
Infected with Rootkit.Boot.Pihar.c


22 replies to this topic

#1 c23dr

Posted 31 December 2012 - 09:11 PM

My mother's desktop was freezing up badly, became unusable, and my brother ran a bunch of stuff in safe mode that found and removed:

Rootkit.Boot.Pihar.c
Trojan.Gen.2
Backdoor.Tidserv
Trojan.Malcol

I don't think the computer is virus free yet, or it's been damaged by the viruses. It still runs slow on the internet and if I try to update/download anything by Adobe, I get errors during installation (something about line 1399 'expected'). I hope someone can help me salvage this computer.

Per the instructions for posting in this forum, I've included DDS logs. Thanks!





DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.10.2
Run by Valarie at 19:36:13 on 2012-12-31
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2314 [GMT -6:00]
.
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Engine\20.2.0.19\ccSvcHst.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton Internet Security\Engine\20.2.0.19\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton internet security\engine\20.2.0.19\CoIEPlg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton internet security\engine\20.2.0.19\ips\IPSBHO.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\20.2.0.19\CoIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [tscuninstall] c:\windows\system32\tscupgrd.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1356857863890
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.254.254
TCP: Interfaces\{48FDD51E-B770-49F0-BAD3-6CB90F538E0B} : DHCPNameServer = 192.168.254.254
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1402000.013\SymDS.sys [2012-12-29 368288]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1402000.013\SymEFA.sys [2012-12-29 927904]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_20.2.0.19\definitions\bashdefs\20121130.005\BHDrvx86.sys [2012-11-29 995488]
R1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\nis\1402000.013\ccSetx86.sys [2012-12-29 134304]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1402000.013\Ironx86.sys [2012-12-29 175264]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\20.2.0.19\ccSvcHst.exe [2012-12-29 143928]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-8-15 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_20.2.0.19\definitions\ipsdefs\20121230.001\IDSXpx86.sys [2012-12-30 373728]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_20.2.0.19\definitions\virusdefs\20121231.004\NAVENG.SYS [2012-12-31 92704]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_20.2.0.19\definitions\virusdefs\20121231.004\NAVEX15.SYS [2012-12-31 1601184]
S0 tqsr;tqsr;c:\windows\system32\drivers\goapkqmb.sys --> c:\windows\system32\drivers\goapkqmb.sys [?]
S3 EraserUtilDrv11220;EraserUtilDrv11220;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv11220.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv11220.sys [?]
.
=============== Created Last 30 ================
.
2013-01-01 01:11:06 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-01 01:04:07 859072 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-01-01 01:04:07 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-01-01 01:04:00 93640 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-12-31 07:54:56 -------- d-----w- c:\windows\system32\LogFiles
2012-12-30 12:48:48 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2012-12-30 12:48:43 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2012-12-30 12:48:27 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2012-12-30 12:47:49 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2012-12-30 12:47:31 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2012-12-30 12:45:35 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2012-12-30 12:45:03 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2012-12-30 12:42:41 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2012-12-30 12:42:41 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2012-12-30 12:42:18 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2012-12-30 12:42:18 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2012-12-30 12:42:18 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2012-12-30 12:42:18 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2012-12-30 12:42:18 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2012-12-30 12:42:18 110592 -c----w- c:\windows\system32\dllcache\services.exe
2012-12-30 12:42:17 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2012-12-30 12:41:47 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2012-12-30 12:40:28 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-12-30 12:40:19 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2012-12-30 12:40:09 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2012-12-30 12:36:23 536576 -c----w- c:\windows\system32\dllcache\msado15.dll
2012-12-30 12:35:48 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2012-12-30 12:35:46 139784 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2012-12-30 12:34:41 718336 -c----w- c:\windows\system32\dllcache\ntdll.dll
2012-12-30 12:34:41 2192896 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2012-12-30 12:34:41 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2012-12-30 12:34:40 2069632 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2012-12-30 12:34:40 2027520 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2012-12-30 12:34:22 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-12-30 12:32:04 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2012-12-30 11:56:34 -------- d-----w- c:\documents and settings\valarie\application data\FixZeroAccess
2012-12-30 11:54:32 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2012-12-30 11:50:47 290560 -c----w- c:\windows\system32\dllcache\atmfd.dll
2012-12-30 11:49:29 630272 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2012-12-30 11:49:29 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-12-30 11:49:28 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-12-30 11:49:28 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-12-30 11:49:27 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-12-30 11:49:27 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-12-30 11:49:27 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
2012-12-30 11:49:23 11111424 -c----w- c:\windows\system32\dllcache\ieframe.dll
2012-12-30 10:52:16 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-30 10:52:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-12-30 10:35:54 -------- d-----w- C:\TDSSKiller_Quarantine
2012-12-30 10:00:24 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2012-12-30 10:00:24 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll
2012-12-30 10:00:09 81920 ------w- c:\windows\system32\ieencode.dll
2012-12-30 09:50:27 19569 ----a-w- c:\windows\003090_.tmp
2012-12-30 05:10:59 23040 -c--a-w- c:\windows\system32\dllcache\EXCH_regtrace.exe
2012-12-30 05:09:52 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2012-12-30 05:08:52 45056 -c--a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll
2012-12-30 05:08:49 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2012-12-30 05:00:46 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-12-30 04:54:26 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2012-12-30 04:54:26 24661 ----a-w- c:\windows\system32\spxcoins.dll
2012-12-30 04:54:26 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2012-12-30 04:54:26 13312 ----a-w- c:\windows\system32\irclass.dll
2012-12-30 04:54:11 14573 ----a-r- c:\windows\SET81.tmp
2012-12-30 04:54:02 13753 ----a-r- c:\windows\SET4E.tmp
2012-12-30 04:53:59 1086058 ----a-r- c:\windows\SET42.tmp
2012-12-30 04:53:57 1042903 ----a-r- c:\windows\SET3F.tmp
2012-12-29 07:49:57 927904 ----a-r- c:\windows\system32\drivers\nis\1402000.013\SymEFA.sys
2012-12-29 07:49:57 586400 ----a-r- c:\windows\system32\drivers\nis\1402000.013\srtsp.sys
2012-12-29 07:49:57 394656 ----a-r- c:\windows\system32\drivers\nis\1402000.013\symtdi.sys
2012-12-29 07:49:57 368288 ----a-r- c:\windows\system32\drivers\nis\1402000.013\SymDS.sys
2012-12-29 07:49:57 350368 ----a-r- c:\windows\system32\drivers\nis\1402000.013\symtdiv.sys
2012-12-29 07:49:57 338592 ----a-r- c:\windows\system32\drivers\nis\1402000.013\symnets.sys
2012-12-29 07:49:57 32888 ----a-r- c:\windows\system32\drivers\nis\1402000.013\srtspx.sys
2012-12-29 07:49:57 21400 ----a-r- c:\windows\system32\drivers\nis\1402000.013\SymELAM.sys
2012-12-29 07:49:57 175264 ----a-r- c:\windows\system32\drivers\nis\1402000.013\Ironx86.sys
2012-12-29 07:49:56 134304 ----a-r- c:\windows\system32\drivers\nis\1402000.013\ccSetx86.sys
2012-12-29 07:49:36 9103 ----a-r- c:\windows\system32\drivers\nis\1402000.013\SymVTcer.dat
2012-12-29 07:49:35 -------- d-----w- c:\windows\system32\drivers\nis\1402000.013
2012-12-29 07:35:14 -------- d-----w- c:\documents and settings\valarie\application data\Tific
2012-12-29 07:35:12 -------- d-----w- c:\documents and settings\valarie\local settings\application data\Symantec
2012-12-29 05:31:01 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2012-12-29 05:31:01 16384 ----a-w- c:\program files\internet explorer\connection wizard\isignup.exe
2012-12-29 05:16:44 14573 ----a-r- c:\windows\SET169.tmp
2012-12-29 05:16:39 13753 ----a-r- c:\windows\SET136.tmp
2012-12-29 05:16:36 1086058 ----a-r- c:\windows\SET12A.tmp
2012-12-29 05:16:33 1042903 ----a-r- c:\windows\SET127.tmp
2012-12-29 03:50:59 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-12-29 03:50:59 -------- d-----w- c:\windows\system32\wbem\Repository
2012-12-29 03:35:38 -------- d-----w- c:\documents and settings\valarie\application data\ShopAtHome
.
==================== Find3M ====================
.
2013-01-01 01:11:06 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-01 01:03:44 779704 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-29 07:51:09 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-02 02:02:42 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17:54 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35:34 385024 ----a-w- c:\windows\system32\html.iec
2012-10-11 01:51:09 3402 --sha-w- c:\windows\system32\KGyGaAvL.sys
2012-10-11 01:51:06 88 --sha-r- c:\windows\system32\EABA3ED6A5.sys
.
============= FINISH: 19:37:18.15 ===============

Edited by c23dr, 01 January 2013 - 03:56 AM.
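An added triage example (not from this thread or from DDS, OTL or any other tool mentioned): it parses the SERVICES / DRIVERS section of the DDS log above and flags driver entries whose file is missing, that start at boot or system time, or whose service name does not match the driver file it points at. The sample block is a constructed excerpt of four lines from that log, and the scoring weights are assumptions, not a published rule; with them the orphaned boot-start `tqsr` service comes out on top.

```python
"""Triage the SERVICES / DRIVERS section of a DDS log for driver entries worth a
second look: a file that no longer exists on disk, a boot- or system-start driver,
and a service name that differs from the driver file it points at."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: four lines taken from the DDS log in the post above, in the
# format DDS emits: state+start type, then name;display;path [date size]
# for a present file, or path --> path [?] when the file is missing.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1402000.013\SymDS.sys [2012-12-29 368288]
R1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\nis\1402000.013\ccSetx86.sys [2012-12-29 134304]
S0 tqsr;tqsr;c:\windows\system32\drivers\goapkqmb.sys --> c:\windows\system32\drivers\goapkqmb.sys [?]
S3 EraserUtilDrv11220;EraserUtilDrv11220;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv11220.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv11220.sys [?]
.
=============== Created Last 30 ================
"""

# DDS start-type digits follow the Service Control Manager "Start" value.
START_TYPES = {"0": "Boot", "1": "System", "2": "Auto", "3": "On_Demand", "4": "Disabled"}

# R = running, S = stopped; then the start type digit; then name;display;rest
LINE_RE = re.compile(r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
PRESENT_RE = re.compile(r"^(?P<path>.+) \[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\]$")
MISSING_RE = re.compile(r"^(?P<path>.+?) --> (?P<resolved>.+) \[\?\]$")


@dataclass
class DriverEntry:
    name: str
    display: str
    running: bool
    start_type: str
    path: str
    file_missing: bool
    size: Optional[int] = None

    @property
    def file_stem(self) -> str:
        """Driver file name without directory, NT prefix or extension, lower-cased."""
        leaf = self.path.replace("\\??\\", "").rsplit("\\", 1)[-1]
        return leaf.rsplit(".", 1)[0].lower()


def parse_dds_services(text: str) -> List[DriverEntry]:
    """Parse every R?/S? line between the SERVICES / DRIVERS header and the next header."""
    entries: List[DriverEntry] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if "SERVICES / DRIVERS" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("="):
            break  # reached the next section header
        m = LINE_RE.match(line)
        if not m:
            continue
        running = m.group("state") == "R"
        start = START_TYPES.get(m.group("start"), m.group("start"))
        missing = MISSING_RE.match(m.group("rest"))
        if missing:
            entries.append(DriverEntry(m.group("name"), m.group("display"), running, start,
                                       missing.group("resolved"), True))
            continue
        present = PRESENT_RE.match(m.group("rest"))
        if present:
            entries.append(DriverEntry(m.group("name"), m.group("display"), running, start,
                                       present.group("path"), False, int(present.group("size"))))
    return entries


def score(entry: DriverEntry) -> int:
    """Assumed heuristic weights: a missing file is the strongest signal; an early
    start type and a service name that differs from its file stem add to it."""
    s = 0
    if entry.file_missing:
        s += 3
    if entry.start_type in ("Boot", "System"):
        s += 1
    if entry.name.lower() != entry.file_stem:
        s += 1
    return s


def triage(entries: List[DriverEntry], threshold: int = 3) -> List[DriverEntry]:
    """Return entries scoring at or above the threshold, highest score first."""
    flagged = [e for e in entries if score(e) >= threshold]
    return sorted(flagged, key=score, reverse=True)


if __name__ == "__main__":
    for e in triage(parse_dds_services(SAMPLE_DDS)):
        print(f"score={score(e)} start={e.start_type} name={e.name} missing={e.file_missing} path={e.path}")
```

On the excerpt this reports `tqsr` (score 5: missing file, boot start, name differs from goapkqmb.sys) ahead of the Symantic Eraser remnant (score 3), while the two present Norton drivers fall below the threshold.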




#2 Jintan (Malware Response Team)

Posted 01 January 2013 - 06:47 PM

Welcome to BC c23dr,

Let's get a different look at things there.


To make sure you have an accurate view of files there, make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"



To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs. Here are some antivirus disable tips if needed.

-------

Click here and download OldTimer's OTL to your desktop, then click that to open the scan display. At the top click "Scan All Users", then click "Run Scan". Make no other changes at this time.

When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are also saved in the same location as OTL.exe. Post the contents of those back here please.

-----------

Click here and download the installer for Gmer to your desktop, then click that file to run Gmer.


Once the opening scan finishes, click on Scan (again, before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.

-----------

Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/) to your desktop. Click the RogueKiller icon next to "(Download link) : Lien de téléchargement".

Close all open programs
Remember to right click -> run as administrator, and click the downloaded file.
When prompted, type 1, and press Enter.
A RKreport.txt will be created in the same location as the RogueKiller file.
If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe, and try again.

Please post the contents of the RKreport.txt.
Ad eundum quo no duck ante iit

#3 c23dr (Topic Starter)

Posted 01 January 2013 - 10:21 PM

Thanks Jintan. I got more info from my brother about what was done before I came into the picture, not sure if it helps now, but I'll pass it on.

PC would only run in safe mode. He suspected OS problems so did a Windows Repair using the XP disc. Didn't help. Then he started running virus scans. He used Malwarebytes, TDSSKiller, ComboFix, Norton's FixZeroAccess. The viruses I listed in my first post were found and removed. After that, the PC could be used in normal mode again. That's when I got the PC and posted here.

Here are the logs you requested.
**During the Gmer scan, I got a warning of High CPU Usage by pyry6zbi.exe. I assume it's part of Gmer, but since all my virus protection was turned off at the time, I thought I would mention it.







OTL logfile created on: 1/1/2013 7:02:27 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Valarie\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.48 Gb Available Physical Memory | 82.76% Memory free
4.84 Gb Paging File | 4.37 Gb Available in Paging File | 90.23% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 145.20 Gb Total Space | 102.01 Gb Free Space | 70.26% Space Free | Partition Type: NTFS

Computer Name: D1VJGPB1 | User Name: Valarie | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/01/01 18:58:52 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Valarie\Desktop\OTL.exe
PRC - [2012/12/31 19:03:45 | 000,170,408 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2012/10/10 20:29:13 | 000,143,928 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\20.2.0.19\ccSvcHst.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/02/10 10:17:04 | 000,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2005/09/08 04:20:00 | 000,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE


========== Modules (No Company Name) ==========

MOD - [2012/05/30 08:51:08 | 000,699,280 | R--- | M] () -- C:\Program Files\Norton Internet Security\Engine\20.2.0.19\wincfi39.dll


========== Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2012/12/31 19:03:45 | 000,170,408 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2012/10/10 20:29:13 | 000,143,928 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton Internet Security\Engine\20.2.0.19\ccSvcHst.exe -- (NIS)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\wanatw4.sys -- (wanatw)
DRV - File not found [Kernel | Boot | Stopped] -- System32\drivers\goapkqmb.sys -- (tqsr)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11220.sys -- (EraserUtilDrv11220)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\VALARI~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (bvrp_pci)
DRV - [2012/12/29 01:51:09 | 000,142,496 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2012/12/28 16:39:26 | 000,373,728 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\Definitions\IPSDefs\20121230.001\IDSXpx86.sys -- (IDSxpx86)
DRV - [2012/12/28 01:00:00 | 001,601,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\Definitions\VirusDefs\20121231.020\NAVEX15.SYS -- (NAVEX15)
DRV - [2012/12/28 01:00:00 | 000,092,704 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\Definitions\VirusDefs\20121231.020\NAVENG.SYS -- (NAVENG)
DRV - [2012/11/29 17:13:06 | 000,995,488 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\Definitions\BASHDefs\20121130.005\BHDrvx86.sys -- (BHDrvx86)
DRV - [2012/10/08 19:00:02 | 000,586,400 | R--- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NIS\1402000.013\srtsp.sys -- (SRTSP)
DRV - [2012/10/03 19:40:35 | 000,927,904 | R--- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1402000.013\SymEFA.sys -- (SymEFA)
DRV - [2012/10/03 19:40:20 | 000,368,288 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1402000.013\SymDS.sys -- (SymDS)
DRV - [2012/10/03 19:19:14 | 000,134,304 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1402000.013\ccSetx86.sys -- (ccSet_NIS)
DRV - [2012/09/06 20:05:14 | 000,394,656 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1402000.013\symtdi.sys -- (SYMTDI)
DRV - [2012/09/06 19:48:08 | 000,175,264 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1402000.013\Ironx86.sys -- (SymIRON)
DRV - [2012/09/06 19:40:51 | 000,032,888 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1402000.013\srtspx.sys -- (SRTSPX)
DRV - [2012/08/08 21:09:24 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/08/08 21:09:24 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2007/06/18 19:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2006/08/29 15:08:43 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2006/02/10 10:19:12 | 001,107,224 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2005/09/08 04:20:00 | 000,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2005/09/08 04:20:00 | 000,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2005/09/08 04:20:00 | 000,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2005/09/08 04:20:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2005/09/08 04:20:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2005/09/08 04:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2005/09/08 04:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005/08/25 11:16:52 | 000,005,628 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/08/25 11:16:16 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2005/08/03 20:10:18 | 001,273,344 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2003/11/17 13:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 13:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 13:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2400598717-4008163567-1341937095-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-2400598717-4008163567-1341937095-1007\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-2400598717-4008163567-1341937095-1007\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-2400598717-4008163567-1341937095-1007\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
IE - HKU\S-1-5-21-2400598717-4008163567-1341937095-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.10.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.10.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.124\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.124\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\coFFPlgn\ [2013/01/01 18:53:07 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\IPSFFPlgn\ [2012/12/29 01:56:49 | 000,000,000 | ---D | M]


========== Chrome ==========

CHR - homepage: http://www.google.com/
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter}
CHR - homepage: http://www.google.com/
CHR - Extension: Google Drive = C:\Documents and Settings\Valarie\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\
CHR - Extension: YouTube = C:\Documents and Settings\Valarie\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Documents and Settings\Valarie\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Norton Identity Protection = C:\Documents and Settings\Valarie\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk\2013.2.0.18_0\
CHR - Extension: Gmail = C:\Documents and Settings\Valarie\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/12/31 01:33:16 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\20.2.0.19\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\20.2.0.19\IPS\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\20.2.0.19\CoIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2400598717-4008163567-1341937095-1007\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2400598717-4008163567-1341937095-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-2400598717-4008163567-1341937095-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-2400598717-4008163567-1341937095-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKLM\..Trusted Domains: musicmatch.com ([online] https in Trusted sites)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1356857863890 (WUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.254.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{48FDD51E-B770-49F0-BAD3-6CB90F538E0B}: DhcpNameServer = 192.168.254.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Valarie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Valarie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 12:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/01/01 18:58:47 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Valarie\Desktop\OTL.exe
[2013/01/01 03:23:55 | 037,868,688 | ---- | C] (Adobe Systems Incorporated) -- C:\Documents and Settings\Valarie\Desktop\AdbeRdr11000_en_US.exe
[2013/01/01 02:30:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Valarie\Local Settings\Application Data\Sun
[2012/12/31 19:54:10 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/12/31 19:34:12 | 000,688,992 | R--- | C] (Swearware) -- C:\Documents and Settings\Valarie\Desktop\dds.com
[2012/12/31 19:11:06 | 000,697,272 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/12/31 19:04:16 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/12/31 19:04:07 | 000,859,072 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\npDeployJava1.dll
[2012/12/31 19:04:07 | 000,260,528 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2012/12/31 19:04:07 | 000,143,872 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2012/12/31 19:04:00 | 000,174,000 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2012/12/31 19:04:00 | 000,173,992 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2012/12/31 19:04:00 | 000,093,640 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2012/12/31 19:02:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2012/12/31 01:54:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2012/12/31 01:35:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/12/30 21:44:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome
[2012/12/30 06:48:48 | 000,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2012/12/30 06:48:43 | 000,272,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\bthport.sys
[2012/12/30 06:48:27 | 000,953,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc40u.dll
[2012/12/30 06:47:49 | 000,456,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mrxsmb.sys
[2012/12/30 06:47:31 | 000,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comctl32.dll
[2012/12/30 06:45:35 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[2012/12/30 06:45:03 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys
[2012/12/30 06:42:41 | 000,119,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\t2embed.dll
[2012/12/30 06:42:41 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fontsub.dll
[2012/12/30 06:40:28 | 000,105,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mup.sys
[2012/12/30 06:40:19 | 000,203,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rmcast.sys
[2012/12/30 06:40:09 | 000,331,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msadce.dll
[2012/12/30 06:36:23 | 000,536,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msado15.dll
[2012/12/30 06:35:48 | 003,558,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\moviemk.exe
[2012/12/30 06:35:46 | 000,139,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rdpwd.sys
[2012/12/30 06:34:41 | 002,192,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2012/12/30 06:34:41 | 002,148,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2012/12/30 06:34:40 | 002,069,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlpa.exe
[2012/12/30 06:34:40 | 002,027,520 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2012/12/30 06:34:22 | 000,010,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndistapi.sys
[2012/12/30 06:32:04 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe
[2012/12/30 05:56:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Valarie\Application Data\FixZeroAccess
[2012/12/30 05:56:03 | 001,805,736 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Valarie\Desktop\FixZeroAccess.exe
[2012/12/30 05:54:32 | 000,590,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcrt4.dll
[2012/12/30 05:50:47 | 000,290,560 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\dllcache\atmfd.dll
[2012/12/30 05:49:29 | 000,630,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeeds.dll
[2012/12/30 05:49:29 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeedsbs.dll
[2012/12/30 05:49:27 | 002,000,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iertutil.dll
[2012/12/30 05:49:27 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[2012/12/30 05:49:27 | 000,521,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jsdbgui.dll
[2012/12/30 05:49:23 | 011,111,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll
[2012/12/30 04:52:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/12/30 04:52:16 | 000,021,104 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/12/30 04:52:16 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/12/30 04:35:54 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/12/30 04:33:35 | 002,213,976 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Valarie\Desktop\TDSSKiller.exe
[2012/12/30 04:10:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2012/12/30 04:00:24 | 001,372,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml6.dll
[2012/12/30 04:00:24 | 000,079,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml6r.dll
[2012/12/30 04:00:09 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ieencode.dll
[2012/12/30 03:45:59 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
[2012/12/29 23:11:37 | 000,156,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\winzm.ime
[2012/12/29 23:11:36 | 000,156,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\winsp.ime
[2012/12/29 23:11:36 | 000,156,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\winpy.ime
[2012/12/29 23:11:35 | 000,072,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wingb.ime
[2012/12/29 23:11:35 | 000,065,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\winime.ime
[2012/12/29 23:11:34 | 000,079,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\winar30.ime
[2012/12/29 23:11:33 | 000,041,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\weitekp9.dll
[2012/12/29 23:11:33 | 000,031,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\weitekp9.sys
[2012/12/29 23:11:31 | 000,426,041 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\voicepad.dll
[2012/12/29 23:11:31 | 000,086,073 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\voicesub.dll
[2012/12/29 23:11:31 | 000,048,256 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\w32.dll
[2012/12/29 23:11:26 | 000,076,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\uniime.dll
[2012/12/29 23:11:26 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\unicdime.ime
[2012/12/29 23:11:25 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tsprof.exe
[2012/12/29 23:11:23 | 000,571,392 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tintlgnt.ime
[2012/12/29 23:11:23 | 000,455,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tintsetp.exe
[2012/12/29 23:11:23 | 000,044,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tintlphr.exe
[2012/12/29 23:11:23 | 000,010,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tmigrate.dll
[2012/12/29 23:11:22 | 000,185,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\thawbrkr.dll
[2012/12/29 23:11:22 | 000,019,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tdspx.sys
[2012/12/29 23:11:21 | 000,021,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tdipx.sys
[2012/12/29 23:11:21 | 000,013,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tdasync.sys
[2012/12/29 23:11:17 | 000,101,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\srusbusd.dll
[2012/12/29 23:11:15 | 000,143,422 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\softkey.dll
[2012/12/29 23:11:13 | 000,010,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\snmpstup.dll
[2012/12/29 23:11:13 | 000,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_snprfdll.dll
[2012/12/29 23:11:11 | 000,015,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\smierrsm.dll
[2012/12/29 23:11:11 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_smtpctrs.dll
[2012/12/29 23:11:11 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\smimsgif.dll
[2012/12/29 23:11:11 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\smierrsy.dll
[2012/12/29 23:11:10 | 000,038,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm9aw.dll
[2012/12/29 23:11:10 | 000,031,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\smb6w.dll
[2012/12/29 23:11:10 | 000,031,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sma3w.dll
[2012/12/29 23:11:10 | 000,026,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm93w.dll
[2012/12/29 23:11:10 | 000,026,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm92w.dll
[2012/12/29 23:11:10 | 000,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm90w.dll
[2012/12/29 23:11:10 | 000,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm8dw.dll
[2012/12/29 23:11:09 | 000,030,208 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm87w.dll
[2012/12/29 23:11:09 | 000,030,208 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm81w.dll
[2012/12/29 23:11:09 | 000,029,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm8cw.dll
[2012/12/29 23:11:09 | 000,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm8aw.dll
[2012/12/29 23:11:09 | 000,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm89w.dll
[2012/12/29 23:11:09 | 000,025,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sm59w.dll
[2012/12/29 23:11:08 | 000,018,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\simptcp.dll
[2012/12/29 23:11:04 | 000,057,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_scripto.dll
[2012/12/29 23:11:04 | 000,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_seos.dll
[2012/12/29 23:11:02 | 000,079,872 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rwia330.dll
[2012/12/29 23:11:02 | 000,079,872 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rwia001.dll
[2012/12/29 23:11:00 | 000,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\romanime.ime
[2012/12/29 23:10:59 | 000,023,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_regtrace.exe
[2012/12/29 23:10:59 | 000,014,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\register.exe
[2012/12/29 23:10:56 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\quser.exe
[2012/12/29 23:10:55 | 000,077,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\quick.ime
[2012/12/29 23:10:55 | 000,009,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\query.exe
[2012/12/29 23:10:52 | 000,131,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pmxviceo.dll
[2012/12/29 23:10:52 | 000,011,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pmxmcro.dll
[2012/12/29 23:10:52 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pmxgl.dll
[2012/12/29 23:10:51 | 000,482,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pintlgnt.ime
[2012/12/29 23:10:51 | 000,070,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pintlphr.exe
[2012/12/29 23:10:51 | 000,067,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pmigrate.dll
[2012/12/29 23:10:50 | 000,079,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\phon.ime
[2012/12/29 23:10:50 | 000,053,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pintlcsd.dll
[2012/12/29 23:10:48 | 000,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\padrs804.dll
[2012/12/29 23:10:45 | 000,036,927 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\padrs411.dll
[2012/12/29 23:10:45 | 000,015,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\padrs404.dll
[2012/12/29 23:10:45 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\padrs412.dll
[2012/12/29 23:10:40 | 000,038,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_ntfsdrv.dll
[2012/12/29 23:10:35 | 000,229,439 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\multibox.dll
[2012/12/29 23:10:30 | 001,875,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msir3jp.lex
[2012/12/29 23:10:30 | 000,098,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msir3jp.dll
[2012/12/29 23:10:22 | 000,092,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mga.sys
[2012/12/29 23:10:22 | 000,092,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mga.dll
[2012/12/29 23:10:20 | 000,065,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_mailmsg.dll
[2012/12/29 23:10:16 | 000,070,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\korwbrkr.dll
[2012/12/29 23:10:15 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdvntc.dll
[2012/12/29 23:10:15 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdusa.dll
[2012/12/29 23:10:15 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdurdu.dll
[2012/12/29 23:10:14 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdth3.dll
[2012/12/29 23:10:14 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdth2.dll
[2012/12/29 23:10:14 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdth1.dll
[2012/12/29 23:10:14 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdth0.dll
[2012/12/29 23:10:14 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdsyr2.dll
[2012/12/29 23:10:14 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdsyr1.dll
[2012/12/29 23:10:13 | 000,009,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdnecat.dll
[2012/12/29 23:10:13 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdnecnt.dll
[2012/12/29 23:10:13 | 000,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdnec95.dll
[2012/12/29 23:10:12 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdintel.dll
[2012/12/29 23:10:12 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdintam.dll
[2012/12/29 23:10:11 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdinpun.dll
[2012/12/29 23:10:11 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdinmar.dll
[2012/12/29 23:10:11 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdinkan.dll
[2012/12/29 23:10:11 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdinhin.dll
[2012/12/29 23:10:11 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdinguj.dll
[2012/12/29 23:10:11 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdindev.dll
[2012/12/29 23:10:10 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdheb.dll
[2012/12/29 23:10:10 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdfa.dll
[2012/12/29 23:10:10 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdgeo.dll
[2012/12/29 23:10:09 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbddiv2.dll
[2012/12/29 23:10:09 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbddiv1.dll
[2012/12/29 23:10:09 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdarmw.dll
[2012/12/29 23:10:08 | 000,018,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jupiw.dll
[2012/12/29 23:10:08 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd101a.dll
[2012/12/29 23:10:08 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbda3.dll
[2012/12/29 23:10:08 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbda2.dll
[2012/12/29 23:10:08 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbda1.dll
[2012/12/29 23:10:08 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdarme.dll
[2012/12/29 23:10:04 | 000,471,102 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imskdic.dll
[2012/12/29 23:10:04 | 000,315,455 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imskf.dll
[2012/12/29 23:10:03 | 000,274,489 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imjputyc.dll
[2012/12/29 23:10:03 | 000,262,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imjputy.exe
[2012/12/29 23:10:03 | 000,102,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imlang.dll
[2012/12/29 23:10:03 | 000,059,904 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imkrinst.exe
[2012/12/29 23:10:03 | 000,045,109 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imjpuex.exe
[2012/12/29 23:10:02 | 000,307,257 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imjpdct.exe
[2012/12/29 23:10:02 | 000,233,527 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imjprw.exe
[2012/12/29 23:10:02 | 000,208,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imjpmig.exe
[2012/12/29 23:10:02 | 000,155,705 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imjpdsvr.exe
[2012/12/29 23:10:01 | 000,716,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imjpcus.dll
[2012/12/29 23:10:01 | 000,368,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imjpcic.dll
[2012/12/29 23:10:01 | 000,081,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imjpdct.dll
[2012/12/29 23:10:01 | 000,057,398 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imjpdadm.exe
[2012/12/29 23:10:00 | 000,811,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imjp81k.dll
[2012/12/29 23:10:00 | 000,340,023 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imjp81.ime
[2012/12/29 23:10:00 | 000,311,359 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imepadsv.exe
[2012/12/29 23:10:00 | 000,106,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imekrcic.dll
[2012/12/29 23:10:00 | 000,102,463 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imepadsm.dll
[2012/12/29 23:10:00 | 000,094,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imekr61.ime
[2012/12/29 23:10:00 | 000,086,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imekrmbx.dll
[2012/12/29 23:10:00 | 000,044,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\imekrmig.exe
[2012/12/29 23:09:52 | 010,129,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\hwxkor.dll
[2012/12/29 23:09:39 | 010,096,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\hwxcht.dll
[2012/12/29 23:09:36 | 000,036,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\hanjadic.dll
[2012/12/29 23:09:33 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ftlx041e.dll
[2012/12/29 23:09:32 | 000,014,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\flattemp.exe
[2012/12/29 23:09:31 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_fcachdll.dll
[2012/12/29 23:09:29 | 000,057,856 | ---- | C] (SEIKO EPSON CORP.) -- C:\WINDOWS\System32\dllcache\esuimgd.dll
[2012/12/29 23:09:29 | 000,045,056 | ---- | C] (SEIKO EPSON CORP.) -- C:\WINDOWS\System32\dllcache\esunid.dll
[2012/12/29 23:09:29 | 000,031,744 | ---- | C] (SEIKO EPSON CORP.) -- C:\WINDOWS\System32\dllcache\esucmd.dll
[2012/12/29 23:09:29 | 000,025,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\et4000.sys
[2012/12/29 23:09:19 | 000,078,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dayi.ime
[2012/12/29 23:09:17 | 000,018,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cprofile.exe
[2012/12/29 23:09:16 | 000,057,399 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cplexe.exe
[2012/12/29 23:09:13 | 000,480,256 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cintsetp.exe
[2012/12/29 23:09:13 | 000,021,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cintlgnt.ime
[2012/12/29 23:09:12 | 000,198,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cintime.dll
[2012/12/29 23:09:12 | 000,097,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\chtmbx.dll
[2012/12/29 23:09:12 | 000,056,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\chtskdic.dll
[2012/12/29 23:09:11 | 001,677,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\chsbrkr.dll
[2012/12/29 23:09:11 | 000,838,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\chtbrkr.dll
[2012/12/29 23:09:10 | 000,078,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\chajei.ime
[2012/12/29 23:09:10 | 000,015,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\chgport.exe
[2012/12/29 23:09:10 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\chgusr.exe
[2012/12/29 23:09:10 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\chglogon.exe
[2012/12/29 23:09:10 | 000,009,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\change.exe
[2012/12/29 23:09:08 | 000,054,528 | ---- | C] (Philips Semiconductors GmbH) -- C:\WINDOWS\System32\dllcache\cap7146.sys
[2012/12/29 23:09:08 | 000,010,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\c_iscii.dll
[2012/12/29 23:09:08 | 000,006,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\c_is2022.dll
[2012/12/29 23:08:52 | 000,045,056 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_aqadmin.dll
[2012/12/29 23:08:49 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\EXCH_adsiisex.dll
[2012/12/29 22:54:26 | 000,024,661 | ---- | C] (Perle Systems Ltd.) -- C:\WINDOWS\System32\spxcoins.dll
[2012/12/29 22:54:26 | 000,024,661 | ---- | C] (Perle Systems Ltd.) -- C:\WINDOWS\System32\dllcache\spxcoins.dll
[2012/12/29 22:54:26 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\irclass.dll
[2012/12/29 22:54:26 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\irclass.dll
[2012/12/29 01:53:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Norton Internet Security
[2012/12/29 01:35:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Valarie\Application Data\Tific
[2012/12/29 01:35:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Valarie\Local Settings\Application Data\Symantec
[2012/12/28 23:31:01 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\isignup.exe
[2012/12/28 21:47:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Valarie\Desktop\Wedding Slideshow
[2012/12/28 21:47:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Valarie\Desktop\Tesla 6-11-11
[2012/12/28 21:47:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Valarie\Desktop\Music
[2012/12/28 21:47:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Valarie\Desktop\Dances
[2012/12/28 21:47:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Valarie\Desktop\Ceremony
[2012/12/28 21:47:02 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2012/12/28 21:35:55 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Valarie\Recent
[2012/12/28 21:35:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Valarie\Application Data\ShopAtHome
[2012/12/25 18:35:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2012/12/17 19:14:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Valarie\Desktop\Prints
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/01/01 19:01:11 | 000,761,856 | ---- | M] () -- C:\Documents and Settings\Valarie\Desktop\RogueKiller.exe
[2013/01/01 18:59:17 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Valarie\Desktop\pyry6zbi.exe
[2013/01/01 18:58:52 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Valarie\Desktop\OTL.exe
[2013/01/01 18:53:17 | 000,000,908 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/01/01 18:53:01 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/01/01 18:52:21 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/01/01 18:52:12 | 3219,279,872 | -HS- | M] () -- C:\hiberfil.sys
[2013/01/01 03:32:07 | 000,000,282 | -HS- | M] () -- C:\boot.ini
[2013/01/01 03:28:54 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader XI.lnk
[2013/01/01 03:23:56 | 037,868,688 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\Valarie\Desktop\AdbeRdr11000_en_US.exe
[2013/01/01 02:46:00 | 000,000,912 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/12/31 19:34:16 | 000,688,992 | R--- | M] (Swearware) -- C:\Documents and Settings\Valarie\Desktop\dds.com
[2012/12/31 19:11:06 | 000,697,272 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/12/31 19:11:06 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/12/31 19:03:46 | 000,093,640 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2012/12/31 19:03:45 | 000,260,528 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2012/12/31 19:03:45 | 000,174,000 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2012/12/31 19:03:45 | 000,173,992 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2012/12/31 19:03:45 | 000,143,872 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2012/12/31 19:03:44 | 000,859,072 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\npDeployJava1.dll
[2012/12/31 19:03:44 | 000,779,704 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\deployJava1.dll
[2012/12/31 01:33:16 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/12/30 21:53:44 | 000,400,956 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/12/30 21:53:44 | 000,062,028 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/12/30 21:51:12 | 001,046,278 | ---- | M] () -- C:\WINDOWS\System32\drivers\NIS\1402000.013\Cat.DB
[2012/12/30 21:50:06 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/12/30 21:44:55 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\Valarie\Desktop\Google Chrome.lnk
[2012/12/30 21:44:55 | 000,001,791 | ---- | M] () -- C:\Documents and Settings\Valarie\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/12/30 06:19:14 | 000,691,280 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/12/30 05:45:29 | 000,013,946 | ---- | M] () -- C:\WINDOWS\System32\drivers\NIS\1402000.013\VT20121114.016
[2012/12/30 05:27:26 | 001,805,736 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Valarie\Desktop\FixZeroAccess.exe
[2012/12/30 04:52:21 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/12/30 04:39:38 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Valarie\Desktop\Microsoft Office Word 2003.lnk
[2012/12/30 04:13:02 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2012/12/30 01:41:27 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Valarie\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/12/30 01:36:54 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.bak
[2012/12/29 23:12:37 | 000,000,288 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2012/12/29 23:07:40 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2012/12/29 23:07:40 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2012/12/29 23:07:24 | 000,004,161 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI
[2012/12/29 23:05:21 | 000,023,428 | ---- | M] () -- C:\WINDOWS\System32\emptyregdb.dat
[2012/12/29 23:04:06 | 000,000,989 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[2012/12/29 22:56:19 | 000,004,128 | ---- | M] () -- C:\INFCACHE.1
[2012/12/29 22:38:51 | 000,389,466 | ---- | M] () -- C:\WINDOWS\setupapi.old
[2012/12/29 01:53:09 | 000,001,973 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton Internet Security.LNK
[2012/12/29 01:51:09 | 000,142,496 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2012/12/29 01:51:09 | 000,007,446 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2012/12/29 01:51:09 | 000,000,806 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2012/12/29 01:39:41 | 000,001,940 | ---- | M] () -- C:\Documents and Settings\Valarie\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2012/12/26 21:43:51 | 000,000,186 | ---- | M] () -- C:\Documents and Settings\Valarie\Desktop\Ravelry.url
[2012/12/26 21:23:17 | 000,000,325 | ---- | M] () -- C:\Documents and Settings\Valarie\Desktop\eBay .url
[2012/12/16 06:23:59 | 000,290,560 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\dllcache\atmfd.dll
[2012/12/16 06:23:59 | 000,290,560 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\atmfd.dll
[2012/12/14 16:49:28 | 000,021,104 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/01/01 19:01:06 | 000,761,856 | ---- | C] () -- C:\Documents and Settings\Valarie\Desktop\RogueKiller.exe
[2013/01/01 18:59:15 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Valarie\Desktop\pyry6zbi.exe
[2013/01/01 03:28:53 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader XI.lnk
[2013/01/01 03:28:53 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader XI.lnk
[2012/12/31 01:37:37 | 3219,279,872 | -HS- | C] () -- C:\hiberfil.sys
[2012/12/30 21:44:55 | 000,001,813 | ---- | C] () -- C:\Documents and Settings\Valarie\Desktop\Google Chrome.lnk
[2012/12/30 21:44:55 | 000,001,791 | ---- | C] () -- C:\Documents and Settings\Valarie\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/12/30 21:41:14 | 000,000,912 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/12/30 21:41:14 | 000,000,908 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/12/30 04:52:20 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/12/30 01:36:54 | 000,002,422 | ---- | C] () -- C:\WINDOWS\System32\wpa.bak
[2012/12/29 23:10:50 | 000,175,104 | ---- | C] () -- C:\WINDOWS\System32\dllcache\pintlcsa.dll
[2012/12/29 23:10:16 | 001,158,818 | ---- | C] () -- C:\WINDOWS\System32\dllcache\korwbrkr.lex
[2012/12/29 23:10:03 | 000,059,392 | ---- | C] () -- C:\WINDOWS\System32\dllcache\imscinst.exe
[2012/12/29 23:10:02 | 000,196,665 | ---- | C] () -- C:\WINDOWS\System32\dllcache\imjpinst.exe
[2012/12/29 23:09:59 | 000,134,339 | ---- | C] () -- C:\WINDOWS\System32\dllcache\imekr.lex
[2012/12/29 23:09:45 | 013,463,552 | ---- | C] () -- C:\WINDOWS\System32\dllcache\hwxjpn.dll
[2012/12/29 23:09:36 | 000,108,827 | ---- | C] () -- C:\WINDOWS\System32\dllcache\hanja.lex
[2012/12/29 23:09:12 | 000,173,568 | ---- | C] () -- C:\WINDOWS\System32\dllcache\chtskf.dll
[2012/12/29 22:54:11 | 000,008,574 | ---- | C] () -- C:\WINDOWS\System32\dllcache\IASNT4.CAT
[2012/12/29 22:54:11 | 000,007,382 | ---- | C] () -- C:\WINDOWS\System32\dllcache\OEMBIOS.CAT
[2012/12/29 22:54:10 | 001,042,903 | ---- | C] () -- C:\WINDOWS\System32\dllcache\SP2.CAT
[2012/12/29 22:54:10 | 000,797,189 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5IIS.CAT
[2012/12/29 22:54:10 | 000,399,645 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MAPIMIG.CAT
[2012/12/29 22:54:10 | 000,037,484 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MW770.CAT
[2012/12/29 22:54:10 | 000,013,472 | ---- | C] () -- C:\WINDOWS\System32\dllcache\HPCRDP.CAT
[2012/12/28 23:31:15 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Movie Maker.lnk
[2012/12/28 23:28:59 | 000,000,609 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Messenger.lnk
[2012/12/28 23:17:19 | 000,001,393 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2012/12/28 23:16:43 | 000,007,334 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmerrenu.cat
[2012/12/28 23:15:57 | 000,389,466 | ---- | C] () -- C:\WINDOWS\setupapi.old
[2012/02/15 07:15:08 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/08/22 18:03:15 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2011/03/22 15:46:34 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Valarie\Application Data\wklnhst.dat
[2011/01/04 15:34:36 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\Valarie\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2010/04/21 15:29:15 | 000,000,108 | ---- | C] () -- C:\Documents and Settings\Valarie\webct_upload_applet.properties
[2009/12/12 14:41:42 | 000,022,528 | ---- | C] () -- C:\Documents and Settings\Valarie\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/12 12:27:58 | 000,000,142 | ---- | C] () -- C:\Documents and Settings\Valarie\Local Settings\Application Data\fusioncache.dat

========== ZeroAccess Check ==========

[2004/08/10 12:09:48 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/14 05:42:06 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 06:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/14 05:42:10 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >

OTL Extras logfile created on: 1/1/2013 7:02:27 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Valarie\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.48 Gb Available Physical Memory | 82.76% Memory free
4.84 Gb Paging File | 4.37 Gb Available in Paging File | 90.23% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 145.20 Gb Total Space | 102.01 Gb Free Space | 70.26% Space Free | Partition Type: NTFS

Computer Name: D1VJGPB1 | User Name: Valarie | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-2400598717-4008163567-1341937095-1007\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA
"{162D2FB8-60A3-4871-B6A1-5C744CD34FF5}" = 725plc32
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Roxio MyDVD LE
"{26A24AE4-039D-4CA4-87B4-2F83217010FF}" = Java 7 Update 10
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{352310C3-E46B-42D3-8F32-54721FDD72D9}" = NetZeroInstallers
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = URL Assistant
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}" = Dell CinePlayer
"{4667B940-BB01-428B-986E-A0CC46497BF7}" = ELIcon
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}" = Banctec Service Agreement
"{548EEA8E-8299-497F-8057-811D2D7097DC}" = Dell Support 3.1
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}" = Digital Content Portal
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{728278A1-0BB7-45E4-AC5E-91D7C0FD1EDE}" = EarthLink setup files
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{7A3F0566-5E05-4919-9C98-456F6B5CF831}" = Get High Speed Internet!
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}" = Intel® PROSet for Wired Connections
"{85D3CC30-8859-481A-9654-FD9B74310BEF}" = Musicmatch® Jukebox
"{8A9B8148-DDD7-448F-BD6C-358386D32354}" = Corel Photo Album 6
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{91CA0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Small Business Edition 2003
"{952682F8-F40D-11D7-AD8E-0050DA87D0EB}" = Print Workshop 2004 LE
"{A683A2C0-821C-486F-858C-FA634DB5E864}" = EducateU
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio
"{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}" = Dell Media Experience
"{AC76BA86-7AD7-1033-7B44-AB0000000001}" = Adobe Reader XI
"{B0DF58A2-40DF-4465-AA56-38623EC9938C}" = Documentation & Support Launcher
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy
"{B6884A07-0305-47AE-9969-8F26FADC17DE}" = Games, Music, & Photos Launcher
"{BA68600E-96D9-4E92-80F2-26B9681B5A63}" = Microsoft Office Outlook 2003 with Business Contact Manager Update
"{C41F4616-44B6-4E8D-BFC7-4267862A2CE1}" = CinepPlayer 30 Update
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D2988E9B-C73F-422C-AD4B-A66EBE257120}" = MCU
"{DF6A589A-7A1A-430C-9FF2-A0BDB42669DC}" = Search Assist
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
"{E42BD75A-FC23-4E3F-9F91-2658334C644F}" = Internet Service Offers Launcher
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA" = SCRABBLE
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"ATI Display Driver" = ATI Display Driver
"CCleaner" = CCleaner
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"Dell Game Console" = Dell Game Console
"ESET Online Scanner" = ESET Online Scanner v3
"Google Chrome" = Google Chrome
"HijackThis" = HijackThis 2.0.2
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.70.0.1100
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"NIS" = Norton Internet Security
"PROSet" = Intel® PRO Network Connections Drivers
"QuickTime" = QuickTime
"RealPlayer 6.0" = RealPlayer Basic
"Scrabble" = Scrabble
"StreetPlugin" = Learn2 Player (Uninstall Only)
"The Print Shop Premier Edition 5.0" = The Print Shop Premier Edition 5.0
"WildTangent CDA" = WildTangent Web Driver
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 11/22/2012 12:49:35 PM | Computer Name = D1VJGPB1 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module mshtml.dll, version 8.0.6001.19328, fault address 0x000b9ed8.

Error - 11/26/2012 4:37:58 PM | Computer Name = D1VJGPB1 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module mshtml.dll, version 8.0.6001.19328, fault address 0x000de25d.

Error - 11/26/2012 4:41:53 PM | Computer Name = D1VJGPB1 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module mshtml.dll, version 8.0.6001.19328, fault address 0x000de25d.

Error - 12/4/2012 3:04:33 PM | Computer Name = D1VJGPB1 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module mshtml.dll, version 8.0.6001.19328, fault address 0x0029d40a.

Error - 12/29/2012 1:59:19 AM | Computer Name = D1VJGPB1 | Source = COM+ | ID = 135763
Description = The run-time environment was unable to initialize for transactions
required to support transactional components. Make sure that MS-DTC is running.
(DtcGetTransactionManagerEx(): hr = 0x8004d01

Error - 12/29/2012 3:51:28 AM | Computer Name = D1VJGPB1 | Source = Windows Product Activation | ID = 1009
Description = You have not activated Windows within the grace period. To activate
Windows, contact a customer service representative by telephone.

Error - 12/29/2012 3:53:15 AM | Computer Name = D1VJGPB1 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 12/29/2012 3:53:15 AM | Computer Name = D1VJGPB1 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 12/30/2012 6:25:15 AM | Computer Name = D1VJGPB1 | Source = Microsoft Office 11 | ID = 2001
Description = Rejected Safe Mode action : Microsoft Office Word.

Error - 12/30/2012 6:26:38 AM | Computer Name = D1VJGPB1 | Source = Application Error | ID = 1000
Description = Faulting application acrord32.exe, version 6.0.2.126, faulting module
msvcrt.dll, version 7.0.2600.5512, fault address 0x000370d0.

[ System Events ]
Error - 12/30/2012 6:33:03 AM | Computer Name = D1VJGPB1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 12/30/2012 6:36:14 AM | Computer Name = D1VJGPB1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 12/30/2012 11:55:47 PM | Computer Name = D1VJGPB1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 12/30/2012 11:56:50 PM | Computer Name = D1VJGPB1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
BHDrvx86 ccSet_NIS eeCtrl Fips intelppm SRTSP SRTSPX SymIRON SYMTDI

Error - 12/30/2012 11:58:55 PM | Computer Name = D1VJGPB1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 12/31/2012 3:00:16 AM | Computer Name = D1VJGPB1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 12/31/2012 3:01:15 AM | Computer Name = D1VJGPB1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
BHDrvx86 ccSet_NIS eeCtrl Fips intelppm SRTSP SRTSPX SymIRON SYMTDI

Error - 12/31/2012 3:01:21 AM | Computer Name = D1VJGPB1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 12/31/2012 3:20:09 AM | Computer Name = D1VJGPB1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 12/31/2012 3:36:26 AM | Computer Name = D1VJGPB1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}


< End of report >

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2013-01-01 20:26:56
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17 WDC_WD1600JS-75NCB3 rev.10.02E04
Running: pyry6zbi.exe; Driver: C:\DOCUME~1\VALARI~1\LOCALS~1\Temp\fxlyapow.sys


---- System - GMER 1.0.15 ----

SSDT 8AC6F348 ZwAlertResumeThread
SSDT 8B01BCF8 ZwAlertThread
SSDT 8AB78240 ZwAllocateVirtualMemory
SSDT 8AC964C0 ZwAssignProcessToJobObject
SSDT 8B00EF20 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB76BBED0]
SSDT 8ABDF200 ZwCreateMutant
SSDT 8AE6AB80 ZwCreateSymbolicLinkObject
SSDT 8AC7D930 ZwCreateThread
SSDT 8B0528B8 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB76BC150]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB76BC810]
SSDT 8AB982A8 ZwDuplicateObject
SSDT 8AB52818 ZwFreeVirtualMemory
SSDT 8ABE01F8 ZwImpersonateAnonymousToken
SSDT 8ABE0298 ZwImpersonateThread
SSDT 8B026660 ZwLoadDriver
SSDT 8AC9CB80 ZwMapViewOfSection
SSDT 8AFDE0B0 ZwOpenEvent
SSDT 8ABC2A70 ZwOpenProcess
SSDT 8AB531F8 ZwOpenProcessToken
SSDT 8ABD7230 ZwOpenSection
SSDT 8B0578E0 ZwOpenThread
SSDT 8B0355B0 ZwProtectVirtualMemory
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwRenameKey [0xB76BCD80]
SSDT 8B01BDB8 ZwResumeThread
SSDT 8AC9EE18 ZwSetContextThread
SSDT 8B04D5F8 ZwSetInformationProcess
SSDT 8B052978 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB76BCAA0]
SSDT 8ABD72D0 ZwSuspendProcess
SSDT 8AC950D0 ZwSuspendThread
SSDT 8AB54A98 ZwTerminateProcess
SSDT 8AC9ED58 ZwTerminateThread
SSDT 8B042908 ZwUnmapViewOfSection
SSDT 8AB528E8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 3030 80504928 4 Bytes CALL DCDAFE55

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Java\jre7\bin\jqs.exe[172] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00390048
.text C:\Program Files\Java\jre7\bin\jqs.exe[172] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 0037004C
.text C:\Program Files\Java\jre7\bin\jqs.exe[172] ADVAPI32.dll!OpenSCManagerW + A3 77DE6FF8 7 Bytes JMP 0039020E
.text C:\Program Files\Java\jre7\bin\jqs.exe[172] ADVAPI32.dll!LogonUserExW + 461 77DF4A04 7 Bytes JMP 0039012A
.text C:\Program Files\Java\jre7\bin\jqs.exe[172] ADVAPI32.dll!SystemFunction025 + 8D 77DF4C61 7 Bytes JMP 00390682
.text C:\Program Files\Java\jre7\bin\jqs.exe[172] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36E64 7 Bytes JMP 0039059E
.text C:\Program Files\Java\jre7\bin\jqs.exe[172] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36FFC 7 Bytes JMP 003903D6
.text C:\Program Files\Java\jre7\bin\jqs.exe[172] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3720C 2 Bytes JMP 003902F2
.text C:\Program Files\Java\jre7\bin\jqs.exe[172] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E3720F 4 Bytes [55, 88, EB, F9] {PUSH EBP; MOV BL, CH; STC }
.text C:\Program Files\Java\jre7\bin\jqs.exe[172] ADVAPI32.dll!CreateServiceA + 193 77E373A4 7 Bytes JMP 003904BA
.text C:\Program Files\Java\jre7\bin\jqs.exe[172] ADVAPI32.dll!CreateServiceW + 103 77E374AC 7 Bytes JMP 00390766
.text C:\Program Files\Java\jre7\bin\jqs.exe[172] USER32.dll!DeviceEventWorker + 178 7E45A270 7 Bytes JMP 0039084A
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[284] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00380048
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[284] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 002E004C
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[284] ADVAPI32.dll!OpenSCManagerW + A3 77DE6FF8 7 Bytes JMP 0038020E
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[284] ADVAPI32.dll!LogonUserExW + 461 77DF4A04 7 Bytes JMP 0038012A
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[284] ADVAPI32.dll!SystemFunction025 + 8D 77DF4C61 7 Bytes JMP 00380682
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[284] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36E64 7 Bytes JMP 0038059E
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[284] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36FFC 7 Bytes JMP 003803D6
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[284] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3720C 2 Bytes JMP 003802F2
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[284] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E3720F 4 Bytes [54, 88, EB, F9] {PUSH ESP; MOV BL, CH; STC }
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[284] ADVAPI32.dll!CreateServiceA + 193 77E373A4 7 Bytes JMP 003804BA
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[284] ADVAPI32.dll!CreateServiceW + 103 77E374AC 7 Bytes JMP 00380766
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe[284] USER32.dll!DeviceEventWorker + 178 7E45A270 7 Bytes JMP 0038084A
.text C:\Documents and Settings\Valarie\Desktop\pyry6zbi.exe[1000] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00390048
.text C:\Documents and Settings\Valarie\Desktop\pyry6zbi.exe[1000] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 0037004C
.text C:\Documents and Settings\Valarie\Desktop\pyry6zbi.exe[1000] ADVAPI32.dll!OpenSCManagerW + A3 77DE6FF8 7 Bytes JMP 0039020E
.text C:\Documents and Settings\Valarie\Desktop\pyry6zbi.exe[1000] ADVAPI32.dll!LogonUserExW + 461 77DF4A04 7 Bytes JMP 0039012A
.text C:\Documents and Settings\Valarie\Desktop\pyry6zbi.exe[1000] ADVAPI32.dll!SystemFunction025 + 8D 77DF4C61 7 Bytes JMP 00390682
.text C:\Documents and Settings\Valarie\Desktop\pyry6zbi.exe[1000] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36E64 7 Bytes JMP 0039059E
.text C:\Documents and Settings\Valarie\Desktop\pyry6zbi.exe[1000] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36FFC 7 Bytes JMP 003903D6
.text C:\Documents and Settings\Valarie\Desktop\pyry6zbi.exe[1000] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3720C 2 Bytes JMP 003902F2
.text C:\Documents and Settings\Valarie\Desktop\pyry6zbi.exe[1000] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E3720F 4 Bytes [55, 88, EB, F9] {PUSH EBP; MOV BL, CH; STC }
.text C:\Documents and Settings\Valarie\Desktop\pyry6zbi.exe[1000] ADVAPI32.dll!CreateServiceA + 193 77E373A4 7 Bytes JMP 003904BA
.text C:\Documents and Settings\Valarie\Desktop\pyry6zbi.exe[1000] ADVAPI32.dll!CreateServiceW + 103 77E374AC 7 Bytes JMP 00390766
.text C:\Documents and Settings\Valarie\Desktop\pyry6zbi.exe[1000] USER32.dll!DeviceEventWorker + 178 7E45A270 7 Bytes JMP 0039084A
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[2104] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003E0048
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[2104] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003C004C
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[2104] ADVAPI32.dll!OpenSCManagerW + A3 77DE6FF8 7 Bytes JMP 003E020E
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[2104] ADVAPI32.dll!LogonUserExW + 461 77DF4A04 7 Bytes JMP 003E012A
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[2104] ADVAPI32.dll!SystemFunction025 + 8D 77DF4C61 7 Bytes JMP 003E0682
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[2104] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36E64 7 Bytes JMP 003E059E
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[2104] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36FFC 7 Bytes JMP 003E03D6
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[2104] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3720C 2 Bytes JMP 003E02F2
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[2104] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E3720F 4 Bytes [5A, 88, EB, F9] {POP EDX; MOV BL, CH; STC }
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[2104] ADVAPI32.dll!CreateServiceA + 193 77E373A4 7 Bytes JMP 003E04BA
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[2104] ADVAPI32.dll!CreateServiceW + 103 77E374AC 7 Bytes JMP 003E0766
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[2104] USER32.dll!DeviceEventWorker + 178 7E45A270 7 Bytes JMP 003E084A
.text C:\WINDOWS\stsystra.exe[2216] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00380048
.text C:\WINDOWS\stsystra.exe[2216] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 0036004C
.text C:\WINDOWS\stsystra.exe[2216] USER32.dll!DeviceEventWorker + 178 7E45A270 7 Bytes JMP 0038084A
.text C:\WINDOWS\stsystra.exe[2216] ADVAPI32.dll!OpenSCManagerW + A3 77DE6FF8 7 Bytes JMP 0038020E
.text C:\WINDOWS\stsystra.exe[2216] ADVAPI32.dll!LogonUserExW + 461 77DF4A04 7 Bytes JMP 0038012A
.text C:\WINDOWS\stsystra.exe[2216] ADVAPI32.dll!SystemFunction025 + 8D 77DF4C61 7 Bytes JMP 00380682
.text C:\WINDOWS\stsystra.exe[2216] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E36E64 7 Bytes JMP 0038059E
.text C:\WINDOWS\stsystra.exe[2216] ADVAPI32.dll!ChangeServiceConfigA + 193 77E36FFC 7 Bytes JMP 003803D6
.text C:\WINDOWS\stsystra.exe[2216] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E3720C 2 Bytes JMP 003802F2
.text C:\WINDOWS\stsystra.exe[2216] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E3720F 4 Bytes [54, 88, EB, F9] {PUSH ESP; MOV BL, CH; STC }
.text C:\WINDOWS\stsystra.exe[2216] ADVAPI32.dll!CreateServiceA + 193 77E373A4 7 Bytes JMP 003804BA
.text C:\WINDOWS\stsystra.exe[2216] ADVAPI32.dll!CreateServiceW + 103 77E374AC 7 Bytes JMP 00380766

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device B39FDD20
Device B3A019F2

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----

RogueKiller V8.4.2 [Dec 31 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Valarie [Admin rights]
Mode : Scan -- Date : 01/01/2013 20:32:01

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[12] : NtAlertResumeThread @ 0x805D4BDC -> HOOKED (Unknown @ 0x8AC6F348)
SSDT[13] : NtAlertThread @ 0x805D4B8C -> HOOKED (Unknown @ 0x8B01BCF8)
SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AC2 -> HOOKED (Unknown @ 0x8AB78240)
SSDT[19] : NtAssignProcessToJobObject @ 0x805D66A0 -> HOOKED (Unknown @ 0x8AC964C0)
SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x8B00EF20)
SSDT[43] : NtCreateMutant @ 0x806176AE -> HOOKED (Unknown @ 0x8ABDF200)
SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A02 -> HOOKED (Unknown @ 0x8AE6AB80)
SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0x8AC7D930)
SSDT[57] : NtDebugActiveProcess @ 0x80643B3E -> HOOKED (Unknown @ 0x8B0528B8)
SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0x8AB982A8)
SSDT[83] : NtFreeVirtualMemory @ 0x805B2FBA -> HOOKED (Unknown @ 0x8AB52818)
SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9258 -> HOOKED (Unknown @ 0x8ABE01F8)
SSDT[91] : NtImpersonateThread @ 0x805D7860 -> HOOKED (Unknown @ 0x8ABE0298)
SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x8B026660)
SSDT[108] : unknown @ 0x805B2042 -> HOOKED (Unknown @ 0x8AC9CB80)
SSDT[114] : NtOpenEvent @ 0x8060F06C -> HOOKED (Unknown @ 0x8AFDE0B0)
SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (Unknown @ 0x8ABC2A70)
SSDT[123] : NtOpenProcessToken @ 0x805EDF26 -> HOOKED (Unknown @ 0x8AB531F8)
SSDT[125] : NtOpenSection @ 0x805AA3F4 -> HOOKED (Unknown @ 0x8ABD7230)
SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (Unknown @ 0x8B0578E0)
SSDT[137] : NtProtectVirtualMemory @ 0x805B8426 -> HOOKED (Unknown @ 0x8B0355B0)
SSDT[206] : NtResumeThread @ 0x805D4A18 -> HOOKED (Unknown @ 0x8B01BDB8)
SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0x8AC9EE18)
SSDT[228] : NtSetInformationProcess @ 0x805CDEA0 -> HOOKED (Unknown @ 0x8B04D5F8)
SSDT[240] : NtSetSystemInformation @ 0x8060FD24 -> HOOKED (Unknown @ 0x8B052978)
SSDT[253] : NtSuspendProcess @ 0x805D4AE0 -> HOOKED (Unknown @ 0x8ABD72D0)
SSDT[254] : NtSuspendThread @ 0x805D4952 -> HOOKED (Unknown @ 0x8AC950D0)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0x8AB54A98)
SSDT[258] : unknown @ 0x805D24D2 -> HOOKED (Unknown @ 0x8AC9ED58)
SSDT[267] : NtUnmapViewOfSection @ 0x805B2E50 -> HOOKED (Unknown @ 0x8B042908)
SSDT[277] : NtWriteVirtualMemory @ 0x805B43D4 -> HOOKED (Unknown @ 0x8AB528E8)
S_SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8A4250A8)
S_SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8A421058)
S_SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8A427080)
S_SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8AB94260)
S_SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8A4220D0)
S_SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x8AB70DA0)
S_SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x8B054868)
S_SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8AB73F60)
S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8A43E1B8)
S_SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8A4230C0)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD1600JS-75NCB3 +++++
--- User ---
[MBR] ad995c7bbee62ab59ab09b611bcb3cd9
[BSP] 74c3e5f98933aa316c7c225b4c7cf3a6 : Dell MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 47 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 96390 | Size: 148679 Mo
2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 304592400 | Size: 3859 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_01012013_02d2032.txt >>
RKreport[1]_S_01012013_02d2032.txt

#4 Jintan

Jintan

  • Malware Response Team
  • 531 posts

Posted 02 January 2013 - 06:21 PM

Definitely a rootkit still active there.

Be sure to continue to temporarily disable any protective software when running the scan tools we use here.



Run RogueKiller again.

• Please quit all programs
• Run RogueKiller
• Wait until the Prescan finishes
• Press: Scan


• On the RogueKiller console, click the Registry tab.
• Make sure the entries there are checked.
• Then, press the [Delete] button.

Please post the RKreport (Mode: Delete) created on the Desktop.

---------

Delete any existing copies of ComboFix, and download ComboFix.exe from here to your desktop, then click that to run that scan. Agree to any warnings you might receive.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.
Ad eundum quo no duck ante iit

#5 c23dr

c23dr
  • Topic Starter

  • Members
  • 12 posts

Posted 02 January 2013 - 08:04 PM

I figured there was still something there; this computer was so badly infected. Thanks so much for helping me with this.

RogueKiller V8.4.2 [Dec 31 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Valarie [Admin rights]
Mode : Remove -- Date : 01/02/2013 18:34:25

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[12] : NtAlertResumeThread @ 0x805D4BDC -> HOOKED (Unknown @ 0x8AB64760)
SSDT[13] : NtAlertThread @ 0x805D4B8C -> HOOKED (Unknown @ 0x8AB64840)
SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AC2 -> HOOKED (Unknown @ 0x8ABC21B8)
SSDT[19] : NtAssignProcessToJobObject @ 0x805D66A0 -> HOOKED (Unknown @ 0x8AB978B0)
SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x8ACBB280)
SSDT[43] : NtCreateMutant @ 0x806176AE -> HOOKED (Unknown @ 0x8AB97E58)
SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A02 -> HOOKED (Unknown @ 0x8AB976D0)
SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0x8AB9A178)
SSDT[57] : NtDebugActiveProcess @ 0x80643B3E -> HOOKED (Unknown @ 0x8AB97990)
SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0x8AB8D1A8)
SSDT[83] : NtFreeVirtualMemory @ 0x805B2FBA -> HOOKED (Unknown @ 0x8AB40D68)
SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9258 -> HOOKED (Unknown @ 0x8AB97F48)
SSDT[91] : NtImpersonateThread @ 0x805D7860 -> HOOKED (Unknown @ 0x8AB64680)
SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x8B0244B8)
SSDT[108] : unknown @ 0x805B2042 -> HOOKED (Unknown @ 0x8AB63710)
SSDT[114] : NtOpenEvent @ 0x8060F06C -> HOOKED (Unknown @ 0x8AB97D78)
SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (Unknown @ 0x8ABAE168)
SSDT[123] : NtOpenProcessToken @ 0x805EDF26 -> HOOKED (Unknown @ 0x8AB921C0)
SSDT[125] : NtOpenSection @ 0x805AA3F4 -> HOOKED (Unknown @ 0x8AB97BB8)
SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (Unknown @ 0x8ABA11A8)
SSDT[137] : NtProtectVirtualMemory @ 0x805B8426 -> HOOKED (Unknown @ 0x8AB977C0)
SSDT[206] : NtResumeThread @ 0x805D4A18 -> HOOKED (Unknown @ 0x8AB64920)
SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0x8AB64BC0)
SSDT[228] : NtSetInformationProcess @ 0x805CDEA0 -> HOOKED (Unknown @ 0x8AB64CA0)
SSDT[240] : NtSetSystemInformation @ 0x8060FD24 -> HOOKED (Unknown @ 0x8AB97A70)
SSDT[253] : NtSuspendProcess @ 0x805D4AE0 -> HOOKED (Unknown @ 0x8AB97C98)
SSDT[254] : NtSuspendThread @ 0x805D4952 -> HOOKED (Unknown @ 0x8AB64A00)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0x8ABC71D8)
SSDT[258] : unknown @ 0x805D24D2 -> HOOKED (Unknown @ 0x8AB64AE0)
SSDT[267] : NtUnmapViewOfSection @ 0x805B2E50 -> HOOKED (Unknown @ 0x8AB64D90)
SSDT[277] : NtWriteVirtualMemory @ 0x805B43D4 -> HOOKED (Unknown @ 0x8AB41250)
S_SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8AB6D730)
S_SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8AB47890)
S_SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8A43E550)
S_SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8A506760)
S_SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8ABA38A8)
S_SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x8AA69738)
S_SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x8AB5F5C8)
S_SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8AB5F4F8)
S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8AB41400)
S_SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8AB67938)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD1600JS-75NCB3 +++++
--- User ---
[MBR] ad995c7bbee62ab59ab09b611bcb3cd9
[BSP] 74c3e5f98933aa316c7c225b4c7cf3a6 : Dell MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 47 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 96390 | Size: 148679 Mo
2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 304592400 | Size: 3859 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[3]_D_01022013_02d1834.txt >>
RKreport[1]_S_01012013_02d2032.txt ; RKreport[2]_S_01022013_02d1833.txt ; RKreport[3]_D_01022013_02d1834.txt

ComboFix 13-01-02.02 - Valarie 01/02/2013 18:41:23.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2524 [GMT -6:00]
Running from: c:\documents and settings\Valarie\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((( Files Created from 2012-12-03 to 2013-01-03 )))))))))))))))))))))))))))))))
.
.
2013-01-02 02:35 . 2013-01-02 02:36 -------- d-----w- C:\RK_Quarantine
2013-01-01 08:30 . 2013-01-01 08:30 -------- d-----w- c:\documents and settings\Valarie\Local Settings\Application Data\Sun
2013-01-01 01:11 . 2013-01-01 01:11 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-01 01:04 . 2013-01-01 01:04 -------- d-----w- c:\program files\Common Files\Java
2013-01-01 01:04 . 2013-01-01 01:03 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-01-01 01:04 . 2013-01-01 01:03 859072 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-01-01 01:04 . 2013-01-01 01:03 93640 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-01-01 01:02 . 2013-01-01 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-12-31 07:54 . 2012-12-31 07:54 -------- d-----w- c:\windows\system32\LogFiles
2012-12-30 12:48 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2012-12-30 12:48 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2012-12-30 12:48 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2012-12-30 12:47 . 2011-07-15 13:29 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2012-12-30 12:47 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2012-12-30 12:45 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2012-12-30 12:45 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2012-12-30 12:42 . 2010-08-27 08:02 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2012-12-30 12:42 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2012-12-30 12:42 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2012-12-30 12:42 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2012-12-30 12:42 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2012-12-30 12:42 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2012-12-30 12:42 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2012-12-30 12:42 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2012-12-30 12:42 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2012-12-30 12:41 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2012-12-30 12:40 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-12-30 12:40 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2012-12-30 12:40 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2012-12-30 12:36 . 2012-05-28 18:16 536576 -c----w- c:\windows\system32\dllcache\msado15.dll
2012-12-30 12:35 . 2010-06-18 13:36 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2012-12-30 12:35 . 2012-07-04 14:05 139784 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2012-12-30 12:34 . 2012-08-21 13:33 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2012-12-30 12:34 . 2012-08-21 13:29 2192896 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2012-12-30 12:34 . 2010-12-09 15:15 718336 -c----w- c:\windows\system32\dllcache\ntdll.dll
2012-12-30 12:34 . 2012-08-21 12:58 2027520 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2012-12-30 12:34 . 2012-08-21 12:58 2069632 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2012-12-30 12:34 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-12-30 12:32 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2012-12-30 11:56 . 2012-12-30 11:56 -------- d-----w- c:\documents and settings\Valarie\Application Data\FixZeroAccess
2012-12-30 11:54 . 2010-08-16 08:45 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2012-12-30 11:50 . 2012-12-16 12:23 290560 -c----w- c:\windows\system32\dllcache\atmfd.dll
2012-12-30 11:49 . 2012-11-01 12:17 630272 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2012-12-30 11:49 . 2012-11-01 12:17 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-12-30 11:49 . 2012-11-01 12:17 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-12-30 11:49 . 2012-11-01 12:17 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-12-30 11:49 . 2012-11-01 12:17 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-12-30 11:49 . 2012-11-01 12:17 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
2012-12-30 11:49 . 2012-11-01 12:17 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-12-30 11:49 . 2012-11-01 12:17 11111424 -c----w- c:\windows\system32\dllcache\ieframe.dll
2012-12-30 10:52 . 2012-12-30 10:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-12-30 10:52 . 2012-12-14 22:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-30 10:35 . 2012-12-30 10:35 -------- d-----w- C:\TDSSKiller_Quarantine
2012-12-30 10:00 . 2012-06-05 15:50 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll
2012-12-30 10:00 . 2008-04-14 04:57 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2012-12-30 10:00 . 2008-04-14 11:41 81920 ------w- c:\windows\system32\ieencode.dll
2012-12-30 09:50 . 2006-12-29 06:31 19569 ----a-w- c:\windows\003090_.tmp
2012-12-30 05:10 . 2006-02-28 12:00 14848 -c--a-w- c:\windows\system32\dllcache\register.exe
2012-12-30 05:09 . 2006-02-28 12:00 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2012-12-30 05:08 . 2001-08-18 04:36 45056 -c--a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll
2012-12-30 05:08 . 2001-08-18 04:36 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2012-12-30 05:00 . 2008-04-14 11:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-12-30 04:54 . 2006-02-28 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2012-12-30 04:54 . 2006-02-28 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2012-12-30 04:54 . 2006-02-28 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2012-12-30 04:54 . 2006-02-28 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2012-12-30 04:54 . 2006-02-28 12:00 14573 ----a-r- c:\windows\SET81.tmp
2012-12-30 04:54 . 2006-02-28 12:00 13753 ----a-r- c:\windows\SET4E.tmp
2012-12-30 04:53 . 2006-02-28 12:00 1086058 ----a-r- c:\windows\SET42.tmp
2012-12-30 04:53 . 2006-02-28 12:00 1042903 ----a-r- c:\windows\SET3F.tmp
2012-12-29 07:49 . 2012-12-30 10:55 -------- d-----w- c:\windows\system32\drivers\NIS\1402000.013
2012-12-29 07:35 . 2012-12-29 07:35 -------- d-----w- c:\documents and settings\Valarie\Application Data\Tific
2012-12-29 07:35 . 2012-12-29 07:35 -------- d-----w- c:\documents and settings\Valarie\Local Settings\Application Data\Symantec
2012-12-29 05:31 . 2006-02-28 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2012-12-29 05:31 . 2006-02-28 12:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2012-12-29 05:16 . 2006-02-28 12:00 14573 ----a-r- c:\windows\SET169.tmp
2012-12-29 05:16 . 2006-02-28 12:00 13753 ----a-r- c:\windows\SET136.tmp
2012-12-29 05:16 . 2006-02-28 12:00 1086058 ----a-r- c:\windows\SET12A.tmp
2012-12-29 05:16 . 2006-02-28 12:00 1042903 ----a-r- c:\windows\SET127.tmp
2012-12-29 05:15 . 2012-12-29 05:15 -------- d-s---w- c:\windows\system32\config\systemprofile\History
2012-12-29 03:50 . 2012-12-29 03:50 -------- d-----w- c:\windows\system32\wbem\Repository
2012-12-29 03:35 . 2012-12-29 03:47 -------- d-----w- c:\documents and settings\Valarie\Application Data\ShopAtHome
2012-12-28 03:59 . 2012-12-29 03:36 -------- d-s---w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-01 01:11 . 2011-06-16 01:01 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-01 01:03 . 2010-05-26 22:10 779704 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-29 07:51 . 2009-12-15 00:09 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-12-16 12:23 . 2006-02-28 12:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 01:25 . 2006-02-28 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-02 02:02 . 2006-02-28 12:00 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-08-29 98304]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 282624]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-09-24 02:43 926896 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 11:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-11-01 08:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 15:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 15:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-08-29 21:08 98304 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 15:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1402000.013\SymDS.sys [12/29/2012 1:49 AM 368288]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1402000.013\SymEFA.sys [12/29/2012 1:49 AM 927904]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\Definitions\BASHDefs\20121130.005\BHDrvx86.sys [11/29/2012 5:13 PM 995488]
R1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NIS\1402000.013\ccSetx86.sys [12/29/2012 1:49 AM 134304]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1402000.013\Ironx86.sys [12/29/2012 1:49 AM 175264]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\20.2.0.19\ccSvcHst.exe [12/29/2012 1:49 AM 143928]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/15/2012 1:08 AM 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\Definitions\IPSDefs\20121230.001\IDSXpx86.sys [12/30/2012 9:30 PM 373728]
S0 tqsr;tqsr;c:\windows\system32\drivers\goapkqmb.sys --> c:\windows\system32\drivers\goapkqmb.sys [?]
S3 EraserUtilDrv11220;EraserUtilDrv11220;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11220.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11220.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - TrueSight
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-12-31 03:41]
.
2013-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-12-31 03:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
TCP: DhcpNameServer = 192.168.254.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-02 18:47
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\20.2.0.19\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\20.2.0.19\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1424)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2013-01-02 18:50:08
ComboFix-quarantined-files.txt 2013-01-03 00:50
.
Pre-Run: 109,470,961,664 bytes free
Post-Run: 109,564,452,864 bytes free
.
- - End Of File - - 97ECD28A3657F1679EEA1E0C54E93342

#6 Jintan (Malware Response Team, 531 posts)

Posted 02 January 2013 - 09:15 PM

Be sure to continue to temporarily disable any protective software when running the scan tools we use here.


Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

KillAll::
Driver::
tqsr
File::
c:\windows\system32\drivers\goapkqmb.sys

Save this to your desktop as CFScript.txt


You should now have both ComboFix and that CFScript.txt on the desktop. Just left click/hold on the CFScript.txt file, and drag it into ComboFix to start the scan.

ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

---------

Run RogueKiller as well and post that log too please.
Ad eundum quo no duck ante iit

#7 c23dr (Topic Starter, Members, 12 posts)

Posted 02 January 2013 - 09:56 PM

ComboFix 13-01-02.02 - Valarie 01/02/2013 20:31:41.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2451 [GMT -6:00]
Running from: c:\documents and settings\Valarie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Valarie\Desktop\CFScript.txt
AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
FILE ::
"c:\windows\system32\drivers\goapkqmb.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_tqsr
.
.
((((((((((((((((((((((((( Files Created from 2012-12-03 to 2013-01-03 )))))))))))))))))))))))))))))))
.
.
2013-01-02 02:35 . 2013-01-02 02:36 -------- d-----w- C:\RK_Quarantine
2013-01-01 08:30 . 2013-01-01 08:30 -------- d-----w- c:\documents and settings\Valarie\Local Settings\Application Data\Sun
2013-01-01 01:11 . 2013-01-01 01:11 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-01 01:04 . 2013-01-01 01:04 -------- d-----w- c:\program files\Common Files\Java
2013-01-01 01:04 . 2013-01-01 01:03 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-01-01 01:04 . 2013-01-01 01:03 859072 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-01-01 01:04 . 2013-01-01 01:03 93640 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-01-01 01:02 . 2013-01-01 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-12-31 07:54 . 2012-12-31 07:54 -------- d-----w- c:\windows\system32\LogFiles
2012-12-30 12:48 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2012-12-30 12:48 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2012-12-30 12:48 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2012-12-30 12:47 . 2011-07-15 13:29 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2012-12-30 12:47 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2012-12-30 12:45 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2012-12-30 12:45 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2012-12-30 12:42 . 2010-08-27 08:02 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2012-12-30 12:42 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2012-12-30 12:42 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2012-12-30 12:42 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2012-12-30 12:42 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2012-12-30 12:42 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2012-12-30 12:42 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2012-12-30 12:42 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2012-12-30 12:42 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2012-12-30 12:41 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2012-12-30 12:40 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-12-30 12:40 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2012-12-30 12:40 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2012-12-30 12:36 . 2012-05-28 18:16 536576 -c----w- c:\windows\system32\dllcache\msado15.dll
2012-12-30 12:35 . 2010-06-18 13:36 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2012-12-30 12:35 . 2012-07-04 14:05 139784 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2012-12-30 12:34 . 2012-08-21 13:33 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2012-12-30 12:34 . 2012-08-21 13:29 2192896 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2012-12-30 12:34 . 2010-12-09 15:15 718336 -c----w- c:\windows\system32\dllcache\ntdll.dll
2012-12-30 12:34 . 2012-08-21 12:58 2027520 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2012-12-30 12:34 . 2012-08-21 12:58 2069632 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2012-12-30 12:34 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-12-30 12:32 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2012-12-30 11:56 . 2012-12-30 11:56 -------- d-----w- c:\documents and settings\Valarie\Application Data\FixZeroAccess
2012-12-30 11:54 . 2010-08-16 08:45 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2012-12-30 11:50 . 2012-12-16 12:23 290560 -c----w- c:\windows\system32\dllcache\atmfd.dll
2012-12-30 11:49 . 2012-11-01 12:17 630272 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2012-12-30 11:49 . 2012-11-01 12:17 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-12-30 11:49 . 2012-11-01 12:17 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-12-30 11:49 . 2012-11-01 12:17 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-12-30 11:49 . 2012-11-01 12:17 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-12-30 11:49 . 2012-11-01 12:17 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
2012-12-30 11:49 . 2012-11-01 12:17 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-12-30 11:49 . 2012-11-01 12:17 11111424 -c----w- c:\windows\system32\dllcache\ieframe.dll
2012-12-30 10:52 . 2012-12-30 10:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-12-30 10:52 . 2012-12-14 22:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-30 10:35 . 2012-12-30 10:35 -------- d-----w- C:\TDSSKiller_Quarantine
2012-12-30 10:00 . 2012-06-05 15:50 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll
2012-12-30 10:00 . 2008-04-14 04:57 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2012-12-30 10:00 . 2008-04-14 11:41 81920 ------w- c:\windows\system32\ieencode.dll
2012-12-30 09:50 . 2006-12-29 06:31 19569 ----a-w- c:\windows\003090_.tmp
2012-12-30 05:10 . 2006-02-28 12:00 14848 -c--a-w- c:\windows\system32\dllcache\register.exe
2012-12-30 05:09 . 2006-02-28 12:00 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2012-12-30 05:08 . 2001-08-18 04:36 45056 -c--a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll
2012-12-30 05:08 . 2001-08-18 04:36 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2012-12-30 05:00 . 2008-04-14 11:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-12-30 04:54 . 2006-02-28 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2012-12-30 04:54 . 2006-02-28 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2012-12-30 04:54 . 2006-02-28 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2012-12-30 04:54 . 2006-02-28 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2012-12-30 04:54 . 2006-02-28 12:00 14573 ----a-r- c:\windows\SET81.tmp
2012-12-30 04:54 . 2006-02-28 12:00 13753 ----a-r- c:\windows\SET4E.tmp
2012-12-30 04:53 . 2006-02-28 12:00 1086058 ----a-r- c:\windows\SET42.tmp
2012-12-30 04:53 . 2006-02-28 12:00 1042903 ----a-r- c:\windows\SET3F.tmp
2012-12-29 07:49 . 2012-12-30 10:55 -------- d-----w- c:\windows\system32\drivers\NIS\1402000.013
2012-12-29 07:35 . 2012-12-29 07:35 -------- d-----w- c:\documents and settings\Valarie\Application Data\Tific
2012-12-29 07:35 . 2012-12-29 07:35 -------- d-----w- c:\documents and settings\Valarie\Local Settings\Application Data\Symantec
2012-12-29 05:31 . 2006-02-28 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2012-12-29 05:31 . 2006-02-28 12:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2012-12-29 05:16 . 2006-02-28 12:00 14573 ----a-r- c:\windows\SET169.tmp
2012-12-29 05:16 . 2006-02-28 12:00 13753 ----a-r- c:\windows\SET136.tmp
2012-12-29 05:16 . 2006-02-28 12:00 1086058 ----a-r- c:\windows\SET12A.tmp
2012-12-29 05:16 . 2006-02-28 12:00 1042903 ----a-r- c:\windows\SET127.tmp
2012-12-29 05:15 . 2012-12-29 05:15 -------- d-s---w- c:\windows\system32\config\systemprofile\History
2012-12-29 03:50 . 2012-12-29 03:50 -------- d-----w- c:\windows\system32\wbem\Repository
2012-12-29 03:35 . 2012-12-29 03:47 -------- d-----w- c:\documents and settings\Valarie\Application Data\ShopAtHome
2012-12-28 03:59 . 2012-12-29 03:36 -------- d-s---w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-01 01:11 . 2011-06-16 01:01 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-01 01:03 . 2010-05-26 22:10 779704 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-29 07:51 . 2009-12-15 00:09 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-12-16 12:23 . 2006-02-28 12:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 01:25 . 2006-02-28 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-02 02:02 . 2006-02-28 12:00 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-08-29 98304]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 282624]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-09-24 02:43 926896 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 11:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-11-01 08:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 15:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 15:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-08-29 21:08 98304 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 15:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1402000.013\SymDS.sys [12/29/2012 1:49 AM 368288]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1402000.013\SymEFA.sys [12/29/2012 1:49 AM 927904]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\Definitions\BASHDefs\20121130.005\BHDrvx86.sys [11/29/2012 5:13 PM 995488]
R1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NIS\1402000.013\ccSetx86.sys [12/29/2012 1:49 AM 134304]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1402000.013\Ironx86.sys [12/29/2012 1:49 AM 175264]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\20.2.0.19\ccSvcHst.exe [12/29/2012 1:49 AM 143928]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/15/2012 1:08 AM 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.2.0.19\Definitions\IPSDefs\20121230.001\IDSXpx86.sys [12/30/2012 9:30 PM 373728]
S3 EraserUtilDrv11220;EraserUtilDrv11220;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11220.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11220.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-12-31 03:41]
.
2013-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-12-31 03:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
TCP: DhcpNameServer = 192.168.254.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-02 20:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\20.2.0.19\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\20.2.0.19\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2484)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
.
**************************************************************************
.
Completion time: 2013-01-02 20:44:24 - machine was rebooted
ComboFix-quarantined-files.txt 2013-01-03 02:44
ComboFix2.txt 2013-01-03 00:54
.
Pre-Run: 109,570,035,712 bytes free
Post-Run: 109,513,863,168 bytes free
.
- - End Of File - - 94C6AEA1938953EEEA34A851E03B17F9

RogueKiller V8.4.2 [Dec 31 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Valarie [Admin rights]
Mode : Scan -- Date : 01/02/2013 20:49:13

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[12] : NtAlertResumeThread @ 0x805D4BDC -> HOOKED (Unknown @ 0x8A6FF3D0)
SSDT[13] : NtAlertThread @ 0x805D4B8C -> HOOKED (Unknown @ 0x8A6FF4D0)
SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AC2 -> HOOKED (Unknown @ 0x8A9EA2B0)
SSDT[19] : NtAssignProcessToJobObject @ 0x805D66A0 -> HOOKED (Unknown @ 0x8A7849D8)
SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x8ACFCB50)
SSDT[43] : NtCreateMutant @ 0x806176AE -> HOOKED (Unknown @ 0x8A784F80)
SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A02 -> HOOKED (Unknown @ 0x8A7847F8)
SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0x8AD0B210)
SSDT[57] : NtDebugActiveProcess @ 0x80643B3E -> HOOKED (Unknown @ 0x8A784AB8)
SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0x8A9F37F8)
SSDT[83] : NtFreeVirtualMemory @ 0x805B2FBA -> HOOKED (Unknown @ 0x8A979418)
SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9258 -> HOOKED (Unknown @ 0x8A6FF210)
SSDT[91] : NtImpersonateThread @ 0x805D7860 -> HOOKED (Unknown @ 0x8A6FF2F0)
SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x8AD306D0)
SSDT[108] : unknown @ 0x805B2042 -> HOOKED (Unknown @ 0x8A979338)
SSDT[114] : NtOpenEvent @ 0x8060F06C -> HOOKED (Unknown @ 0x8A784EA0)
SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (Unknown @ 0x8A9A0A38)
SSDT[123] : NtOpenProcessToken @ 0x805EDF26 -> HOOKED (Unknown @ 0x8A9F3758)
SSDT[125] : NtOpenSection @ 0x805AA3F4 -> HOOKED (Unknown @ 0x8A784CE0)
SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (Unknown @ 0x8A9A0948)
SSDT[137] : NtProtectVirtualMemory @ 0x805B8426 -> HOOKED (Unknown @ 0x8A7848E8)
SSDT[206] : NtResumeThread @ 0x805D4A18 -> HOOKED (Unknown @ 0x8A6FF5B0)
SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0x8A6FFC10)
SSDT[228] : NtSetInformationProcess @ 0x805CDEA0 -> HOOKED (Unknown @ 0x8A97FC58)
SSDT[240] : NtSetSystemInformation @ 0x8060FD24 -> HOOKED (Unknown @ 0x8A784B98)
SSDT[253] : NtSuspendProcess @ 0x805D4AE0 -> HOOKED (Unknown @ 0x8A784DC0)
SSDT[254] : NtSuspendThread @ 0x805D4952 -> HOOKED (Unknown @ 0x8A6FF870)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0x8ADA2270)
SSDT[258] : unknown @ 0x805D24D2 -> HOOKED (Unknown @ 0x8A6FF950)
SSDT[267] : NtUnmapViewOfSection @ 0x805B2E50 -> HOOKED (Unknown @ 0x8A979298)
SSDT[277] : NtWriteVirtualMemory @ 0x805B43D4 -> HOOKED (Unknown @ 0x8A983360)
S_SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8A9FE4B8)
S_SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8A969EC0)
S_SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8A8DFEC0)
S_SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8A9E9958)
S_SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8A9B9098)
S_SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x8A9DE2C8)
S_SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x8AE998C8)
S_SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8AD19A98)
S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8A9D6900)
S_SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8AD96178)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD1600JS-75NCB3 +++++
--- User ---
[MBR] ad995c7bbee62ab59ab09b611bcb3cd9
[BSP] 74c3e5f98933aa316c7c225b4c7cf3a6 : Dell MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 47 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 96390 | Size: 148679 Mo
2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 304592400 | Size: 3859 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[4]_S_01022013_02d2049.txt >>
RKreport[1]_S_01012013_02d2032.txt ; RKreport[2]_S_01022013_02d1833.txt ; RKreport[3]_D_01022013_02d1834.txt ; RKreport[4]_S_01022013_02d2049.txt
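The RogueKiller "MBR Check" section above matters for this thread because Pihar, like the Tidserv detection in the first post, belongs to the TDL4 bootkit family, which lives in the boot sector rather than in a file; that is why the tool hashes the MBR code and prints the partition table instead of just listing files. The script below is an added example for this thread, not RogueKiller's code and not something posted by the participants. It builds a 512-byte MBR from a constructed layout that mirrors the three partitions in the log (LBA 63, 96390 and 304592400 with types 0xDE, 0x07 and 0xDB), parses it back the way a checker would, hashes the 440-byte code area and flags a table with more or fewer than one active partition or overlapping entries. The boot-code bytes are filler and RogueKiller's hashing scope may differ, so the MD5 it prints will not match the [MBR] value in the log.

```python
"""Parse a classic MBR the way a rootkit checker's "MBR Check" does.

Added example for this thread, not RogueKiller's code. The layout below is
CONSTRUCTED to mirror the three partitions in the log; the boot-code bytes
are filler, so the hash will not match the log's [MBR] value.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440          # code area before the 4-byte disk signature
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, LBA count

# CONSTRUCTED layout: (type, active, lba_start, lba_count), chosen so the
# sizes come out as 47 MB, 148679 MB and 3859 MB like the log.
CONSTRUCTED_LAYOUT = [
    (0xDE, False, 63, 96327),            # Dell utility partition
    (0x07, True, 96390, 304496010),      # NTFS system partition
    (0xDB, False, 304592400, 7903232),   # recovery partition
]


def build_mbr(partitions, boot_code=b"\x90" * BOOT_CODE_LEN):
    """Build a 512-byte MBR; CHS fields are zeroed (LBA fields are what matter)."""
    sector = bytearray(SECTOR)
    sector[:BOOT_CODE_LEN] = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\0")
    for i, (ptype, active, start, count) in enumerate(partitions[:4]):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         0x80 if active else 0x00, b"\0\0\0", ptype, b"\0\0\0",
                         start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Return the boot-code hash and the non-empty partition entries."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR: bad length or missing 55AA signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + i * PART_ENTRY_LEN)
        if ptype == 0:
            continue
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "lba_start": start, "lba_count": count,
                      "size_mb": count * SECTOR // (1024 * 1024)})
    return {"boot_code_md5": hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}


def sanity_checks(parsed):
    """Things worth a second look on a bootkit case: the number of entries
    carrying the active flag, and entries that overlap each other."""
    findings = []
    parts = parsed["partitions"]
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append("%d active partitions, expected 1" % len(active))
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["lba_count"] > b["lba_start"]:
            findings.append("partition %d overlaps partition %d" % (a["index"], b["index"]))
    return findings


def parse_constructed_example():
    """Round-trip the constructed layout through build_mbr/parse_mbr."""
    return parse_mbr(build_mbr(CONSTRUCTED_LAYOUT))


if __name__ == "__main__":
    result = parse_constructed_example()
    print("[MBR code md5]", result["boot_code_md5"])
    for p in result["partitions"]:
        print("%d - [%s] type 0x%02x  offset %d  size %d MB" % (
            p["index"], "ACTIVE" if p["active"] else "XXXXXX",
            p["type"], p["lba_start"], p["size_mb"]))
    print("findings:", sanity_checks(result) or "none")
```

To run it against a real disk you would read the first 512 bytes of the physical drive (on XP that means \\.\PhysicalDrive0 opened as Administrator) and pass them to parse_mbr; comparing the hash against a known-good copy of the OEM boot code is the check that actually tells you whether the code area was overwritten.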

#8 Jintan (Malware Response Team, 531 posts)

Posted 03 January 2013 - 06:34 PM

Before we go further let's check installed programs.


Download HijackThis from Here. Then click on the downloaded file, and install HijackThis.

In HijackThis, click Config - Misc Tools - Open Uninstall Manager.

Click on Save List, then save that to a location you can locate again (such as the desktop). Copy/paste the contents of that back here please.

#9 c23dr (Topic Starter, Members, 12 posts)

Posted 03 January 2013 - 08:03 PM

725plc32
Adobe Flash Player 11 ActiveX
Adobe Reader XI
AOLIcon
ATI Control Panel
ATI Display Driver
Banctec Service Agreement
CCleaner
CinepPlayer 30 Update
Conexant D850 56K V.9x DFVc Modem
Corel Photo Album 6
Dell CinePlayer
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Game Console
Dell Media Experience
Dell Support 3.1
Digital Content Portal
Digital Line Detect
Documentation & Support Launcher
EarthLink setup files
EducateU
ELIcon
ESET Online Scanner v3
Games, Music, & Photos Launcher
Get High Speed Internet!
Google Chrome
Google Update Helper
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB952287)
Intel® PRO Network Connections Drivers
Intel® PROSet for Wired Connections
Internet Service Offers Launcher
Java 7 Update 10
Learn2 Player (Uninstall Only)
Malwarebytes Anti-Malware version 1.70.0.1100
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft Office Outlook 2003 with Business Contact Manager Update
Microsoft Office Professional Edition 2003
Microsoft Office Small Business Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
Microsoft Works
Modem Helper
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Musicmatch® Jukebox
NetWaiting
NetZeroInstallers
Norton Internet Security
Print Workshop 2004 LE
QuickTime
RealPlayer Basic
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Scrabble
SCRABBLE
Search Assist
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219-v2)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135-v2)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Sonic Activation Module
Sonic Update Manager
The Print Shop Premier Edition 5.0
Update for Windows XP (KB2345886)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2749655)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB973815)
URL Assistant
WildTangent Web Driver
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Service Pack 3

#10 Jintan (Malware Response Team, 531 posts)

Posted 03 January 2013 - 09:06 PM

Just realized I've never seen RogueKiller run on a system with Norton installed. I wonder if the "Hooks" it shows are just Norton. The related Gmer results seem to suggest that. No way to tell unless you uninstall it though, so if we don't locate any rootkits, we'll assume that's what is showing in the log. May be fewer problems remaining than expected.


Go to Start – Settings – Control Panel. Click on Add/Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on Remove. Then close the Control Panel.

Get High Speed Internet! - Dell sales promo.
Search Assist - Dell installed search hijacker.
URL Assistant - Ditto.

-----------

And even though I suspect they've been run there, run a few scans now.


Be sure to continue to temporarily disable any protective software when running the scan tools we use here.


Open and update Malwarebytes.

* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform quick scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by Malwarebytes and can be viewed by clicking the Logs tab in Malwarebytes.
* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.

---------------

Disable your antivirus program and click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file to run the scanner.

If you accept the Terms of Use, check the box and click Start. It will take a couple minutes for the scanner to get ready. When the Computer scan settings display shows, check the following boxes:

Remove found threats
Scan unwanted applications


Next to "Current scan targets: Operating memory, Local drives", click the "Change" word. Make sure you place a check next to all disk drives, including any external drives that are attached (no need to check off the floppy or DVD/CD-Rom drives).

Then click the Advanced option, then place a check next to the following (if it is not already checked):

Enable Anti-Stealth technology

Click Start. This scan may take a while, so please be patient.

If infection is found, at the end of the scan click "List of found threats".

In that display, at the bottom, select the option to save the results as a text file, and save that to your desktop. Post that back here please.

Post that log and the Malwarebytes log please.
Ad eundum quo no duck ante iit

#11 c23dr


Posted 03 January 2013 - 10:27 PM

I removed those 3 programs in control panel, thanks. I'm very interested in cleaning up anything and everything we can for my Mom.

And as long as it's safe, I have no problem uninstalling Norton for the fixes. I can always reinstall it after we're clean.
Should be safe to do that right?

It still lags sometimes on boot-up and internet is slow, but it's getting better.

Let me know about Norton, I'm going to start those scans now. Thanks for all your help.
edited this post to include:
Scans are done, couldn't find a log for Eset but no threats were found.


Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.04.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Valarie :: D1VJGPB1 [administrator]

1/3/2013 9:30:16 PM
mbam-log-2013-01-03 (21-30-16).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 236591
Time elapsed: 2 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Edited by c23dr, 04 January 2013 - 12:33 AM.


#12 Jintan


Posted 04 January 2013 - 05:58 PM

Clean. I suspect Norton involvement in some of the slowness there. Nature of the beast, especially with these all-inclusive antivirus programs that monitor absolutely everything. When the subscription runs out you may want to consider switching to a free, more light-weight antivirus version, such as MS Security Essentials.

I also don't doubt those are Norton tracks being picked up by scans, so don't feel there is any active infection left there.

Before we move on to steps to finish up here, post back on any problems we still need to correct please.
Ad eundum quo no duck ante iit

#13 c23dr


Posted 04 January 2013 - 08:44 PM

So glad we're clean thank you! Do you think the viruses accessed personal information while they were there? If there's any doubt about those 'hooks' I could uninstall Norton temporarily for another look if you think it would be worth it.

I was getting script errors when trying to update/install any Adobe programs, but I found an alternative download that didn't use that script and it worked fine.

My mother wants to know... how do these viruses benefit their creators, what is the point of messing up someone else's computer?

#14 Jintan


Posted 04 January 2013 - 09:35 PM

The hooks are fine.

I was getting script errors when trying to update/install any Adobe programs, but I found an alternative download that didn't use that script and it worked fine.


That suggests things aren't quite just right there. Before we close out here, let's check that.

In answer to your Mother's question:
1 - When you click on an ad on a web page, the owner of that web page gets paid a small amount for that click from the advertiser. So I install a hidden program on your computer that generates fake clicks on ads, with the payments being sent to me.
2 - Spam emails come from infected computers.
3 - I use your computer to infect other computers.
4 - I load your computer with fake scans that demand payment.

And much more.

----------

Go here and download and run the Flash Player uninstall tool, then reboot.

Then go here and reinstall Flash Player, as per the site's steps. Be sure to uncheck whatever else is offered with the download (like that useless McAfee scanner).

Just see if that all goes correctly.
Ad eundum quo no duck ante iit

#15 c23dr


Posted 05 January 2013 - 09:14 PM

Thanks for the info! And thanks for addressing this Adobe problem.

I uninstalled FlashPlayer using the link you gave me. Went fine. Then I used your link for the FlashPlayer website. The website froze, but finally loaded so I followed the prompts to install. It downloaded fine to the desktop, then I ran it to install FlashPlayer. But before actually installing there's the screen where you choose Update preferences, I chose "notify me" and when I clicked "Next" this pop up immediately came up.

Line: 1
Char: 10823
Error: 'ActionGtbCheck' is undefined
Code: 0
URL: http://127.0.0.1:1091/app/_js/adobe.js

Do you want to continue running scripts on this page?
<---no matter how I answer this, the install stays frozen.
This error is a bit different than the ones I was getting before, they said something about 'object expected' and it was happening on Adobe Reader as well.