM9102 (51ef6ca3d57055fed6ab99021d562443) E:\WINDOWS\system32\DRIVERS\DM9PCI5.SYS
21:43:32.0156 3852 DM9102 - ok
21:43:32.0203 3852 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) E:\WINDOWS\system32\drivers\dmboot.sys
21:43:32.0234 3852 dmboot - ok
21:43:32.0265 3852 dmio (f5e7b358a732d09f4bcf2824b88b9e28) E:\WINDOWS\system32\drivers\dmio.sys
21:43:32.0265 3852 dmio - ok
21:43:32.0328 3852 dmload (e9317282a63ca4d188c0df5e09c6ac5f) E:\WINDOWS\system32\drivers\dmload.sys
21:43:32.0328 3852 dmload - ok
21:43:32.0375 3852 DMusic (a6f881284ac1150e37d9ae47ff601267) E:\WINDOWS\system32\drivers\DMusic.sys
21:43:32.0375 3852 DMusic - ok
21:43:32.0406 3852 dpti2o - ok
21:43:32.0421 3852 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) E:\WINDOWS\system32\drivers\drmkaud.sys
21:43:32.0437 3852 drmkaud - ok
21:43:32.0468 3852 dvd_2K (a3997baab606caa92f27e07bc4f070f0) E:\WINDOWS\system32\drivers\dvd_2K.sys
21:43:32.0468 3852 dvd_2K - ok
21:43:32.0546 3852 Fastfat (3117f595e9615e04f05a54fc15a03b20) E:\WINDOWS\system32\drivers\Fastfat.sys
21:43:32.0546 3852 Fastfat - ok
21:43:32.0625 3852 Fdc (ced2e8396a8838e59d8fd529c680e02c) E:\WINDOWS\system32\DRIVERS\fdc.sys
21:43:32.0640 3852 Fdc - ok
21:43:32.0703 3852 FilterService (b73ec688c29f81f9da0fcf63682b3ecb) E:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
21:43:32.0718 3852 FilterService - ok
21:43:32.0859 3852 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) E:\WINDOWS\system32\drivers\Fips.sys
21:43:32.0875 3852 Fips - ok
21:43:32.0953 3852 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) E:\WINDOWS\system32\DRIVERS\flpydisk.sys
21:43:32.0953 3852 Flpydisk - ok
21:43:33.0093 3852 FltMgr (157754f0df355a9e0a6f54721914f9c6) E:\WINDOWS\system32\drivers\fltmgr.sys
21:43:33.0093 3852 FltMgr - ok
21:43:33.0125 3852 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) E:\WINDOWS\system32\drivers\Fs_Rec.sys
21:43:33.0125 3852 Fs_Rec - ok
21:43:33.0171 3852 Ftdisk (6ac26732762483366c3969c9e4d2259d) E:\WINDOWS\system32\DRIVERS\ftdisk.sys
21:43:33.0171 3852 Ftdisk - ok
21:43:33.0218 3852 gameenum (5f92fd09e5610a5995da7d775eadcd12) E:\WINDOWS\system32\DRIVERS\gameenum.sys
21:43:33.0218 3852 gameenum - ok
21:43:33.0281 3852 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) E:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
21:43:33.0281 3852 GEARAspiWDM - ok
21:43:33.0328 3852 Gpc (c0f1d4a21de5a415df8170616703debf) E:\WINDOWS\system32\DRIVERS\msgpc.sys
21:43:33.0328 3852 Gpc - ok
21:43:33.0390 3852 hidusb (1de6783b918f540149aa69943bdfeba8) E:\WINDOWS\system32\DRIVERS\hidusb.sys
21:43:33.0390 3852 hidusb - ok
21:43:33.0421 3852 hpn - ok
21:43:33.0437 3852 hpt3xx - ok
21:43:33.0500 3852 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) E:\WINDOWS\system32\DRIVERS\HPZid412.sys
21:43:33.0500 3852 HPZid412 - ok
21:43:33.0531 3852 HPZipr12 (89f41658929393487b6b7d13c8528ce3) E:\WINDOWS\system32\DRIVERS\HPZipr12.sys
21:43:33.0531 3852 HPZipr12 - ok
21:43:33.0593 3852 HPZius12 (abcb05ccdbf03000354b9553820e39f8) E:\WINDOWS\system32\DRIVERS\HPZius12.sys
21:43:33.0593 3852 HPZius12 - ok
21:43:33.0656 3852 HTTP (9f8b0f4276f618964fd118be4289b7cd) E:\WINDOWS\system32\Drivers\HTTP.sys
21:43:33.0671 3852 HTTP - ok
21:43:33.0703 3852 i2omgmt - ok
21:43:33.0718 3852 i2omp - ok
21:43:33.0796 3852 i8042prt (5502b58eef7486ee6f93f3f164dcb808) E:\WINDOWS\system32\DRIVERS\i8042prt.sys
21:43:33.0796 3852 i8042prt - ok
21:43:33.0828 3852 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) E:\WINDOWS\system32\DRIVERS\imapi.sys
21:43:33.0828 3852 Imapi - ok
21:43:33.0875 3852 ini910u - ok
21:43:33.0906 3852 IntelIde - ok
21:43:33.0968 3852 intelppm (279fb78702454dff2bb445f238c048d2) E:\WINDOWS\system32\DRIVERS\intelppm.sys
21:43:33.0968 3852 intelppm - ok
21:43:34.0015 3852 ip6fw (4448006b6bc60e6c027932cfc38d6855) E:\WINDOWS\system32\drivers\ip6fw.sys
21:43:34.0015 3852 ip6fw - ok
21:43:34.0046 3852 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) E:\WINDOWS\system32\DRIVERS\ipinip.sys
21:43:34.0046 3852 IpInIp - ok
21:43:34.0093 3852 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) E:\WINDOWS\system32\DRIVERS\ipnat.sys
21:43:34.0109 3852 IpNat - ok
21:43:34.0171 3852 IPSec (64537aa5c003a6afeee1df819062d0d1) E:\WINDOWS\system32\DRIVERS\ipsec.sys
21:43:34.0171 3852 IPSec - ok
21:43:34.0203 3852 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) E:\WINDOWS\system32\DRIVERS\irenum.sys
21:43:34.0203 3852 IRENUM - ok
21:43:34.0265 3852 isapnp (e504f706ccb699c2596e9a3da1596e87) E:\WINDOWS\system32\DRIVERS\isapnp.sys
21:43:34.0265 3852 isapnp - ok
21:43:34.0296 3852 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) E:\WINDOWS\system32\DRIVERS\kbdclass.sys
21:43:34.0296 3852 Kbdclass - ok
21:43:34.0359 3852 kmixer (d93cad07c5683db066b0b2d2d3790ead) E:\WINDOWS\system32\drivers\kmixer.sys
21:43:34.0359 3852 kmixer - ok
21:43:34.0421 3852 KSecDD (674d3e5a593475915dc6643317192403) E:\WINDOWS\system32\drivers\KSecDD.sys
21:43:34.0421 3852 KSecDD - ok
21:43:34.0453 3852 Lavasoft Kernexplorer - ok
21:43:34.0468 3852 lbrtfdc - ok
21:43:34.0546 3852 LVPr2Mon (1a7db7a00a4b0d8da24cd691a4547291) E:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
21:43:34.0562 3852 LVPr2Mon - ok
21:43:34.0625 3852 LVRS (37072ec9299e825f4335cc554b6fac6a) E:\WINDOWS\system32\DRIVERS\lvrs.sys
21:43:34.0640 3852 LVRS - ok
21:43:34.0703 3852 mmc_2K (e97e3fe03b6f271336cb2fbb24734989) E:\WINDOWS\system32\drivers\mmc_2K.sys
21:43:34.0703 3852 mmc_2K - ok
21:43:34.0765 3852 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) E:\WINDOWS\system32\drivers\mnmdd.sys
21:43:34.0765 3852 mnmdd - ok
21:43:34.0828 3852 Modem (6fc6f9d7acc36dca9b914565a3aeda05) E:\WINDOWS\system32\drivers\Modem.sys
21:43:34.0828 3852 Modem - ok
21:43:34.0875 3852 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) E:\WINDOWS\system32\drivers\MODEMCSA.sys
21:43:34.0875 3852 MODEMCSA - ok
21:43:34.0921 3852 Mouclass (34e1f0031153e491910e12551400192c) E:\WINDOWS\system32\DRIVERS\mouclass.sys
21:43:34.0921 3852 Mouclass - ok
21:43:34.0968 3852 mouhid (b1c303e17fb9d46e87a98e4ba6769685) E:\WINDOWS\system32\DRIVERS\mouhid.sys
21:43:34.0968 3852 mouhid - ok
21:43:35.0062 3852 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) E:\WINDOWS\system32\drivers\MountMgr.sys
21:43:35.0078 3852 MountMgr - ok
21:43:35.0187 3852 mraid35x - ok
21:43:35.0328 3852 MRxDAV (46edcc8f2db2f322c24f48785cb46366) E:\WINDOWS\system32\DRIVERS\mrxdav.sys
21:43:35.0375 3852 MRxDAV - ok
21:43:35.0562 3852 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) E:\WINDOWS\system32\DRIVERS\mrxsmb.sys
21:43:35.0578 3852 MRxSmb - ok
21:43:35.0625 3852 Msfs (561b3a4333ca2dbdba28b5b956822519) E:\WINDOWS\system32\drivers\Msfs.sys
21:43:35.0625 3852 Msfs - ok
21:43:35.0687 3852 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) E:\WINDOWS\system32\drivers\MSKSSRV.sys
21:43:35.0687 3852 MSKSSRV - ok
21:43:35.0734 3852 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) E:\WINDOWS\system32\drivers\MSPCLOCK.sys
21:43:35.0750 3852 MSPCLOCK - ok
21:43:35.0765 3852 MSPQM (1988a33ff19242576c3d0ef9ce785da7) E:\WINDOWS\system32\drivers\MSPQM.sys
21:43:35.0765 3852 MSPQM - ok
21:43:35.0828 3852 mssmbios (469541f8bfd2b32659d5d463a6714bce) E:\WINDOWS\system32\DRIVERS\mssmbios.sys
21:43:35.0828 3852 mssmbios - ok
21:43:35.0875 3852 MSTEE (bf13612142995096ab084f2db7f40f77) E:\WINDOWS\system32\drivers\MSTEE.sys
21:43:35.0875 3852 MSTEE - ok
21:43:35.0906 3852 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) E:\WINDOWS\system32\drivers\Mup.sys
21:43:35.0921 3852 Mup - ok
21:43:35.0968 3852 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) E:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
21:43:35.0968 3852 NABTSFEC - ok
21:43:36.0031 3852 NDIS (558635d3af1c7546d26067d5d9b6959e) E:\WINDOWS\system32\drivers\NDIS.sys
21:43:36.0031 3852 NDIS - ok
21:43:36.0062 3852 NdisIP (520ce427a8b298f54112857bcf6bde15) E:\WINDOWS\system32\DRIVERS\NdisIP.sys
21:43:36.0062 3852 NdisIP - ok
21:43:36.0109 3852 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) E:\WINDOWS\system32\DRIVERS\ndistapi.sys
21:43:36.0109 3852 NdisTapi - ok
21:43:36.0171 3852 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) E:\WINDOWS\system32\DRIVERS\ndisuio.sys
21:43:36.0171 3852 Ndisuio - ok
21:43:36.0203 3852 NdisWan (0b90e255a9490166ab368cd55a529893) E:\WINDOWS\system32\DRIVERS\ndiswan.sys
21:43:36.0203 3852 NdisWan - ok
21:43:36.0234 3852 NDProxy (59fc3fb44d2669bc144fd87826bb571f) E:\WINDOWS\system32\drivers\NDProxy.sys
21:43:36.0234 3852 NDProxy - ok
21:43:36.0265 3852 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) E:\WINDOWS\system32\DRIVERS\netbios.sys
21:43:36.0265 3852 NetBIOS - ok
21:43:36.0296 3852 NetBT (0c80e410cd2f47134407ee7dd19cc86b) E:\WINDOWS\system32\DRIVERS\netbt.sys
21:43:36.0312 3852 NetBT - ok
21:43:36.0406 3852 NIOC (660afb141d2b66d46bbce3d0167e693b) E:\WINDOWS\system32\NIOC.SYS
21:43:36.0406 3852 NIOC - ok
21:43:36.0468 3852 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) E:\WINDOWS\system32\drivers\Npfs.sys
21:43:36.0468 3852 Npfs - ok
21:43:36.0515 3852 Ntfs (b78be402c3f63dd55521f73876951cdd) E:\WINDOWS\system32\drivers\Ntfs.sys
21:43:36.0531 3852 Ntfs - ok
21:43:36.0609 3852 Null (73c1e1f395918bc2c6dd67af7591a3ad) E:\WINDOWS\system32\drivers\Null.sys
21:43:36.0609 3852 Null - ok
21:43:36.0671 3852 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) E:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
21:43:36.0671 3852 NwlnkFlt - ok
21:43:36.0703 3852 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) E:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
21:43:36.0703 3852 NwlnkFwd - ok
21:43:36.0765 3852 Parport (29744eb4ce659dfe3b4122deb45bc478) E:\WINDOWS\system32\DRIVERS\parport.sys
21:43:36.0781 3852 Parport - ok
21:43:36.0843 3852 PartMgr (3334430c29dc338092f79c38ef7b4cd0) E:\WINDOWS\system32\drivers\PartMgr.sys
21:43:36.0843 3852 PartMgr - ok
21:43:36.0875 3852 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) E:\WINDOWS\system32\drivers\ParVdm.sys
21:43:36.0875 3852 ParVdm - ok
21:43:36.0906 3852 PCI (8086d9979234b603ad5bc2f5d890b234) E:\WINDOWS\system32\DRIVERS\pci.sys
21:43:36.0906 3852 PCI - ok
21:43:36.0937 3852 PCIDump - ok
21:43:36.0968 3852 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) E:\WINDOWS\system32\DRIVERS\pciide.sys
21:43:36.0968 3852 PCIIde - ok
21:43:37.0031 3852 Pcmcia (82a087207decec8456fbe8537947d579) E:\WINDOWS\system32\drivers\Pcmcia.sys
21:43:37.0031 3852 Pcmcia - ok
21:43:37.0062 3852 PDCOMP - ok
21:43:37.0078 3852 PDFRAME - ok
21:43:37.0109 3852 PDRELI - ok
21:43:37.0140 3852 PDRFRAME - ok
21:43:37.0156 3852 perc2 - ok
21:43:37.0187 3852 perc2hib - ok
21:43:37.0296 3852 pnarp (ce27fc8bdc54b3ac63d53e2d5f6cc929) E:\WINDOWS\system32\DRIVERS\pnarp.sys
21:43:37.0296 3852 pnarp - ok
21:43:37.0359 3852 Point32 (2e3394c8ebf31a9b4f0a531eb5cc7bc7) E:\WINDOWS\system32\DRIVERS\point32.sys
21:43:37.0359 3852 Point32 - ok
21:43:37.0390 3852 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) E:\WINDOWS\system32\DRIVERS\raspptp.sys
21:43:37.0390 3852 PptpMiniport - ok
21:43:37.0484 3852 PRISM_USB (d3f3b511e2ce1e385c68c9881ad5b867) E:\WINDOWS\system32\DRIVERS\PRISMUSB.sys
21:43:37.0500 3852 PRISM_USB - ok
21:43:37.0546 3852 Processor (0d97d88720a4087ec93af7dbb303b30a) E:\WINDOWS\system32\DRIVERS\processr.sys
21:43:37.0546 3852 Processor - ok
21:43:37.0718 3852 PSched (48671f327553dcf1d27f6197f622a668) E:\WINDOWS\system32\DRIVERS\psched.sys
21:43:37.0734 3852 PSched - ok
21:43:37.0796 3852 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) E:\WINDOWS\system32\DRIVERS\ptilink.sys
21:43:37.0796 3852 Ptilink - ok
21:43:37.0906 3852 purendis (f4fd591e86ecb6b5d000c7d6c987416b) E:\WINDOWS\system32\DRIVERS\purendis.sys
21:43:37.0921 3852 purendis - ok
21:43:38.0000 3852 pwd_2k (070eddd0e4a5be55dd590d8b30dbff22) E:\WINDOWS\system32\drivers\pwd_2k.sys
21:43:38.0000 3852 pwd_2k - ok
21:43:38.0031 3852 ql1080 - ok
21:43:38.0062 3852 Ql10wnt - ok
21:43:38.0078 3852 ql12160 - ok
21:43:38.0109 3852 ql1240 - ok
21:43:38.0125 3852 ql1280 - ok
21:43:38.0187 3852 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) E:\WINDOWS\system32\DRIVERS\rasacd.sys
21:43:38.0187 3852 RasAcd - ok
21:43:38.0250 3852 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) E:\WINDOWS\system32\DRIVERS\rasl2tp.sys
21:43:38.0250 3852 Rasl2tp - ok
21:43:38.0281 3852 RasPppoe (7306eeed8895454cbed4669be9f79faa) E:\WINDOWS\system32\DRIVERS\raspppoe.sys
21:43:38.0281 3852 RasPppoe - ok
21:43:38.0328 3852 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) E:\WINDOWS\system32\DRIVERS\raspti.sys
21:43:38.0328 3852 Raspti - ok
21:43:38.0375 3852 Rdbss (29d66245adba878fff574cd66abd2884) E:\WINDOWS\system32\DRIVERS\rdbss.sys
21:43:38.0375 3852 Rdbss - ok
21:43:38.0406 3852 RDPCDD (4912d5b403614ce99c28420f75353332) E:\WINDOWS\system32\DRIVERS\RDPCDD.sys
21:43:38.0406 3852 RDPCDD - ok
21:43:38.0484 3852 RDPWD (d4f5643d7714ef499ae9527fdcd50894) E:\WINDOWS\system32\drivers\RDPWD.sys
21:43:38.0484 3852 RDPWD - ok
21:43:38.0546 3852 redbook (b31b4588e4086d8d84adbf9845c2402b) E:\WINDOWS\system32\DRIVERS\redbook.sys
21:43:38.0546 3852 redbook - ok
21:43:38.0687 3852 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) E:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
21:43:38.0703 3852 SASDIFSV - ok
21:43:38.0718 3852 SASKUTIL (61db0d0756a99506207fd724e3692b25) E:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
21:43:38.0718 3852 SASKUTIL - ok
21:43:38.0812 3852 Secdrv (ba0d892d2f786bcebdf03b0a252b47f3) E:\WINDOWS\system32\DRIVERS\secdrv.sys
21:43:38.0812 3852 Secdrv - ok
21:43:38.0890 3852 serenum (a2d868aeeff612e70e213c451a70cafb) E:\WINDOWS\system32\DRIVERS\serenum.sys
21:43:38.0890 3852 serenum - ok
21:43:38.0953 3852 Serial (cd9404d115a00d249f70a371b46d5a26) E:\WINDOWS\system32\DRIVERS\serial.sys
21:43:38.0953 3852 Serial - ok
21:43:39.0000 3852 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) E:\WINDOWS\system32\drivers\Sfloppy.sys
21:43:39.0000 3852 Sfloppy - ok
21:43:39.0046 3852 Simbad - ok
21:43:39.0093 3852 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) E:\WINDOWS\system32\DRIVERS\SLIP.sys
21:43:39.0093 3852 SLIP - ok
21:43:39.0125 3852 Sparrow - ok
21:43:39.0187 3852 splitter (8e186b8f23295d1e42c573b82b80d548) E:\WINDOWS\system32\drivers\splitter.sys
21:43:39.0187 3852 splitter - ok
21:43:39.0265 3852 sr (e41b6d037d6cd08461470af04500dc24) E:\WINDOWS\system32\DRIVERS\sr.sys
21:43:39.0265 3852 sr - ok
21:43:39.0328 3852 Srv (7a4f147cc6b133f905f6e65e2f8669fb) E:\WINDOWS\system32\DRIVERS\srv.sys
21:43:39.0328 3852 Srv - ok
21:43:39.0390 3852 streamip (284c57df5dc7abca656bc2b96a667afb) E:\WINDOWS\system32\DRIVERS\StreamIP.sys
21:43:39.0390 3852 streamip - ok
21:43:39.0468 3852 swenum (03c1bae4766e2450219d20b993d6e046) E:\WINDOWS\system32\DRIVERS\swenum.sys
21:43:39.0468 3852 swenum - ok
21:43:39.0531 3852 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) E:\WINDOWS\system32\drivers\swmidi.sys
21:43:39.0531 3852 swmidi - ok
21:43:39.0578 3852 symc810 - ok
21:43:39.0593 3852 symc8xx - ok
21:43:39.0625 3852 sym_hi - ok
21:43:39.0640 3852 sym_u3 - ok
21:43:39.0703 3852 sysaudio (650ad082d46bac0e64c9c0e0928492fd) E:\WINDOWS\system32\drivers\sysaudio.sys
21:43:39.0703 3852 sysaudio - ok
21:43:39.0781 3852 tbcspud (b45259cc19ea0a5b8a407923e03df96c) E:\WINDOWS\system32\drivers\tbcspud.sys
21:43:39.0781 3852 tbcspud - ok
21:43:39.0859 3852 tbcwdm (c7480d4478fa45bc83753e3e0b09cb58) E:\WINDOWS\system32\drivers\tbcwdm.sys
21:43:39.0875 3852 tbcwdm - ok
21:43:39.0953 3852 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) E:\WINDOWS\system32\DRIVERS\tcpip.sys
21:43:40.0031 3852 Tcpip - ok
21:43:40.0171 3852 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) E:\WINDOWS\system32\drivers\TDPIPE.sys
21:43:40.0171 3852 TDPIPE - ok
21:43:40.0265 3852 TDTCP (ed0580af02502d00ad8c4c066b156be9) E:\WINDOWS\system32\drivers\TDTCP.sys
21:43:40.0281 3852 TDTCP - ok
21:43:40.0421 3852 TermDD (a540a99c281d933f3d69d55e48727f47) E:\WINDOWS\system32\DRIVERS\termdd.sys
21:43:40.0421 3852 TermDD - ok
21:43:40.0484 3852 TosIde - ok
21:43:40.0593 3852 UdfReadr_xp (27e66e79fd742c107fdb23280e17d869) E:\WINDOWS\system32\drivers\UdfReadr_xp.sys
21:43:40.0593 3852 UdfReadr_xp - ok
21:43:40.0640 3852 Udfs (12f70256f140cd7d52c58c7048fde657) E:\WINDOWS\system32\drivers\Udfs.sys
21:43:40.0640 3852 Udfs - ok
21:43:40.0671 3852 ultra - ok
21:43:40.0718 3852 Update (aff2e5045961bbc0a602bb6f95eb1345) E:\WINDOWS\system32\DRIVERS\update.sys
21:43:40.0734 3852 Update - ok
21:43:40.0781 3852 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) E:\WINDOWS\system32\Drivers\usbaapl.sys
21:43:40.0781 3852 USBAAPL - ok
21:43:40.0828 3852 usbaudio (45a0d14b26c35497ad93bce7e15c9941) E:\WINDOWS\system32\drivers\usbaudio.sys
21:43:40.0828 3852 usbaudio - ok
21:43:40.0890 3852 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) E:\WINDOWS\system32\DRIVERS\usbccgp.sys
21:43:40.0890 3852 usbccgp - ok
21:43:40.0937 3852 usbhub (c72f40947f92cea56a8fb532edf025f1) E:\WINDOWS\system32\DRIVERS\usbhub.sys
21:43:40.0937 3852 usbhub - ok
21:43:41.0015 3852 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) E:\WINDOWS\system32\DRIVERS\usbprint.sys
21:43:41.0015 3852 usbprint - ok
21:43:41.0093 3852 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) E:\WINDOWS\system32\DRIVERS\usbscan.sys
21:43:41.0093 3852 usbscan - ok
21:43:41.0156 3852 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) E:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:43:41.0156 3852 USBSTOR - ok
21:43:41.0234 3852 usbuhci (f8fd1400092e23c8f2f31406ef06167b) E:\WINDOWS\system32\DRIVERS\usbuhci.sys
21:43:41.0234 3852 usbuhci - ok
21:43:41.0281 3852 usbvideo (8968ff3973a883c49e8b564200f565b9) E:\WINDOWS\system32\Drivers\usbvideo.sys
21:43:41.0281 3852 usbvideo - ok
21:43:41.0328 3852 VgaSave (8a60edd72b4ea5aea8202daf0e427925) E:\WINDOWS\System32\drivers\vga.sys
21:43:41.0343 3852 VgaSave - ok
21:43:41.0359 3852 ViaIde - ok
21:43:41.0406 3852 VolSnap (ee4660083deba849ff6c485d944b379b) E:\WINDOWS\system32\drivers\VolSnap.sys
21:43:41.0406 3852 VolSnap - ok
21:43:41.0500 3852 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) E:\WINDOWS\system32\DRIVERS\wanarp.sys
21:43:41.0500 3852 Wanarp - ok
21:43:41.0531 3852 WDICA - ok
21:43:41.0593 3852 wdmaud (2797f33ebf50466020c430ee4f037933) E:\WINDOWS\system32\drivers\wdmaud.sys
21:43:41.0593 3852 wdmaud - ok
21:43:41.0734 3852 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) E:\WINDOWS\System32\drivers\ws2ifsl.sys
21:43:41.0750 3852 WS2IFSL - ok
21:43:41.0812 3852 WSTCODEC (d5842484f05e12121c511aa93f6439ec) E:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
21:43:41.0812 3852 WSTCODEC - ok
21:43:41.0890 3852 WUSB54GCv3 (326c012c7fe573829871fe9c9e41cf9b) E:\WINDOWS\system32\DRIVERS\WUSB54GCv3.sys
21:43:41.0906 3852 WUSB54GCv3 - ok
21:43:42.0015 3852 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
21:43:42.0265 3852 \Device\Harddisk0\DR0 - ok
21:43:42.0296 3852 MBR (0x1B8) (35c6b2fcde68facbefe0a4a7200bae58) \Device\Harddisk1\DR1
21:43:42.0953 3852 \Device\Harddisk1\DR1 ( TDSS File System ) - warning
21:43:42.0953 3852 \Device\Harddisk1\DR1 - detected TDSS File System (1)
21:43:43.0000 3852 Boot (0x1200) (7de2bdf2ef58815b8f572f67bb10d4e9) \Device\Harddisk0\DR0\Partition0
21:43:43.0000 3852 \Device\Harddisk0\DR0\Partition0 - ok
21:43:43.0046 3852 Boot (0x1200) (e83115383f27c3499be9c20c26f6389e) \Device\Harddisk1\DR1\Partition0
21:43:43.0046 3852 \Device\Harddisk1\DR1\Partition0 - ok
21:43:43.0062 3852 ============================================================
21:43:43.0062 3852 Scan finished
21:43:43.0062 3852 ============================================================
21:43:43.0078 1128 Detected object count: 1
21:43:43.0078 1128 Actual detected object count: 1
21:44:18.0140 1128 \Device\Harddisk1\DR1\TDLFS\phm - copied to quarantine
21:44:18.0218 1128 \Device\Harddisk1\DR1\TDLFS\ph.dll - copied to quarantine
21:44:18.0234 1128 \Device\Harddisk1\DR1\TDLFS\phx.dll - copied to quarantine
21:44:18.0328 1128 \Device\Harddisk1\DR1\TDLFS\phd - copied to quarantine
21:44:18.0421 1128 \Device\Harddisk1\DR1\TDLFS\phdx - copied to quarantine
21:44:18.0437 1128 \Device\Harddisk1\DR1\TDLFS\phs - copied to quarantine
21:44:18.0453 1128 \Device\Harddisk1\DR1\TDLFS\phdata - copied to quarantine
21:44:19.0031 1128 \Device\Harddisk1\DR1\TDLFS\phld - copied to quarantine
21:44:19.0281 1128 \Device\Harddisk1\DR1\TDLFS\phln - copied to quarantine
21:44:19.0312 1128 \Device\Harddisk1\DR1\TDLFS\phlx - copied to quarantine
21:44:19.0312 1128 \Device\Harddisk1\DR1\TDLFS - deleted
21:44:19.0343 1128 \Device\Harddisk1\DR1 ( TDSS File System ) - User select action: Delete

#6 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 25 February 2012 - 10:53 PM

Hi

Please do the following:

  • Please open your Malwarebytes Anti-Malware program
  • Click the Update tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 Havl
  • Topic Starter
  • Members
  • 18 posts

Posted 26 February 2012 - 03:26 AM

OK, here's the Malwarebytes log:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.25.06

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 6.0.2900.2180
Henry :: DIMENSION4500 [administrator]

2/25/2012 10:13:00 PM
mbam-log-2012-02-25 (22-13-00).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 188368
Time elapsed: 3 minute(s), 44 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

And here's the ESET log:

E:\Documents and Settings\Henry\Application Data\MediaWmplay\FlashPlugin\FlashUtil181_ActiveX.exe a variant of Win32/Clemag.NAD trojan
E:\Qoobox\Quarantine\E\Documents and Settings\All Users\Application Data\3CvHZjcTjm8G6p.exe.vir a variant of Win32/Kryptik.WKH trojan
E:\System Volume Information\_restore{DB837301-7822-451C-A0A9-63D984994C9F}\RP578\A0077440.exe a variant of Win32/Kryptik.WKH trojan
E:\System Volume Information\_restore{DB837301-7822-451C-A0A9-63D984994C9F}\RP578\A0078892.sys a variant of Win32/Kryptik.ZBN trojan
E:\System Volume Information\_restore{DB837301-7822-451C-A0A9-63D984994C9F}\RP578\A0078923.sys a variant of Win32/Kryptik.ZBN trojan
E:\System Volume Information\_restore{DB837301-7822-451C-A0A9-63D984994C9F}\RP578\A0079923.sys a variant of Win32/Kryptik.ZBN trojan
E:\System Volume Information\_restore{DB837301-7822-451C-A0A9-63D984994C9F}\RP578\A0080170.sys a variant of Win32/Kryptik.ZBN trojan
E:\System Volume Information\_restore{DB837301-7822-451C-A0A9-63D984994C9F}\RP578\A0087048.exe a variant of Win32/Kryptik.ABDX trojan
E:\TDSSKiller_Quarantine\24.02.2012_23.56.35\mbr0000\tdlfs0000\tsk0001.dta Win32/Olmarik.AWO trojan
E:\TDSSKiller_Quarantine\24.02.2012_23.56.35\mbr0000\tdlfs0000\tsk0002.dta Win64/Olmarik.AD trojan
E:\TDSSKiller_Quarantine\24.02.2012_23.56.35\mbr0000\tdlfs0000\tsk0003.dta a variant of Win32/Rootkit.Kryptik.JG trojan
E:\TDSSKiller_Quarantine\24.02.2012_23.56.35\mbr0000\tdlfs0000\tsk0004.dta Win64/Olmarik.AC trojan
E:\TDSSKiller_Quarantine\24.02.2012_23.56.35\mbr0000\tdlfs0000\tsk0008.dta Win32/Olmarik.AWO trojan
E:\TDSSKiller_Quarantine\24.02.2012_23.56.35\mbr0000\tdlfs0000\tsk0009.dta Win64/Olmarik.X trojan
E:\TDSSKiller_Quarantine\25.02.2012_21.42.55\tdlfs0000\tsk0001.dta Win32/Olmarik.AWO trojan
E:\TDSSKiller_Quarantine\25.02.2012_21.42.55\tdlfs0000\tsk0002.dta Win64/Olmarik.AD trojan
E:\TDSSKiller_Quarantine\25.02.2012_21.42.55\tdlfs0000\tsk0003.dta a variant of Win32/Rootkit.Kryptik.JG trojan
E:\TDSSKiller_Quarantine\25.02.2012_21.42.55\tdlfs0000\tsk0004.dta Win64/Olmarik.AC trojan
E:\TDSSKiller_Quarantine\25.02.2012_21.42.55\tdlfs0000\tsk0008.dta Win32/Olmarik.AWO trojan
E:\TDSSKiller_Quarantine\25.02.2012_21.42.55\tdlfs0000\tsk0009.dta Win64/Olmarik.X trojan

#8 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 26 February 2012 - 09:53 AM

Hi

Please do the following:

Your Java is out of date.
Java™ 6 Update 16 can be updated from the Java control panel: Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; follow the prompts.


Clear Java cache

Go into the Control Panel and double-click the Java icon (looks like a coffee cup). If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache. Leave BOTH checked:
    • Applications and Applets
    • Trace and Log Files
  • Click OK on the Delete Temporary Files window.
    Note: This deletes ALL the downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files window.
  • Click OK to leave the Java Control Panel.


NEXT

Please post a fresh DDS Log and advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 Havl
  • Topic Starter
  • Members
  • 18 posts

Posted 26 February 2012 - 10:30 AM

I'm still unable to connect to Google. I get the message "the connection has timed out," but other websites are loading as normal. Here's the new DDS log:

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_31
Run by Henry at 9:24:26 on 2012-02-26
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.639.103 [GMT -6:00]
.
.
============== Running Processes ===============
.
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\spoolsv.exe
svchost.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
E:\WINDOWS\System32\svchost.exe -k HPZ12
E:\WINDOWS\System32\svchost.exe -k HPZ12
E:\WINDOWS\System32\svchost.exe -k imgsvc
E:\Program Files\WZCBDL Service\WZCBDLS.exe
E:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\BCMSMMSG.exe
E:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\Program Files\D-Link\Air USB Utility\AirCFG.exe
E:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
E:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
E:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
E:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
E:\WINDOWS\system32\tbctray.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Mozilla Firefox\plugin-container.exe
E:\WINDOWS\system32\msiexec.exe
E:\Program Files\Java\jre6\bin\jqs.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = my.daemon-search.com
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - e:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - e:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [Microsoft Works Update Detection] e:\program files\microsoft works\WkDetect.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [IntelliPoint] "e:\program files\microsoft intellipoint\ipoint.exe"
mRun: [D-Link Air USB Utility] e:\program files\d-link\air usb utility\AirCFG.exe
mRun: [nmctxth] "e:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [Linksys Wireless Manager] "e:\program files\linksys\linksys wireless manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
mRun: [QuickTime Task] "e:\program files\quicktime\qttask.exe" -atboottime
mRun: [Microsoft Works Update Detection] e:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [HP Software Update] e:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [LogitechQuickCamRibbon] "e:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [StartCCC] "e:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Carbonite Backup] e:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [TraySantaCruz] e:\windows\system32\tbctray.exe
mRun: [SunJavaUpdateSched] "e:\program files\common files\java\java update\jusched.exe"
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://e:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1268885209821
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{E11F2F2D-A313-4032-8B8C-53252003361F} : DhcpNameServer = 192.168.1.254
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - e:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - e:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: !SASWinLogon - e:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - e:\program files\superantispyware\SASSEH.DLL
Hosts: 94.63.240.135 www.google.com
Hosts: 94.63.240.136 www.bing.com
.
================= FIREFOX ===================
.
FF - ProfilePath - e:\documents and settings\henry\application data\mozilla\firefox\profiles\5yo9iwqt.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: e:\documents and settings\henry\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: e:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;e:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;e:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 NIOC;NIOC Service;e:\windows\system32\NIOC.sys [2002-9-27 22912]
R2 WZCBDLService;WZCBDL Service;e:\program files\wzcbdl service\WZCBDLS.exe [2002-3-19 36864]
R3 tbcspud;Santa Cruz Driver;e:\windows\system32\drivers\tbcspud.sys [2010-3-18 144768]
R3 tbcwdm;Santa Cruz WDM Driver;e:\windows\system32\drivers\tbcwdm.sys [2010-3-18 545088]
R3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;e:\windows\system32\drivers\WUSB54GCv3.sys [2011-3-1 627072]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\e:\program files\lavasoft\ad-aware\kernexplorer.sys --> e:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 PRISM_USB;D-Link Air Wireless USB Adapter Driver;e:\windows\system32\drivers\PRISMUSB.sys [2003-10-2 666624]
.
=============== Created Last 30 ================
.
2012-02-26 15:22:20 73728 ----a-w- e:\windows\system32\javacpl.cpl
2012-02-26 15:22:20 476904 ----a-w- e:\program files\mozilla firefox\plugins\npdeployJava1.dll
2012-02-26 15:22:20 472808 ----a-w- e:\windows\system32\deployJava1.dll
2012-02-25 05:57:01 -------- d-----w- E:\TDSSKiller_Quarantine
2012-02-24 05:18:34 98816 ----a-w- e:\windows\sed.exe
2012-02-24 05:18:34 518144 ----a-w- e:\windows\SWREG.exe
2012-02-24 05:18:34 256000 ----a-w- e:\windows\PEV.exe
2012-02-24 05:18:34 208896 ----a-w- e:\windows\MBR.exe
2012-02-18 22:24:55 -------- d-----w- e:\documents and settings\henry\application data\MediaWmplay
.
==================== Find3M ====================
.
2011-12-14 16:49:27 187776 ----a-w- e:\windows\system32\drivers\acpi.sys
2011-12-10 21:24:06 20464 ----a-w- e:\windows\system32\drivers\mbam.sys
2011-12-02 15:44:17 57472 ----a-w- e:\windows\system32\drivers\redbook.sys
.
============= FINISH: 9:25:08.96 ===============

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:54 AM

Posted 26 February 2012 - 10:44 AM

Hi

Please run the following:


Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    %systemroot%\*. /rp /s
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
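Both the DDS log above and the OTL log that follows report hosts-file lines that send www.google.com and www.bing.com to 94.63.240.135 and 94.63.240.136, which is exactly the kind of entry that makes search sites unreachable while other Google subdomains keep working. The script below is an added illustration, not code from this thread, from DDS or from OTL: it parses hosts-file text and flags watched domains mapped to anything other than a loopback, private or link-local address. The watch list and the sample hosts text are constructed for the example (the two google/bing lines copy what the logs show).

```python
"""
Flag hijacked entries in a Windows-style hosts file.

Added example for this thread (not the tools' own code). Given hosts-file
text, it reports any well-known domain that has been mapped to an address
outside loopback/private/link-local space, which is how the redirection
seen in the DDS and OTL logs would show up.
"""
import ipaddress

# Constructed watch list of domains a legitimate hosts file should never
# redirect; extend it for your own environment.
WATCHED_DOMAINS = {
    "www.google.com", "google.com",
    "www.bing.com", "bing.com",
    "update.microsoft.com", "www.malwarebytes.org",
}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                    # an IP with no hostnames
            continue
        ip, names = parts[0], parts[1:]
        for name in names:                    # one IP may list several names
            yield ip, name.lower()


def is_local(ip_text):
    """True for loopback (127.0.0.1, ::1), private and link-local addresses."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:                        # malformed address: not local
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local


def find_hijacks(text):
    """Return [(hostname, ip), ...] for watched domains pointed off-host."""
    hits = []
    for ip, name in parse_hosts(text):
        if name in WATCHED_DOMAINS and not is_local(ip):
            hits.append((name, ip))
    return hits


# Constructed sample; the google/bing lines mirror the entries in the logs.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
94.63.240.135 www.google.com
94.63.240.136 www.bing.com
127.0.0.1 ad.doubleclick.net   # ad-blocking style entry, harmless
::1 localhost
"""

if __name__ == "__main__":
    for host, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"hosts file redirects {host} -> {ip}")
```

On an XP machine the file to feed this is %SystemRoot%\system32\drivers\etc\hosts (the OTL log lists it with the RH attributes, so it is read-only and hidden); a hosts entry that points a watched domain at a loopback address, as ad-blocking lists do, is deliberately not flagged.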


#11 Havl

Havl
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Male
  • Local time:09:54 AM

Posted 26 February 2012 - 10:55 AM

Here's the OTL.txt file:

OTL logfile created on: 2/26/2012 9:48:26 AM - Run 1
OTL by OldTimer - Version 3.2.33.2 Folder = E:\Documents and Settings\Henry\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

638.80 Mb Total Physical Memory | 131.80 Mb Available Physical Memory | 20.63% Memory free
1.53 Gb Paging File | 1.14 Gb Available in Paging File | 75.04% Paging File free
Paging file location(s): E:\pagefile.sys 960 1920 [binary data]

%SystemDrive% = E: | %SystemRoot% = E:\WINDOWS | %ProgramFiles% = E:\Program Files
Drive C: | 189.92 Gb Total Space | 24.45 Gb Free Space | 12.87% Space Free | Partition Type: NTFS
Drive D: | 634.94 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 127.99 Gb Total Space | 101.82 Gb Free Space | 79.56% Space Free | Partition Type: NTFS

Computer Name: DIMENSION4500 | User Name: Henry | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/26 09:47:19 | 000,583,680 | ---- | M] (OldTimer Tools) -- E:\Documents and Settings\Henry\Desktop\OTL.exe
PRC - [2011/12/05 20:41:32 | 004,426,384 | R--- | M] (Carbonite, Inc. (www.carbonite.com)) -- E:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe
PRC - [2011/12/05 20:41:32 | 001,059,472 | R--- | M] (Carbonite, Inc.) -- E:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
PRC - [2009/02/16 03:44:55 | 001,358,384 | R--- | M] (Linksys, LLC) -- E:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
PRC - [2008/12/12 18:06:40 | 000,642,856 | ---- | M] (Cisco Systems, Inc.) -- E:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
PRC - [2008/12/12 18:06:40 | 000,642,856 | ---- | M] (Cisco Systems, Inc.) -- E:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
PRC - [2004/08/04 01:56:49 | 001,032,192 | ---- | M] (Microsoft Corporation) -- E:\WINDOWS\explorer.exe
PRC - [2003/07/23 07:21:22 | 002,695,168 | ---- | M] (D-Link) -- E:\Program Files\D-Link\Air USB Utility\AirCFG.exe
PRC - [2002/04/17 14:51:08 | 000,290,816 | ---- | M] (Voyetra Turtle Beach, Inc.) -- E:\WINDOWS\system32\tbctray.exe
PRC - [2002/03/19 11:15:46 | 000,036,864 | ---- | M] (D-Link) -- E:\Program Files\WZCBDL Service\WZCBDLS.exe


========== Modules (No Company Name) ==========

MOD - [2010/03/15 10:28:22 | 000,141,824 | ---- | M] () -- E:\Program Files\WinRAR\RarExt.dll
MOD - [2008/12/12 18:11:26 | 000,148,480 | ---- | M] () -- E:\Program Files\Common Files\Pure Networks Shared\Platform\CAntiVirusCOM.dll
MOD - [2008/12/12 18:11:26 | 000,097,280 | ---- | M] () -- E:\Program Files\Common Files\Pure Networks Shared\Platform\CFirewallCOM.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (wuauserv)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/12/05 20:41:32 | 004,426,384 | R--- | M] (Carbonite, Inc. (www.carbonite.com)) [Auto | Running] -- E:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe -- (CarboniteService)
SRV - [2009/10/07 00:47:34 | 000,154,136 | ---- | M] (Logitech Inc.) [Disabled | Stopped] -- E:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2008/12/12 18:06:40 | 000,642,856 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- E:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe -- (nmservice)
SRV - [2002/03/19 11:15:46 | 000,036,864 | ---- | M] (D-Link) [Auto | Start_Pending] -- E:\Program Files\WZCBDL Service\WZCBDLS.exe -- (WZCBDLService)


========== Driver Services (SafeList) ==========

DRV - [2011/11/09 21:42:12 | 007,493,120 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2010/05/10 12:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- E:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/03/17 21:35:44 | 000,059,440 | ---- | M] (Roxio) [Kernel | System | Running] -- E:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2010/03/17 21:35:44 | 000,023,724 | ---- | M] (Roxio) [Kernel | System | Running] -- E:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2010/02/17 12:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- E:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/10/07 02:49:50 | 000,023,832 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\lvuvcflt.sys -- (FilterService)
DRV - [2009/10/07 02:47:54 | 000,266,008 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS)
DRV - [2009/10/07 00:46:36 | 000,025,752 | ---- | M] () [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2008/12/12 18:05:20 | 000,025,264 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- E:\WINDOWS\system32\drivers\purendis.sys -- (purendis)
DRV - [2008/12/12 18:05:18 | 000,023,984 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- E:\WINDOWS\system32\drivers\pnarp.sys -- (pnarp)
DRV - [2008/12/04 07:17:15 | 000,627,072 | R--- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\WUSB54GCv3.sys -- (WUSB54GCv3)
DRV - [2004/08/04 00:08:22 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2003/10/02 14:47:14 | 000,666,624 | ---- | M] (GlobespanVirata, Inc.) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\PRISMUSB.sys -- (PRISM_USB)
DRV - [2003/08/29 04:59:24 | 001,101,696 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\BCMSM.sys -- (BCMModem)
DRV - [2002/09/27 17:21:26 | 000,022,912 | ---- | M] (D-Link Corporation) [Kernel | Auto | Running] -- E:\WINDOWS\system32\NIOC.sys -- (NIOC)
DRV - [2002/04/17 14:51:08 | 000,545,088 | ---- | M] (Voyetra Turtle Beach) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\tbcwdm.sys -- (tbcwdm)
DRV - [2002/04/17 14:51:08 | 000,144,768 | ---- | M] (Voyetra Turtle Beach) [Kernel | On_Demand | Running] -- E:\WINDOWS\system32\drivers\tbcspud.sys -- (tbcspud)
DRV - [2002/04/10 17:01:12 | 000,024,554 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2002/04/10 17:01:00 | 000,029,638 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- E:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2002/04/10 17:00:44 | 000,117,898 | ---- | M] (Roxio) [Kernel | System | Running] -- E:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2k)
DRV - [2002/04/10 16:48:04 | 000,236,032 | ---- | M] (Roxio) [File_System | System | Running] -- E:\WINDOWS\System32\drivers\cdudf_xp.sys -- (cdudf_xp)
DRV - [2002/04/10 16:45:16 | 000,206,336 | ---- | M] (Roxio) [File_System | System | Running] -- E:\WINDOWS\System32\drivers\udfreadr_xp.sys -- (UdfReadr_xp)
DRV - [2001/08/17 06:11:42 | 000,029,696 | ---- | M] (CNet Technology, Inc. ) [Kernel | On_Demand | Stopped] -- E:\WINDOWS\system32\drivers\DM9PCI5.SYS -- (DM9102) DAVICOM 9102(A)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-839522115-1336601894-1801674531-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = my.daemon-search.com
IE - HKU\S-1-5-21-839522115-1336601894-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-839522115-1336601894-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: E:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: E:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: E:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: e:\Program Files\Microsoft Silverlight\4.0.60310.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: e:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1: E:\Program Files\Yahoo!\Common\npyaxmpb.dll File not found
FF - HKCU\Software\MozillaPlugins\@facebook.com/FBPlugin,version=1.0.3: E:\Documents and Settings\Henry\Application Data\Facebook\npfbplugin_1_0_3.dll ( )

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Components: E:\Program Files\Mozilla Firefox\components [2012/02/18 20:00:55 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Plugins: E:\Program Files\Mozilla Firefox\plugins [2012/02/26 09:22:20 | 000,000,000 | ---D | M]

[2010/03/18 09:46:18 | 000,000,000 | ---D | M] (No name found) -- E:\Documents and Settings\Henry\Application Data\Mozilla\Extensions
[2011/05/28 07:53:26 | 000,000,000 | ---D | M] (No name found) -- E:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\5yo9iwqt.default\extensions
[2010/07/22 08:19:31 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- E:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\5yo9iwqt.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/02/26 09:22:21 | 000,000,000 | ---D | M] (No name found) -- E:\Program Files\Mozilla Firefox\extensions
[2012/02/26 09:22:22 | 000,000,000 | ---D | M] (Java Console) -- E:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
[2012/02/26 09:22:02 | 000,000,000 | ---D | M] (Java Quick Starter) -- E:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2012/02/18 20:00:55 | 000,134,104 | ---- | M] (Mozilla Foundation) -- E:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/02/26 09:22:01 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- E:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012/01/29 07:36:35 | 000,002,252 | ---- | M] () -- E:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/01/29 07:36:35 | 000,002,040 | ---- | M] () -- E:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/02/20 05:52:36 | 000,000,884 | RH-- | M]) - E:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 94.63.240.135 www.google.com
O1 - Hosts: 94.63.240.136 www.bing.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKU\S-1-5-21-839522115-1336601894-1801674531-1004\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
O3 - HKU\S-1-5-21-839522115-1336601894-1801674531-1004\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [Carbonite Backup] E:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)
O4 - HKLM..\Run: [D-Link Air USB Utility] E:\Program Files\D-Link\Air USB Utility\AirCFG.exe (D-Link)
O4 - HKLM..\Run: [Linksys Wireless Manager] E:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe (Linksys, LLC)
O4 - HKLM..\Run: [LogitechQuickCamRibbon] E:\Program Files\Logitech\Logitech WebCam Software\LWS.exe ()
O4 - HKLM..\Run: [nmctxth] E:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe (Cisco Systems, Inc.)
O4 - HKLM..\Run: [StartCCC] E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [TraySantaCruz] E:\WINDOWS\system32\tbctray.exe (Voyetra Turtle Beach, Inc.)
O4 - HKU\S-1-5-21-839522115-1336601894-1801674531-1004..\Run: [Microsoft Works Update Detection] E:\Program Files\Microsoft Works\WkDetect.exe File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-839522115-1336601894-1801674531-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-839522115-1336601894-1801674531-1004\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-839522115-1336601894-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-839522115-1336601894-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-839522115-1336601894-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - E:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-839522115-1336601894-1801674531-1004\..Trusted Domains: localhost ([]* in Local intranet)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1268885209821 (WUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: Microsoft XML Parser for Java file://E:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E11F2F2D-A313-4032-8B8C-53252003361F}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - E:\Program Files\Common Files\Pure Networks Shared\Platform\puresp4.dll (Cisco Systems, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - E:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (E:\WINDOWS\system32\userinit.exe) - E:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (E:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - E:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - E:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: E:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: E:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - E:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/03/17 14:33:02 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/08/23 15:42:40 | 000,000,062 | R--- | M] () - D:\AUTORUN.INF -- [ CDFS ]
O32 - AutoRun File - [2001/08/09 17:50:30 | 000,253,952 | R--- | M] () - D:\AutoRun.exe -- [ CDFS ]
O32 - AutoRun File - [2001/08/23 15:50:16 | 000,000,000 | R--D | M] - D:\autorun -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKU\S-1-5-21-839522115-1336601894-1801674531-1004..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: wuauserv - File not found

CREATERESTOREPOINT
Error creating restore point.

========== Files/Folders - Created Within 30 Days ==========

[2012/02/26 09:47:21 | 000,583,680 | ---- | C] (OldTimer Tools) -- E:\Documents and Settings\Henry\Desktop\OTL.exe
[2012/02/26 09:22:38 | 000,000,000 | ---D | C] -- E:\Documents and Settings\All Users\Application Data\Sun
[2012/02/26 09:22:37 | 000,000,000 | ---D | C] -- E:\Program Files\Common Files\Java
[2012/02/24 23:57:01 | 000,000,000 | ---D | C] -- E:\TDSSKiller_Quarantine
[2012/02/23 23:18:34 | 000,518,144 | ---- | C] (SteelWerX) -- E:\WINDOWS\SWREG.exe
[2012/02/23 23:18:34 | 000,406,528 | ---- | C] (SteelWerX) -- E:\WINDOWS\SWSC.exe
[2012/02/23 23:18:34 | 000,212,480 | ---- | C] (SteelWerX) -- E:\WINDOWS\SWXCACLS.exe
[2012/02/23 23:18:34 | 000,060,416 | ---- | C] (NirSoft) -- E:\WINDOWS\NIRCMD.exe
[2012/02/18 16:24:55 | 000,000,000 | ---D | C] -- E:\Documents and Settings\Henry\Application Data\MediaWmplay

========== Files - Modified Within 30 Days ==========

[2012/02/26 09:47:19 | 000,583,680 | ---- | M] (OldTimer Tools) -- E:\Documents and Settings\Henry\Desktop\OTL.exe
[2012/02/26 08:45:21 | 000,002,048 | --S- | M] () -- E:\WINDOWS\bootstat.dat
[2012/02/25 19:23:31 | 000,000,475 | ---- | M] () -- E:\Documents and Settings\Henry\Desktop\Shortcut to ComboFix.lnk
[2012/02/18 20:43:33 | 000,000,784 | ---- | M] () -- E:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/18 16:16:53 | 000,002,206 | ---- | M] () -- E:\WINDOWS\System32\wpa.dbl
[2012/02/13 20:38:37 | 000,024,391 | ---- | M] () -- E:\Documents and Settings\Henry\Desktop\Katie-Homes-Bob-fb-44939204.jpg
[2012/02/09 09:23:50 | 000,251,088 | ---- | M] () -- E:\WINDOWS\System32\FNTCACHE.DAT
[2012/02/08 14:35:10 | 000,054,196 | -H-- | M] () -- E:\WINDOWS\System32\mlfcache.dat
[2012/01/31 13:03:57 | 000,000,724 | ---- | M] () -- E:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk

========== Files Created - No Company Name ==========

[2012/02/25 19:23:31 | 000,000,475 | ---- | C] () -- E:\Documents and Settings\Henry\Desktop\Shortcut to ComboFix.lnk
[2012/02/23 23:18:34 | 000,256,000 | ---- | C] () -- E:\WINDOWS\PEV.exe
[2012/02/23 23:18:34 | 000,208,896 | ---- | C] () -- E:\WINDOWS\MBR.exe
[2012/02/23 23:18:34 | 000,098,816 | ---- | C] () -- E:\WINDOWS\sed.exe
[2012/02/23 23:18:34 | 000,080,412 | ---- | C] () -- E:\WINDOWS\grep.exe
[2012/02/23 23:18:34 | 000,068,096 | ---- | C] () -- E:\WINDOWS\zip.exe
[2012/02/18 20:43:33 | 000,000,784 | ---- | C] () -- E:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/13 20:38:36 | 000,024,391 | ---- | C] () -- E:\Documents and Settings\Henry\Desktop\Katie-Homes-Bob-fb-44939204.jpg
[2012/01/31 13:03:57 | 000,000,724 | ---- | C] () -- E:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/12/14 12:18:00 | 000,000,664 | ---- | C] () -- E:\WINDOWS\System32\d3d9caps.dat
[2011/12/12 13:34:00 | 000,001,550 | -HS- | C] () -- E:\Documents and Settings\Henry\Local Settings\Application Data\qvyscj4q0jdt0spj1als1i672e0y
[2011/12/12 13:34:00 | 000,001,550 | -HS- | C] () -- E:\Documents and Settings\All Users\Application Data\qvyscj4q0jdt0spj1als1i672e0y
[2011/12/02 00:32:38 | 000,000,344 | ---- | C] () -- E:\Documents and Settings\All Users\Application Data\3CvHZjcTjm8G6p
[2011/11/09 22:39:44 | 000,059,904 | ---- | C] () -- E:\WINDOWS\System32\OpenVideo.dll
[2011/11/09 22:39:32 | 000,054,784 | ---- | C] () -- E:\WINDOWS\System32\OVDecode.dll
[2011/09/14 09:57:30 | 000,136,562 | ---- | C] () -- E:\WINDOWS\hphins33.dat
[2011/09/14 09:57:30 | 000,000,512 | ---- | C] () -- E:\WINDOWS\hphmdl33.dat
[2011/08/18 20:24:56 | 000,015,062 | -HS- | C] () -- E:\Documents and Settings\Henry\Local Settings\Application Data\lm0cx02atc43832aq1p34v2o514n5p724071y0c8m1qpx
[2011/08/18 20:24:56 | 000,015,062 | -HS- | C] () -- E:\Documents and Settings\All Users\Application Data\lm0cx02atc43832aq1p34v2o514n5p724071y0c8m1qpx
[2011/08/08 12:59:59 | 000,000,049 | ---- | C] () -- E:\Documents and Settings\Henry\Application Data\quidditch3d.cfg
[2011/07/05 12:50:23 | 000,136,083 | ---- | C] () -- E:\WINDOWS\hphins33.dat.temp
[2011/07/05 12:50:23 | 000,000,512 | ---- | C] () -- E:\WINDOWS\hphmdl33.dat.temp
[2011/06/04 22:48:19 | 000,000,064 | ---- | C] () -- E:\WINDOWS\System32\rp_stats.dat
[2011/06/04 22:48:19 | 000,000,044 | ---- | C] () -- E:\WINDOWS\System32\rp_rules.dat
[2011/05/28 07:49:20 | 000,000,136 | ---- | C] () -- E:\Documents and Settings\All Users\Application Data\~14475044r
[2011/05/28 07:49:19 | 000,000,104 | ---- | C] () -- E:\Documents and Settings\All Users\Application Data\~14475044
[2011/05/28 07:48:51 | 000,000,344 | ---- | C] () -- E:\Documents and Settings\All Users\Application Data\14475044
[2011/03/01 11:39:49 | 000,015,312 | R--- | C] () -- E:\WINDOWS\System32\RaCoInst.dat
[2010/11/04 23:05:53 | 000,040,960 | ---- | C] () -- E:\Documents and Settings\Henry\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/11/03 12:12:30 | 000,082,289 | ---- | C] () -- E:\WINDOWS\System32\lvcoinst.ini
[2010/06/12 02:14:11 | 000,005,093 | ---- | C] () -- E:\WINDOWS\cdplayer.ini
[2010/05/26 21:29:55 | 000,054,196 | -H-- | C] () -- E:\WINDOWS\System32\mlfcache.dat
[2010/05/08 16:56:07 | 000,000,462 | ---- | C] () -- E:\WINDOWS\EAGRAPH.INI
[2010/03/20 01:45:42 | 000,000,260 | ---- | C] () -- E:\WINDOWS\_delis32.ini
[2010/03/20 01:45:41 | 000,001,071 | ---- | C] () -- E:\WINDOWS\_isenv31.ini
[2010/03/18 09:46:15 | 000,000,000 | ---- | C] () -- E:\WINDOWS\nsreg.dat
[2010/03/18 03:06:36 | 000,000,012 | ---- | C] () -- E:\WINDOWS\WinInit.INI
[2010/03/17 23:56:36 | 000,887,724 | ---- | C] () -- E:\WINDOWS\System32\ativva6x.dat
[2010/03/17 23:56:36 | 000,243,168 | ---- | C] () -- E:\WINDOWS\System32\atiicdxx.dat
[2010/03/17 23:56:36 | 000,000,003 | ---- | C] () -- E:\WINDOWS\System32\ativva5x.dat
[2010/03/17 23:34:40 | 000,000,000 | ---- | C] () -- E:\WINDOWS\ativpsrm.bin
[2010/03/17 22:22:56 | 000,004,569 | ---- | C] () -- E:\WINDOWS\System32\secupd.dat
[2010/03/17 21:43:12 | 000,000,376 | ---- | C] () -- E:\WINDOWS\ODBC.INI
[2010/03/17 21:35:44 | 000,053,248 | ---- | C] () -- E:\WINDOWS\uneng.exe
[2010/03/17 14:37:52 | 000,006,550 | ---- | C] () -- E:\WINDOWS\jautoexp.dat
[2010/03/17 14:35:45 | 000,002,048 | --S- | C] () -- E:\WINDOWS\bootstat.dat
[2010/03/17 14:30:44 | 000,021,640 | ---- | C] () -- E:\WINDOWS\System32\emptyregdb.dat
[2010/03/17 07:22:59 | 000,004,161 | ---- | C] () -- E:\WINDOWS\ODBCINST.INI
[2010/03/17 07:22:09 | 000,251,088 | ---- | C] () -- E:\WINDOWS\System32\FNTCACHE.DAT

========== LOP Check ==========

[2012/01/15 22:26:50 | 000,000,000 | ---D | M] -- E:\Documents and Settings\All Users\Application Data\Carbonite
[2011/05/30 01:09:19 | 000,000,000 | ---D | M] -- E:\Documents and Settings\All Users\Application Data\cFgAcDbDeMn06504
[2011/01/14 19:34:48 | 000,000,000 | ---D | M] -- E:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2012/02/04 10:12:58 | 000,000,000 | ---D | M] -- E:\Documents and Settings\All Users\Application Data\Drumsite
[2011/11/29 03:49:01 | 000,000,000 | ---D | M] -- E:\Documents and Settings\All Users\Application Data\GoldWave
[2010/09/26 21:22:20 | 000,000,000 | ---D | M] -- E:\Documents and Settings\All Users\Application Data\MediaMall
[2010/05/15 18:12:53 | 000,000,000 | ---D | M] -- E:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/01/05 10:48:07 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Henry\Application Data\.minecraft
[2011/08/08 12:46:17 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Henry\Application Data\CrystalSpace
[2011/01/14 19:34:45 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Henry\Application Data\DAEMON Tools Lite
[2010/06/12 09:28:15 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Henry\Application Data\Facebook
[2010/05/08 19:28:52 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Henry\Application Data\FinalMediaPlayer
[2010/03/28 21:21:50 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Henry\Application Data\gtk-2.0
[2010/10/05 20:57:33 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Henry\Application Data\Jasc
[2010/11/03 12:14:07 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Henry\Application Data\Leadertech
[2012/02/07 13:04:55 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Henry\Application Data\LEGO Company
[2012/02/20 11:37:51 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Henry\Application Data\MediaWmplay
[2010/11/27 20:36:51 | 000,000,000 | ---D | M] -- E:\Documents and Settings\Henry\Application Data\REAPER

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: EXPLORER.EXE >
[2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- E:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
[2002/06/25 15:38:03 | 001,000,960 | ---- | M] (Microsoft Corporation) MD5=5A26FC6010886D25B3E412493DD95ED8 -- E:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2004/08/04 01:56:49 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- E:\WINDOWS\ERDNT\cache\explorer.exe
[2004/08/04 01:56:49 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- E:\WINDOWS\explorer.exe
[2004/08/04 01:56:49 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- E:\WINDOWS\ServicePackFiles\i386\explorer.exe

< MD5 for: SVCHOST.EXE >
[2002/06/25 15:47:31 | 000,012,800 | ---- | M] (Microsoft Corporation) MD5=0F7D9C87B0CE1FA520473119752C6F79 -- E:\WINDOWS\$NtServicePackUninstall$\svchost.exe
[2008/04/13 18:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- E:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\svchost.exe
[2004/08/04 01:56:57 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- E:\WINDOWS\ERDNT\cache\svchost.exe
[2004/08/04 01:56:57 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- E:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2004/08/04 01:56:57 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- E:\WINDOWS\system32\svchost.exe

< MD5 for: USERINIT.EXE >
[2004/08/04 01:56:57 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- E:\WINDOWS\ERDNT\cache\userinit.exe
[2004/08/04 01:56:57 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- E:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2004/08/04 01:56:57 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- E:\WINDOWS\system32\userinit.exe
[2002/06/25 15:48:55 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=585398603F570F9705774D65D292E5D1 -- E:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/04/13 18:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- E:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\userinit.exe

< MD5 for: WINLOGON.EXE >
[2004/08/04 01:56:57 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- E:\WINDOWS\ERDNT\cache\winlogon.exe
[2004/08/04 01:56:57 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- E:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2004/08/04 01:56:57 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- E:\WINDOWS\system32\winlogon.exe
[2012/01/13 14:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- E:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2002/06/25 15:50:29 | 000,429,056 | ---- | M] (Microsoft Corporation) MD5=C605FFF733AAD029D6B533E609C8A6E6 -- E:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2008/04/13 18:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- E:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe

< %systemroot%\*. /rp /s >

< End of report >


And here's the Extras.txt file:

OTL Extras logfile created on: 2/26/2012 9:48:26 AM - Run 1
OTL by OldTimer - Version 3.2.33.2 Folder = E:\Documents and Settings\Henry\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

638.80 Mb Total Physical Memory | 131.80 Mb Available Physical Memory | 20.63% Memory free
1.53 Gb Paging File | 1.14 Gb Available in Paging File | 75.04% Paging File free
Paging file location(s): E:\pagefile.sys 960 1920 [binary data]

%SystemDrive% = E: | %SystemRoot% = E:\WINDOWS | %ProgramFiles% = E:\Program Files
Drive C: | 189.92 Gb Total Space | 24.45 Gb Free Space | 12.87% Space Free | Partition Type: NTFS
Drive D: | 634.94 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 127.99 Gb Total Space | 101.82 Gb Free Space | 79.56% Space Free | Partition Type: NTFS

Computer Name: DIMENSION4500 | User Name: Henry | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-839522115-1336601894-1801674531-1004\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- E:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"ANTIVIRUSDISABLENOTIFY" = 0
"FIREWALLDISABLENOTIFY" = 0
"UPDATESDISABLENOTIFY" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"E:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" = E:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe
"E:\Program Files\HP\Digital Imaging\bin\hpqste08.exe" = E:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe
"E:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = E:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe
"E:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = E:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe
"E:\Program Files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe" = E:\Program Files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe:*:Enabled:hpqphotocrm.exe -- (Hewlett-Packard Co.)
"E:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe" = E:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe:*:Enabled:hpqgplgtupl.exe
"E:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe" = E:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe:*:Enabled:hpqgpc01.exe
"E:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe" = E:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe:*:Enabled:hpqusgm.exe
"E:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe" = E:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe:*:Enabled:hpqusgh.exe
"E:\Program Files\HP\HP Software Update\HPWUCli.exe" = E:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Enabled:hpwucli.exe -- (Hewlett-Packard)
"E:\Program Files\HP\Digital Imaging\smart web printing\SmartWebPrintExe.exe" = E:\Program Files\HP\Digital Imaging\smart web printing\SmartWebPrintExe.exe:*:Enabled:smartwebprintexe.exe
"%windir%\explorer.exe" = %windir%\explorer.exe -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\REAPER\reaper.exe" = C:\Program Files\REAPER\reaper.exe:*:Enabled:REAPER -- (Cockos Incorporated)
"C:\Program Files\F1 Challenge 99-02\f1 challenge 99-02.exe" = C:\Program Files\F1 Challenge 99-02\f1 challenge 99-02.exe:*:Enabled:F1 Challenge 99-02 -- (Image Space Incorporated)
"E:\Program Files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe" = E:\Program Files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe:*:Enabled:hpqphotocrm.exe -- (Hewlett-Packard Co.)
"E:\Program Files\HP\HP Software Update\HPWUCli.exe" = E:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Enabled:hpwucli.exe -- (Hewlett-Packard)
"E:\Program Files\Logitech\Vid HD\Vid.exe" = E:\Program Files\Logitech\Vid HD\Vid.exe:*:Enabled:Logitech Vid HD -- (Logitech Inc.)
"%windir%\explorer.exe" = %windir%\explorer.exe -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01BECA44-450D-ACCF-AFC3-03FF6B009B63}" = Catalyst Control Center
"{07FB17D8-7DB6-4F06-80C4-8BE1719CB6A1}" = hpWLPGInstaller
"{190BFE74-D73A-C8E5-CD90-CD872449C8D1}" = Catalyst Control Center InstallProxy
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26595B84-25F5-43E2-9696-B1720E813850}" = WZCBDL Service
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java™ 6 Update 31
"{292F0F52-B62D-4E71-921B-89A682402201}" = Toolbox
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{2CA94ED4-F38D-44B4-A79D-E5835E276EFC}" = Air USB Utility
"{2ECA81CA-D932-4AD3-AD59-BF5CCF099C83}" = Catalyst Control Center - Branding
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3F1A3608-87BB-5172-2B97-8B7FB632DED4}" = AMD Catalyst Install Manager
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{54F6C98F-94A0-421C-B90E-0B6A2A96A9CF}" = Pure Networks Platform
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5BF5F9C5-E95B-4AFA-94BE-F2A9CA73B61D}" = Apple Mobile Device Support
"{609F7AC8-C510-11D4-A788-009027ABA5D0}" = Easy CD Creator 5 Basic
"{60FFB3E0-6D5B-4D73-AE5B-07E58B83AF0C}" = 32 Bit HP CIO Components Installer
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{7057ABC2-EFF3-4E43-9806-8BCB6EEA9FE6}" = Microsoft IntelliPoint 7.1
"{7059BDA7-E1DB-442C-B7A1-6144596720A4}" = HP Update
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{860FB617-F27B-7C53-4766-4063015CEBD9}" = Catalyst Control Center Localization All
"{8686D4FE-62EF-46FB-B9FD-00679EB381FF}_is1" = Trojan Killer 2.0
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{911B0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Word 2002
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{96178C0A-BAF9-4E49-A2A5-CDE76722105B}" = HP Deskjet D1600 Printer Driver 14.0 Rel. 6
"{98613C99-1399-416C-A07C-1EE1C585D872}" = SeaTools for Windows
"{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704}" = Microsoft Works 6.0
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A4D58580-EA01-11D3-9318-008048B86EFE}" = Turtle Beach Santa Cruz Driver
"{AAD47011-8518-4608-9656-951DA35B587B}" = iTunes
"{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X (10.0.1)
"{B0E4B690-8C1A-3AFC-93B1-FE44CC6AC451}" = ccc-utility
"{BCF4E5BE-C249-4ED3-BA3B-C4257C743995}" = NIOC Service
"{BD3DCAB0-3FE5-44FB-90DA-EFB0A2CD1387}" = Works Synchronization
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C27BC2A2-30DD-4014-B22E-63EB0DB572F9}" = Logitech Webcam Software
"{C3A439E4-7303-491F-A678-CEA36A87D517}" = Microsoft Works Suite Add-in for Microsoft Word
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C75CDBA2-3C86-481e-BD10-BDDA758F9DFF}" = hpPrintProjects
"{C9B2F671-870B-43A0-8B9D-7DB30CEBD87E}" = DJ_SF_06_D1600_SW_Min
"{CBC800C4-1FD0-B310-F4A4-97741501CE09}" = CCC Help English
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEC9FC3D-7EE9-F5B5-EE4A-4EEF486E70A1}" = Catalyst Control Center Graphics Previews Common
"{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7
"{DC19E750-988B-4005-A355-85EF66055EFE}" = Works Suite OS Pack
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"BCM V.92 56K Modem" = BCM V.92 56K Modem
"Carbonite Backup" = Carbonite
"CCleaner" = CCleaner
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"ESET Online Scanner" = ESET Online Scanner v3
"Finale NotePad 2006" = Finale NotePad 2006
"GoldWave v5.58" = GoldWave v5.58
"HP Print Projects" = HP Print Projects 1.0
"InstallShield_{26595B84-25F5-43E2-9696-B1720E813850}" = WZCBDL Service
"InstallShield_{2CA94ED4-F38D-44B4-A79D-E5835E276EFC}" = Air USB Utility
"InstallShield_{BCF4E5BE-C249-4ED3-BA3B-C4257C743995}" = NIOC Service
"Linksys Wireless Manager" = Linksys Wireless Manager
"Logitech Vid" = Logitech Vid HD
"lvdrivers_12.10" = Logitech Webcam Software Driver Package
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 10.0.2 (x86 en-US)" = Mozilla Firefox 10.0.2 (x86 en-US)
"MVApplication1" = Memorex exPressit Label Design Studio
"REAPER" = REAPER
"WIC" = Windows Imaging Component
"Windows XP Service Pack" = Windows XP Service Pack 2
"WinRAR archiver" = WinRAR archiver
"Works2002Setup" = Microsoft Works 2002 Setup Launcher

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-839522115-1336601894-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Episode 2" = Back to the Future The Game - Episode 2
"Episode 3" = Back to the Future The Game - Episode 3
"Episode 4" = Back to the Future The Game - Episode 4
"Episode 5" = Back to the Future The Game - Episode 5
"Facebook Plug-In" = Facebook Plug-In
"New LEGO Digital Designer" = LEGO Digital Designer

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >
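The "< MD5 for: ... >" custom scan in the OTL log above lists every copy of explorer.exe, svchost.exe, userinit.exe and winlogon.exe on the disk, so that the copy that actually runs (in WINDOWS\system32, or WINDOWS itself for explorer.exe) can be compared with the service pack's pristine copy in WINDOWS\ServicePackFiles\i386. The script below automates that comparison. It is an added example, not part of the original post and not OTL's own code. The sample log it parses is copied from the SVCHOST.EXE and WINLOGON.EXE sections above, plus a constructed USERINIT.EXE section whose system32 hash has been altered so that a mismatch is visible.

```python
"""Triage the "< MD5 for: ... >" custom-scan section of an OTL log.

OTL lists every copy of a critical binary it finds. The copy that actually
runs lives in \\WINDOWS\\system32 (or, for explorer.exe, in \\WINDOWS itself);
the copy under \\WINDOWS\\ServicePackFiles\\i386 is the service pack's pristine
version. A live copy whose MD5 differs from that reference, or any copy with
no company name in its version info, is what a responder looks at first.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^<\s*MD5 for:\s*(?P<name>\S+)\s*>$")
ENTRY_RE = re.compile(
    r"^\[(?P<ts>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attrs>[-A-Z]+)\s*\|\s*(?P<flag>[CM])\]"
    r"\s*\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+?)\s*$"
)

# SVCHOST.EXE and WINLOGON.EXE lines are copied from the log above. The
# USERINIT.EXE section is constructed: its system32 hash is deliberately wrong.
SAMPLE_LOG = r"""
< MD5 for: SVCHOST.EXE >
[2002/06/25 15:47:31 | 000,012,800 | ---- | M] (Microsoft Corporation) MD5=0F7D9C87B0CE1FA520473119752C6F79 -- E:\WINDOWS\$NtServicePackUninstall$\svchost.exe
[2008/04/13 18:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- E:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\svchost.exe
[2004/08/04 01:56:57 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- E:\WINDOWS\ERDNT\cache\svchost.exe
[2004/08/04 01:56:57 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- E:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2004/08/04 01:56:57 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- E:\WINDOWS\system32\svchost.exe

< MD5 for: WINLOGON.EXE >
[2004/08/04 01:56:57 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- E:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2004/08/04 01:56:57 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- E:\WINDOWS\system32\winlogon.exe
[2012/01/13 14:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- E:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe

< MD5 for: USERINIT.EXE >
[2004/08/04 01:56:57 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- E:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2012/02/19 00:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=00112233445566778899AABBCCDDEEFF -- E:\WINDOWS\system32\userinit.exe
"""


def classify(path: str) -> str:
    """Say which copy of the binary a path is: "live", "reference" or "other"."""
    p = path.lower()
    if "\\servicepackfiles\\i386\\" in p:
        return "reference"
    if "\\windows\\system32\\" in p or re.search(r"\\windows\\[^\\]+$", p):
        return "live"
    return "other"


def parse_md5_sections(text: str) -> dict:
    """Return {BINARY_NAME: [entry, ...]} for every MD5 section in the log text."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name").upper()
            continue
        entry = ENTRY_RE.match(line)
        if entry and current:
            fields = entry.groupdict()
            fields["md5"] = fields["md5"].upper()
            fields["company"] = fields["company"].strip()
            fields["role"] = classify(fields["path"])
            sections[current].append(fields)
    return dict(sections)


def triage(sections: dict) -> list:
    """Return (binary, path, reason) tuples a responder should look at."""
    findings = []
    for name, entries in sections.items():
        reference = {e["md5"] for e in entries if e["role"] == "reference"}
        for e in entries:
            if not e["company"]:
                findings.append((name, e["path"], "no company name in version info"))
            if e["role"] != "live":
                continue
            if not reference:
                findings.append((name, e["path"], "no ServicePackFiles reference copy to compare against"))
            elif e["md5"] not in reference:
                findings.append((name, e["path"], "live copy differs from ServicePackFiles reference"))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for binary, path, reason in triage(parse_md5_sections(text)):
        print(f"{binary}: {reason}\n    {path}")
```

Run it with the path of a saved OTL.txt, or with no argument to see the two findings from the sample: the altered userinit.exe live copy, and the Malwarebytes Chameleon winlogon.exe with no company name. The second one is a decoy copy that belongs to Malwarebytes, which is exactly why a hash comparison and a company-name check are triage hints and not verdicts; the point of the custom scan is to hand the responder a short list to examine, not to delete anything automatically.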

#12 CatByte, Malware Response Team

Posted 26 February 2012 - 11:03 AM

Hi,

Please run the following:

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    O1 - Hosts: 94.63.240.135 www.google.com
    O1 - Hosts: 94.63.240.136 www.bing.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O3 - HKU\S-1-5-21-839522115-1336601894-1801674531-1004\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
    O3 - HKU\S-1-5-21-839522115-1336601894-1801674531-1004\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    [2011/12/12 13:34:00 | 000,001,550 | -HS- | C] () -- E:\Documents and Settings\Henry\Local Settings\Application Data\qvyscj4q0jdt0spj1als1i672e0y
    [2011/12/12 13:34:00 | 000,001,550 | -HS- | C] () -- E:\Documents and Settings\All Users\Application Data\qvyscj4q0jdt0spj1als1i672e0y
    [2011/12/02 00:32:38 | 000,000,344 | ---- | C] () -- E:\Documents and Settings\All Users\Application Data\3CvHZjcTjm8G6p
    [2011/08/18 20:24:56 | 000,015,062 | -HS- | C] () -- E:\Documents and Settings\Henry\Local Settings\Application Data\lm0cx02atc43832aq1p34v2o514n5p724071y0c8m1qpx
    [2011/08/18 20:24:56 | 000,015,062 | -HS- | C] () -- E:\Documents and Settings\All Users\Application Data\lm0cx02atc43832aq1p34v2o514n5p724071y0c8m1qpx
    [2011/05/28 07:49:20 | 000,000,136 | ---- | C] () -- E:\Documents and Settings\All Users\Application Data\~14475044r
    [2011/05/28 07:49:19 | 000,000,104 | ---- | C] () -- E:\Documents and Settings\All Users\Application Data\~14475044
    [2011/05/28 07:48:51 | 000,000,344 | ---- | C] () -- E:\Documents and Settings\All Users\Application Data\14475044
    [2011/05/30 01:09:19 | 000,000,000 | ---D | M] -- E:\Documents and Settings\All Users\Application Data\cFgAcDbDeMn06504
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL log

You should now be able to access Google. Let me know if there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
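The two O1 lines in the fix above are the cause of the original complaint: the hosts file was mapping www.google.com and www.bing.com to 94.63.240.135 and 94.63.240.136, so both browsers resolved those names to an attacker-chosen address before DNS was ever consulted, which is why images.google.com and maps.google.com (not in the hosts file) still worked. The script below is an added example, not part of the original post and not OTL's own code. It parses a hosts file, ignores comments and the loopback and 0.0.0.0 entries a clean file contains, and grades every remaining mapping. The sample hosts content is constructed, except for the two redirect lines, which are the ones OTL removed; the WATCHLIST of domains is an assumption chosen for illustration.

```python
"""Grade hosts-file entries so that a hijack like the one in this thread
stands out. A clean Windows hosts file maps names only to loopback
addresses (or to 0.0.0.0 when used for ad blocking); anything else is
worth a look, and a public address for a search engine, Microsoft update
or antivirus domain is a strong sign of tampering.
"""
import ipaddress
import os
import sys

# Domains that a hosts file has no legitimate reason to point at a public
# address (assumed list for illustration). Substring matches, so "google."
# covers www.google.com and images.google.com alike.
WATCHLIST = (
    "google.", "bing.", "yahoo.", "microsoft.", "windowsupdate.",
    "malwarebytes.", "symantec.", "mcafee.", "kaspersky.", "avast.",
)


def parse_hosts(text):
    """Yield (line_no, address, [names]) for every active hosts entry."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        fields = line.split()
        if len(fields) < 2:
            continue
        yield line_no, fields[0], fields[1:]


def grade(address, name):
    """Return a severity for one name->address mapping, or None if benign."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return "medium"  # not an IP at all; malformed entries deserve a look
    if addr.is_loopback or addr.is_unspecified:
        return None  # 127.x, ::1 and 0.0.0.0: the normal contents of a hosts file
    if addr.is_private or addr.is_link_local:
        return "low"  # LAN shortcut such as a printer; confirm it is intentional
    if any(w in name.lower() for w in WATCHLIST):
        return "high"
    return "medium"


def find_hijacks(text):
    """Return a list of suspicious entries, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for line_no, address, names in parse_hosts(text):
        for name in names:
            sev = grade(address, name)
            if sev:
                findings.append({"line": line_no, "ip": address, "name": name, "severity": sev})
    findings.sort(key=lambda f: (order[f["severity"]], f["line"]))
    return findings


# Constructed sample. The last two lines are the entries OTL removed above.
SAMPLE_HOSTS = """\
# Sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net    # ad-blocking style entry, benign
192.168.1.20    printer.lan        # LAN shortcut, low severity
94.63.240.135   www.google.com
94.63.240.136   www.bing.com
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        path = sys.argv[1]
    else:
        path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    try:
        text = open(path, encoding="utf-8", errors="replace").read()
    except OSError:
        text = SAMPLE_HOSTS
        print(f"{path} not readable, analysing the constructed sample instead")
    for f in find_hijacks(text):
        print(f"[{f['severity']:<6}] line {f['line']}: {f['name']} -> {f['ip']}")
```

Two caveats when using this on a real machine. The resolver reads the hosts file from the directory named in HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath, so check that value as well as the default path, and note that malware often marks the file hidden or read-only. And after the file is cleaned, flush the resolver cache (ipconfig /flushdns, as the fix above does), otherwise the poisoned answers stay cached until they expire.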


#13 Havl, Topic Starter

Posted 26 February 2012 - 12:07 PM

Excellent! Yes, I'm able to access Google. Computer seems to be functioning as normal. Here's the log from OTL:

All processes killed
========== OTL ==========
94.63.240.135 www.google.com removed from HOSTS file successfully
94.63.240.136 www.bing.com removed from HOSTS file successfully
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry value HKEY_USERS\S-1-5-21-839522115-1336601894-1801674531-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{32099AAC-C132-4136-9E9A-4E364A424E17} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}\ not found.
Registry value HKEY_USERS\S-1-5-21-839522115-1336601894-1801674531-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
E:\Documents and Settings\Henry\Local Settings\Application Data\qvyscj4q0jdt0spj1als1i672e0y moved successfully.
E:\Documents and Settings\All Users\Application Data\qvyscj4q0jdt0spj1als1i672e0y moved successfully.
E:\Documents and Settings\All Users\Application Data\3CvHZjcTjm8G6p moved successfully.
E:\Documents and Settings\Henry\Local Settings\Application Data\lm0cx02atc43832aq1p34v2o514n5p724071y0c8m1qpx moved successfully.
E:\Documents and Settings\All Users\Application Data\lm0cx02atc43832aq1p34v2o514n5p724071y0c8m1qpx moved successfully.
E:\Documents and Settings\All Users\Application Data\~14475044r moved successfully.
E:\Documents and Settings\All Users\Application Data\~14475044 moved successfully.
E:\Documents and Settings\All Users\Application Data\14475044 moved successfully.
Folder E:\Documents and Settings\All Users\Application Data\cFgAcDbDeMn06504\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
E:\Documents and Settings\Henry\Desktop\cmd.bat deleted successfully.
E:\Documents and Settings\Henry\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
E:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Henry
->Temp folder emptied: 16640778 bytes
->Temporary Internet Files folder emptied: 113497 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 82784460 bytes
->Flash cache emptied: 146486 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 6373 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 24933 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16384 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 95.00 mb


OTL by OldTimer - Version 3.2.33.2 log created on 02262012_110303

Files\Folders moved on Reboot...
File\Folder E:\WINDOWS\temp\Perflib_Perfdata_848.dat not found!

Registry entries deleted on Reboot...

#14 CatByte, Malware Response Team

Posted 26 February 2012 - 02:52 PM

Hi

Just some housekeeping to do now,

Please do the following:


You can delete the Farbar Service Scanner, DDS and GMER logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U; it needs to be there.



NEXT


Clean up with OTL:
  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine;
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.



#15 CatByte, Malware Response Team

Posted 03 March 2012 - 06:34 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





