PDA

View Full Version : Problem with Redirect bug and windows update.



ARCHellraiser
2011-01-01, 09:42
Happy New Year To the Spy_bot Team,
Seems I have been bitten by the "Redirect Bug' and
I cannot start my windows update it gives me this message
Internet Explorer cannot display the webpage
and gives me the Network diagnostics tool and there were no problems
found. I have tried several thing that was suggested by other web sites
with no luck. So back to the trusted Malware Team At S&D..Ken545 has helped
me out the last 2 time over the yeas and has always been successful.

So can we get rid of the bugs with a fresh shot of Penicillin.!!??

As instructed created back up using ERUNT and ran a DDS log see below.

Thanks

HR


DDS (Ver_10-12-12.02) - NTFSx86
Run by Administrator at 2:21:02.67 on Sat 01/01/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.586 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOWNLOADS\DOwnloads Firefox\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:8074
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Gadwin PrintScreen] "c:\program files\gadwin systems\printscreen\PrintScreen.exe" /nosplash
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\windows\installer\{06b2b442-19fe-4398-bd4b-f5c00928dd8e}\_18be6784.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269188900343
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269188890109
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\hd0rjl1v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\administrator\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\administrator\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation

foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [2003-5-7 26679]
R1 amdtools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys [2010-3-30 22272]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [2001-10-4 9728]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [2003-5-27 187392]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-8-14 54752]
R2 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [2002-12-13 64000]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-23 19720]
S2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2007-5-1 6016]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2010-3-30 14856]

=============== Created Last 30 ================


==================== Find3M ====================


=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800JD-00MSA1 rev.10.01E01 -> Harddisk0\DR0 -> \Device\0000008e

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86E97EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x850f3872; SUB DWORD [EBP-0x4], 0x850f312e; PUSH EDI; CALL

0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x86F30AB8]
3 CLASSPNP[0xF74C7FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000075[0x86F21F18]
5 ACPI[0xF735E620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x86F6B030]
[0x86E3F498] -> IRP_MJ_CREATE -> 0x86E97EC5
error: Read The process cannot access the file because it is being used by another process.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP

MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\00000074 ->

\??\IDE#DiskWDC_WD800JD-00MSA1______________________10.01E01#2020202057202D4443574D415039313735373832#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device

not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 2:22:47.39 ===============

ken545
2011-01-04, 03:11
:snwelcome:


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

Your infected with a Rootkit


Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
Extract the file and run it.
Once completed it will create a log in your C:\ drive called TDSSKiller_* (* denotes version & date)
Please post the content of the TDSSKiller log

ARCHellraiser
2011-01-05, 04:16
Thank you for for your help..

As instructed ran TDSSKiller log below

2011/01/04 21:07:27.0531 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2011/01/04 21:07:27.0531 ================================================================================
2011/01/04 21:07:27.0531 SystemInfo:
2011/01/04 21:07:27.0531
2011/01/04 21:07:27.0531 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/04 21:07:27.0531 Product type: Workstation
2011/01/04 21:07:27.0531 ComputerName: ED-MASTER
2011/01/04 21:07:27.0531 UserName: Administrator
2011/01/04 21:07:27.0531 Windows directory: C:\WINDOWS
2011/01/04 21:07:27.0531 System windows directory: C:\WINDOWS
2011/01/04 21:07:27.0531 Processor architecture: Intel x86
2011/01/04 21:07:27.0531 Number of processors: 1
2011/01/04 21:07:27.0531 Page size: 0x1000
2011/01/04 21:07:27.0531 Boot type: Normal boot
2011/01/04 21:07:27.0531 ================================================================================
2011/01/04 21:07:27.0843 Initialize success
2011/01/04 21:07:32.0078 ================================================================================
2011/01/04 21:07:32.0078 Scan started
2011/01/04 21:07:32.0078 Mode: Manual;
2011/01/04 21:07:32.0078 ================================================================================
2011/01/04 21:07:32.0453 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/04 21:07:32.0515 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/01/04 21:07:32.0578 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/01/04 21:07:32.0656 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/01/04 21:07:32.0937 ALCXWDM (dd8520280304b6145a6be31008748c7c) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2011/01/04 21:07:33.0171 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
2011/01/04 21:07:33.0234 amdtools (e3d265cf73fee89fe23d541cf5df1408) C:\WINDOWS\system32\DRIVERS\amdtools.sys
2011/01/04 21:07:33.0296 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/01/04 21:07:33.0343 ASAPIW2K (875f9079cabee679d34b49e466b61701) C:\WINDOWS\system32\Drivers\ASAPIW2K.sys
2011/01/04 21:07:33.0453 Aspi32 (20d04091eba710f6988f710507d85868) C:\WINDOWS\system32\drivers\Aspi32.sys
2011/01/04 21:07:33.0500 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/01/04 21:07:33.0531 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\atapi.sys
2011/01/04 21:07:33.0750 ati2mtag (c51608bba3248be2f6d21b132910752a) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/01/04 21:07:33.0984 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/01/04 21:07:34.0062 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/01/04 21:07:34.0078 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/01/04 21:07:34.0125 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/01/04 21:07:34.0171 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/01/04 21:07:34.0203 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/01/04 21:07:34.0265 cdrdrv (a438e08fc07fe75326250b0b707df8ed) C:\WINDOWS\system32\Drivers\Cdrdrv.sys
2011/01/04 21:07:34.0281 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/01/04 21:07:34.0437 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
2011/01/04 21:07:34.0515 CVPNDRVA (d46b2e0eeaf349f2085f8b164e462156) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
2011/01/04 21:07:34.0578 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/04 21:07:34.0640 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/01/04 21:07:34.0750 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/01/04 21:07:34.0765 dmload (d3f239674d3bcdaa301f3fadf0684b41) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/04 21:07:34.0765 Suspicious file (Forged): C:\WINDOWS\system32\drivers\dmload.sys. Real md5: d3f239674d3bcdaa301f3fadf0684b41, Fake md5: e9317282a63ca4d188c0df5e09c6ac5f
2011/01/04 21:07:34.0765 dmload - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/01/04 21:07:34.0812 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/01/04 21:07:34.0843 DNE (694616f813fb627a32c9e32dec133078) C:\WINDOWS\system32\DRIVERS\dne2000.sys
2011/01/04 21:07:34.0937 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/01/04 21:07:34.0968 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/01/04 21:07:35.0046 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/01/04 21:07:35.0078 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/01/04 21:07:35.0093 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/01/04 21:07:35.0140 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/01/04 21:07:35.0203 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
2011/01/04 21:07:35.0296 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/01/04 21:07:35.0328 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/04 21:07:35.0406 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/01/04 21:07:35.0437 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/01/04 21:07:35.0531 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/04 21:07:35.0609 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/01/04 21:07:35.0625 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/01/04 21:07:35.0703 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/01/04 21:07:35.0750 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/01/04 21:07:35.0796 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/01/04 21:07:35.0843 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/01/04 21:07:35.0875 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/01/04 21:07:35.0921 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/01/04 21:07:35.0937 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/01/04 21:07:35.0968 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/01/04 21:07:35.0984 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/01/04 21:07:36.0031 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/01/04 21:07:36.0062 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/01/04 21:07:36.0109 L8042pr2 (0f8b7bf7097d1e8d78f2f52a2bea03cd) C:\WINDOWS\system32\DRIVERS\L8042pr2.Sys
2011/01/04 21:07:36.0187 LGBusEnum (170e7093a77ad586f3a012a3db651d94) C:\WINDOWS\system32\drivers\LGBusEnum.sys
2011/01/04 21:07:36.0234 LGVirHid (d2dd04d1c8df65eecd1f2c7fb947d43e) C:\WINDOWS\system32\drivers\LGVirHid.sys
2011/01/04 21:07:36.0265 LMouFlt2 (aef09673376a4d93c09e8341854f1bf4) C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys
2011/01/04 21:07:36.0328 MarvinBus (a3e700d78eec390f1208098cdca5c6b6) C:\WINDOWS\system32\DRIVERS\MarvinBus.sys
2011/01/04 21:07:36.0390 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/01/04 21:07:36.0453 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/01/04 21:07:36.0484 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/04 21:07:36.0546 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/01/04 21:07:36.0562 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/01/04 21:07:36.0625 MQAC (eee50bf24caeedb515a8f3b22756d3bb) C:\WINDOWS\system32\drivers\mqac.sys
2011/01/04 21:07:36.0765 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/01/04 21:07:36.0890 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/01/04 21:07:36.0953 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/01/04 21:07:36.0984 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/01/04 21:07:37.0015 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/01/04 21:07:37.0046 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/01/04 21:07:37.0078 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/01/04 21:07:37.0093 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/04 21:07:37.0125 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/01/04 21:07:37.0156 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/01/04 21:07:37.0171 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/01/04 21:07:37.0203 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/01/04 21:07:37.0250 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/01/04 21:07:37.0265 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/01/04 21:07:37.0296 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/01/04 21:07:37.0359 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/01/04 21:07:37.0375 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/01/04 21:07:37.0437 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/04 21:07:37.0562 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/01/04 21:07:37.0578 nvata (dce353985c988bfb7e84fd942068151f) C:\WINDOWS\system32\DRIVERS\nvata.sys
2011/01/04 21:07:37.0625 nvatabus (0344aa9113dc16eec379f4652020849d) C:\WINDOWS\system32\DRIVERS\nvatabus.sys
2011/01/04 21:07:37.0687 nvax (fb8595ef3ceb81f0da3f6f211b2df932) C:\WINDOWS\system32\drivers\nvax.sys
2011/01/04 21:07:37.0765 NVENETFD (7d275ecda4628318912f6c945d5cf963) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2011/01/04 21:07:37.0828 nvnetbus (b64aacefad2be5bff5353fe681253c67) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2011/01/04 21:07:37.0890 nvnforce (d2315cd3053fc3b4250dc2dbd0ac49e4) C:\WINDOWS\system32\drivers\nvapu.sys
2011/01/04 21:07:37.0953 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/01/04 21:07:37.0968 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/01/04 21:07:38.0000 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/01/04 21:07:38.0046 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/01/04 21:07:38.0078 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/01/04 21:07:38.0109 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/01/04 21:07:38.0140 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/01/04 21:07:38.0203 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/01/04 21:07:38.0359 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/04 21:07:38.0406 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/01/04 21:07:38.0437 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/04 21:07:38.0515 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/04 21:07:38.0640 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/04 21:07:38.0687 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/04 21:07:38.0703 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/04 21:07:38.0734 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/04 21:07:38.0750 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/04 21:07:38.0781 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/04 21:07:38.0812 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/01/04 21:07:38.0906 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/04 21:07:38.0968 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/04 21:07:39.0031 RMCAST (96f7a9a7bf0c9c0440a967440065d33c) C:\WINDOWS\system32\drivers\RMCast.sys
2011/01/04 21:07:39.0187 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/01/04 21:07:39.0234 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/01/04 21:07:39.0296 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/04 21:07:39.0375 Sentinel (aebba7428a6c40cce3c5abde45190b24) C:\WINDOWS\System32\Drivers\SENTINEL.SYS
2011/01/04 21:07:39.0421 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/01/04 21:07:39.0453 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/01/04 21:07:39.0500 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/01/04 21:07:39.0593 SNTNLUSB (a1ff7d99b199cea1f3df371ba70d2780) C:\WINDOWS\system32\DRIVERS\SNTNLUSB.SYS
2011/01/04 21:07:39.0640 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/01/04 21:07:39.0718 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/04 21:07:39.0781 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/04 21:07:39.0812 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/04 21:07:39.0875 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/01/04 21:07:40.0000 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/04 21:07:40.0078 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/04 21:07:40.0140 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/04 21:07:40.0171 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/04 21:07:40.0203 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/04 21:07:40.0265 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/01/04 21:07:40.0359 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/01/04 21:07:40.0484 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/01/04 21:07:40.0515 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/01/04 21:07:40.0531 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/04 21:07:40.0562 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/01/04 21:07:40.0593 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/01/04 21:07:40.0609 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/01/04 21:07:40.0625 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/04 21:07:40.0687 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/01/04 21:07:40.0828 vnccom (b67632451f760797bb183e1fb99f4b39) C:\WINDOWS\system32\Drivers\vnccom.SYS
2011/01/04 21:07:40.0859 vncdrv (4ec979b157d1aa075330362acb5424e5) C:\WINDOWS\system32\DRIVERS\vncdrv.sys
2011/01/04 21:07:40.0921 vobcom (705c36bc6e13fdb304486898d6d8512b) C:\WINDOWS\system32\drivers\vobcom.sys
2011/01/04 21:07:40.0968 VOBID (f84b097791fb0536e2bb19c13a04371c) C:\WINDOWS\system32\DRIVERS\vobid.sys
2011/01/04 21:07:41.0015 vobiw (8283c485d8daffc8cd3e6b4ba3ed7db2) C:\WINDOWS\system32\drivers\vobiw.sys
2011/01/04 21:07:41.0046 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/04 21:07:41.0093 vsdatant (0354ba3a5ba5e28cc247eb5f5dd8793c) C:\WINDOWS\system32\vsdatant.sys
2011/01/04 21:07:41.0218 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/04 21:07:41.0281 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/04 21:07:41.0390 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/01/04 21:07:41.0421 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/01/04 21:07:41.0578 ================================================================================
2011/01/04 21:07:41.0578 Scan finished
2011/01/04 21:07:41.0578 ================================================================================
2011/01/04 21:07:41.0593 Detected object count: 1
2011/01/04 21:08:13.0343 dmload (d3f239674d3bcdaa301f3fadf0684b41) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/04 21:08:13.0343 Suspicious file (Forged): C:\WINDOWS\system32\drivers\dmload.sys. Real md5: d3f239674d3bcdaa301f3fadf0684b41, Fake md5: e9317282a63ca4d188c0df5e09c6ac5f
2011/01/04 21:08:14.0796 Backup copy found, using it..
2011/01/04 21:08:14.0796 C:\WINDOWS\system32\drivers\dmload.sys - will be cured after reboot
2011/01/04 21:08:14.0796 Rootkit.Win32.TDSS.tdl3(dmload) - User select action: Cure
2011/01/04 21:08:54.0921 Deinitialize success



HR

ken545
2011-01-05, 11:03
The file that was infected and replaced was a disk manager, make sure you rebooted your computer for the cure to take effect.

There may be more to remove.

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

ARCHellraiser
2011-01-05, 14:28
as instructed:

ComboFix 11-01-04.04 - Administrator 01/05/2011 7:16.11.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.659 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-12-05 to 2011-01-05 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-05 02:09 . 2002-08-29 12:00 5888 ----a-w- c:\windows\system32\drivers\dmload.sys
2010-12-20 23:09 . 2009-09-22 10:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2009-09-22 10:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2008-12-09 495616]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-12-14 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="mqrt.dll" [2009-06-25 177152]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-03-28 57344]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlhr"="c:\windows\System32\AdvPack.Dll" [2009-03-08 128512]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Broadband Networking.lnk - c:\windows\Installer\{06B2B442-19FE-4398-BD4B-F5C00928DD8E}\_18be6784.exe [2010-3-29 25214]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Registration-INSDVD.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Registration-INSDVD.lnk
backup=c:\windows\pss\Registration-INSDVD.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Broadband Networking.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Broadband Networking.lnk
backup=c:\windows\pss\Microsoft Broadband Networking.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-24 09:15 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadwin PrintScreen]
2008-12-09 11:08 495616 ----a-w- c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IW ControlCenter]
2003-03-12 15:56 836096 ----a-w- c:\program files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LCDMon]
2010-02-18 16:24 1573448 ----a-w- c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LGDCore]
2010-02-18 16:47 3203144 ----a-w- c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LgDeviceAgent]
2010-02-18 16:49 357448 ----a-w- c:\program files\Logitech\GamePanel Software\LGDevAgt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
2003-12-17 13:50 19968 ------w- c:\windows\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
2003-05-28 20:37 394240 ----a-w- c:\windows\system32\PSDrvCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
2003-05-28 20:37 394240 ----a-w- c:\windows\system32\PSDrvCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recordpad]
2009-10-16 00:49 913412 ----a-w- c:\program files\NCH Swift Sound\Recordpad\recordpad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-11-01 00:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\shicoxp]
2003-10-13 13:05 45056 ----a-w- c:\windows\shicoxp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-09-30 03:13 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-12-22 04:18 1242448 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VOBID]
2003-03-31 21:59 147968 ----a-w- c:\program files\Pinnacle\InstantCDDVD\InstantDrive\InstantDrive.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
2006-06-18 19:56 712704 ----a-w- c:\program files\UltraVNC\winvnc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPS"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Fox\\Aliens vs. Predator 2\\AVP2Serv.exe"=
"c:\\Program Files\\Fox\\Aliens vs. Predator 2\\lithtech.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Fox\\Aliens vs. Predator 2\\AVP2TFServ.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\aliens vs predator demo\\AvP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys [5/7/2003 3:36 PM 26679]
R1 amdtools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys [3/30/2010 9:02 PM 22272]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [10/4/2001 10:53 AM 9728]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [5/27/2003 11:12 AM 187392]
R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [12/13/2002 5:33 PM 64000]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [11/23/2009 4:37 PM 19720]
S2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [5/1/2007 7:44 AM 6016]
S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [3/30/2010 8:41 PM 14856]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:8074
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hd0rjl1v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-05 07:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1085031214-436374069-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,55,8b,2b,95,34,19,45,88,45,83,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,55,8b,2b,95,34,19,45,88,45,83,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(956)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3880)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-01-05 07:23:34
ComboFix-quarantined-files.txt 2011-01-05 12:23

Pre-Run: 2,861,146,112 bytes free
Post-Run: 2,979,241,984 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 27CACE5FA0A335D8BD9B0221C48CE05C


Thanks

HR

ken545
2011-01-05, 15:12
Lets see if there is anything more to remove

Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please





Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

ARCHellraiser
2011-01-06, 05:48
Evening Ken,
FYI I have loaded on my system:

Spybot S&D (teatimer disabled)
Malwarebytes
Spyblaster
SUPERantiSpyware
Have ERUNT running also

As a Sunday Morning thing over coffee I update and run all
and to end it I run ESET on line scanner.. been doing this since our last
encounter and have been pretty safe.. at the end any suggestions to
change or update or change in line up will be accepted galdly.

Thanks
HR

Malware Log
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5466

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/5/2011 10:01:20 PM
mbam-log-2011-01-05 (22-01-20).txt

Scan type: Quick scan
Objects scanned: 158032
Time elapsed: 5 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

OTL.Txt

OTL logfile created on: 1/5/2011 10:25:13 PM - Run 1
OTL by OldTimer - Version 3.2.20.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 641.00 Mb Available Physical Memory | 63.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 2000 3072

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 2.84 Gb Free Space | 3.81% Space Free | Partition Type: NTFS

Computer Name: ED-MASTER | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
PRC - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corp.)
PRC - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
PRC - C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
PRC - C:\Program Files\UltraVNC\winvnc.exe (UltraVNC)
PRC - C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe (Lexmark International, Inc.)
PRC - C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe (Lexmark International, Inc.)
PRC - C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)


========== Win32 Services (SafeList) ==========

SRV - (fsssvc) -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe (Microsoft Corporation)
SRV - (SeaPort) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corp.)
SRV - (CVPND) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
SRV - (winvnc) -- C:\Program Files\UltraVNC\winvnc.exe (UltraVNC)


========== Driver Services (SafeList) ==========

DRV - (catchme) -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys File not found
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (LGVirHid) -- C:\WINDOWS\system32\drivers\LGVirHid.sys (Logitech Inc.)
DRV - (LGBusEnum) -- C:\WINDOWS\system32\drivers\LGBusEnum.sys (Logitech Inc.)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (fssfltr) -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys (Microsoft Corporation)
DRV - (MQAC) -- C:\WINDOWS\system32\drivers\mqac.sys (Microsoft Corporation)
DRV - (CVPNDRVA) -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys (Cisco Systems, Inc.)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\alcxwdm.sys (Realtek Semiconductor Corp.)
DRV - (DNE) -- C:\WINDOWS\system32\drivers\dne2000.sys (Deterministic Networks, Inc.)
DRV - (nvnetbus) -- C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)
DRV - (RMCAST) -- C:\WINDOWS\system32\drivers\rmcast.sys (Microsoft Corporation)
DRV - (vsdatant) -- C:\WINDOWS\system32\vsdatant.sys (Zone Labs, LLC)
DRV - (AmdPPM) -- C:\WINDOWS\system32\drivers\AmdPPM.sys (Advanced Micro Devices)
DRV - (CVirtA) -- C:\WINDOWS\system32\drivers\CVirtA.sys (Cisco Systems, Inc.)
DRV - (amdtools) -- C:\WINDOWS\system32\drivers\amdtools.sys (AMD, Inc.)
DRV - (nvatabus) -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys (NVIDIA Corporation)
DRV - (MarvinBus) -- C:\WINDOWS\system32\drivers\MarvinBus.sys (Pinnacle Systems GmbH)
DRV - (nvata) -- C:\WINDOWS\system32\DRIVERS\nvata.sys (NVIDIA Corporation)
DRV - (nvnforce) Service for NVIDIA(R) nForce(TM) -- C:\WINDOWS\system32\drivers\nvapu.sys (NVIDIA Corporation)
DRV - (nvax) Service for NVIDIA(R) nForce(TM) -- C:\WINDOWS\system32\drivers\nvax.sys (NVIDIA Corporation)
DRV - (vnccom) -- C:\WINDOWS\system32\drivers\vnccom.SYS (RDV Soft)
DRV - (vncdrv) -- C:\WINDOWS\system32\drivers\vncdrv.sys (RDV Soft)
DRV - (LMouFlt2) -- C:\WINDOWS\system32\drivers\LMouFlt2.Sys (Logitech, Inc.)
DRV - (L8042pr2) -- C:\WINDOWS\system32\drivers\L8042pr2.Sys (Logitech, Inc.)
DRV - (vobiw) -- C:\WINDOWS\System32\drivers\vobIW.sys (VOB Computersysteme GmbH)
DRV - (VOBID) -- C:\WINDOWS\system32\DRIVERS\vobid.sys (Pinnacle Systems)
DRV - (Sentinel) -- C:\WINDOWS\System32\Drivers\SENTINEL.SYS (Rainbow Technologies, Inc.)
DRV - (SNTNLUSB) -- C:\WINDOWS\system32\drivers\SNTNLUSB.SYS (Rainbow Technologies Inc.)
DRV - (cdrdrv) -- C:\WINDOWS\system32\drivers\Cdrdrv.sys (VOB Computersysteme GmbH)
DRV - (ASAPIW2K) -- C:\WINDOWS\system32\drivers\asapiW2k.sys (VOB Computersysteme GmbH)
DRV - (vobcom) -- C:\WINDOWS\System32\drivers\vobcom.sys (VOB Computersysteme GmbH)
DRV - (Aspi32) -- C:\WINDOWS\System32\drivers\aspi32.sys (Adaptec)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8074

========== FireFox ==========

FF - prefs.js..browser.search.param.yahoo-fr: "chrf-i3752"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-i3752"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..network.proxy.type: 4


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/09 06:15:24 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/01/02 18:19:10 | 000,000,000 | ---D | M]

[2009/08/29 10:12:45 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/10/31 10:26:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hd0rjl1v.default\extensions
[2009/08/29 10:13:39 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hd0rjl1v.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/01/26 21:05:08 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hd0rjl1v.default\extensions\browserhighlighter@ebay.com
[2010/10/31 10:26:30 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/24 12:00:33 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/08/21 08:03:51 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/10/31 09:56:24 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010/04/24 12:00:22 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/09/15 03:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/01/02 19:21:04 | 000,427,666 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 14750 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (Microsoft Corp.)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Lexmark X1100 Series] C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe (Lexmark International, Inc.)
O4 - HKLM..\Run: [MsmqIntCert] C:\WINDOWS\System32\mqrt.dll (Microsoft Corporation)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O4 - HKCU..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Broadband Networking.lnk = C:\WINDOWS\Installer\{06B2B442-19FE-4398-BD4B-F5C00928DD8E}\_18be6784.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKCU\..Trusted Domains: //@install.mar@ ([]msni in My Computer)
O15 - HKCU\..Trusted Domains: //@mail.mar@ ([]msni in Local intranet)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269188900343 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269188890109 (MUWebControl Class)
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab (NVIDIA Smart Scan)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/04/30 14:35:18 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/10/29 10:46:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Downloads
[2011/01/05 22:09:22 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/01/05 07:12:21 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/01/05 07:08:25 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/01/05 07:08:25 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/01/05 07:08:25 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/01/05 07:08:25 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/01/05 07:07:54 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/01/04 21:06:12 | 001,345,624 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/01/05 22:11:29 | 004,148,657 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2011/01/05 22:09:23 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/01/05 21:50:41 | 000,002,355 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Broadband Networking.lnk
[2011/01/05 21:50:21 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/01/05 07:12:24 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/01/04 20:11:53 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/01/03 18:55:06 | 000,000,074 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Problem with Redirect bug and windows update. - Safer-Networking Forums.URL
[2011/01/02 19:21:04 | 000,427,666 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/01/02 18:19:11 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
[2011/01/02 17:53:32 | 000,454,652 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/01/02 17:53:32 | 000,075,338 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/01/01 12:26:16 | 000,000,136 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Log In.url
[2011/01/01 02:30:48 | 000,003,436 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Attach.zip
[2011/01/01 02:29:07 | 000,076,288 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\UNLESS SPECIFICALLY INSTRUCTED.doc
[2011/01/01 02:23:48 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Microsoft Word.lnk
[2010/12/30 09:24:14 | 000,002,433 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\VPN Client.lnk
[2010/12/28 06:18:34 | 000,000,611 | ---- | M] () -- C:\WINDOWS\lexstat.ini
[2010/12/28 04:54:46 | 000,025,088 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\week end 12-25-10 payroll end 12-25-10.xls
[2010/12/28 04:52:28 | 000,002,471 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Microsoft Excel.lnk
[2010/12/27 23:33:57 | 000,014,336 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Lafrance Expense.xls
[2010/12/26 21:44:58 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/12/26 15:47:19 | 000,000,281 | ---- | M] () -- C:\Boot.bak
[2010/12/24 17:09:20 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/12/23 19:24:28 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Bruschetta with Tomato and Basil Recipe.doc
[2010/12/22 23:22:43 | 000,000,802 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2010/12/22 23:22:43 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/12/22 23:20:42 | 000,427,606 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20060102-165400.backup
[2010/12/22 04:47:45 | 000,025,088 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\week end 12-18-10 payroll end 12-25-10.xls
[2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/12/16 09:47:52 | 001,345,624 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
[2010/12/15 23:52:20 | 019,820,886 | R--- | M] () -- C:\Documents and Settings\Administrator\My Documents\JibJab_Order_3174369_Movie.mp4
[2010/12/14 10:10:55 | 000,025,088 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\week end 12-11-10 payroll end 12-11-10.xls
[2010/12/12 11:01:21 | 000,426,196 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20101222-232042.backup
[2010/12/11 09:21:16 | 000,002,217 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/12/08 23:26:45 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Children who talk back or argued with your elders got in trouble.doc
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/01/05 07:08:25 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/01/05 07:08:25 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/01/05 07:08:25 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/01/05 07:04:20 | 004,148,657 | R--- | C] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2011/01/03 18:55:06 | 000,000,074 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Problem with Redirect bug and windows update. - Safer-Networking Forums.URL
[2011/01/02 18:19:11 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
[2011/01/01 12:26:05 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Log In.url
[2011/01/01 02:30:48 | 000,003,436 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Attach.zip
[2011/01/01 02:29:07 | 000,076,288 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\UNLESS SPECIFICALLY INSTRUCTED.doc
[2010/12/28 04:54:46 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\week end 12-25-10 payroll end 12-25-10.xls
[2010/12/27 23:32:24 | 000,014,336 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Lafrance Expense.xls
[2010/12/24 17:07:15 | 056,937,350 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Tree 2010.MOV
[2010/12/23 19:24:27 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Bruschetta with Tomato and Basil Recipe.doc
[2010/12/22 23:22:43 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/12/22 04:47:45 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\week end 12-18-10 payroll end 12-25-10.xls
[2010/12/15 23:55:18 | 019,820,886 | R--- | C] () -- C:\Documents and Settings\Administrator\My Documents\JibJab_Order_3174369_Movie.mp4
[2010/12/14 10:10:54 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\week end 12-11-10 payroll end 12-11-10.xls
[2010/12/08 23:26:45 | 000,019,456 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Children who talk back or argued with your elders got in trouble.doc
[2010/07/09 14:04:40 | 000,041,872 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll
[2010/05/22 14:25:25 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2010/04/18 00:20:23 | 000,000,797 | ---- | C] () -- C:\WINDOWS\PSTUDIO.INI
[2010/04/18 00:19:41 | 000,206,336 | ---- | C] () -- C:\WINDOWS\PCDLIB32.DLL
[2010/03/27 12:56:39 | 000,000,000 | ---- | C] () -- C:\WINDOWS\LCDMedia.INI
[2010/03/26 20:30:23 | 000,076,407 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Smiley.ico
[2010/02/14 12:00:28 | 000,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2010/02/14 11:21:32 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2009/12/24 21:57:18 | 000,005,052 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\xqkcebzs.dik
[2009/10/18 10:14:12 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\qtmlClient.dll
[2009/10/18 10:14:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Graffiti5.2Pin.ini
[2009/09/07 22:32:37 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2009/09/03 22:20:53 | 000,019,456 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/27 19:23:34 | 000,138,240 | ---- | C] () -- C:\WINDOWS\System32\Viasetup.dll
[2009/08/18 22:54:58 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2009/08/14 14:40:01 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2009/08/14 01:16:18 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2009/08/14 01:16:18 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2009/01/29 12:54:16 | 000,004,819 | ---- | C] () -- C:\WINDOWS\PlainEnglish.INI
[2009/01/29 12:49:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\CmdLine.INI
[2009/01/28 18:12:56 | 000,002,473 | ---- | C] () -- C:\WINDOWS\PINPOINT.INI
[2009/01/28 15:19:31 | 000,806,912 | ---- | C] () -- C:\WINDOWS\System32\rvctl.dll
[2009/01/13 11:29:00 | 000,197,408 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2009/01/13 11:28:44 | 000,193,312 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2008/10/15 17:54:36 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\ASPRTMM0.DLL
[2008/02/08 16:13:44 | 000,319,488 | ---- | C] () -- C:\WINDOWS\System32\LS3Renderer.dll
[2007/05/14 10:13:20 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\rview.dll
[2007/05/03 17:30:24 | 000,000,369 | ---- | C] () -- C:\WINDOWS\ListView.INI
[2007/05/01 08:47:55 | 000,000,080 | ---- | C] () -- C:\WINDOWS\Continuum.INI
[2007/05/01 08:18:32 | 000,000,565 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/05/01 08:06:45 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\Lfkodak.dll
[2007/05/01 08:06:44 | 000,338,944 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll
[2007/05/01 08:06:41 | 000,145,408 | ---- | C] () -- C:\WINDOWS\System32\Bclw32.dll
[2007/04/30 08:26:48 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/01/02 08:54:37 | 000,000,611 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2006/01/02 08:54:26 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxbkvs.dll
[2006/01/02 08:54:25 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\LXBKLCNP.DLL
[2006/01/02 08:54:14 | 000,000,266 | ---- | C] () -- C:\WINDOWS\System32\lxbkcoin.ini
[2002/02/27 16:28:16 | 000,138,752 | ---- | C] () -- C:\WINDOWS\System32\MASE32.DLL
[2002/02/27 16:28:16 | 000,057,856 | ---- | C] () -- C:\WINDOWS\System32\MASD32.DLL
[2002/02/27 16:28:14 | 000,196,096 | ---- | C] () -- C:\WINDOWS\System32\MACD32.DLL
[2002/02/27 16:28:14 | 000,136,192 | ---- | C] () -- C:\WINDOWS\System32\MAMC32.DLL
[2002/02/27 16:28:14 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\MA32.DLL

========== LOP Check ==========

[2009/08/18 22:12:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Blitware
[2010/04/15 19:33:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Facebook
[2009/08/09 05:30:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\GetRightToGo
[2010/02/19 22:14:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\NCH Swift Sound
[2009/10/18 10:14:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\proDAD
[2009/12/02 22:54:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Radmin
[2009/10/15 19:57:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Recordpad
[2006/01/02 08:56:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2009/10/15 19:49:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2009/08/09 05:30:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2009/10/18 09:58:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle
[2009/10/18 09:58:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle Studio Plus
[2009/10/18 10:03:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle Studio Ultimate
[2009/10/18 09:58:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Studio 12
[2007/05/01 08:47:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TAC
[2011/01/05 07:07:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >

[B]Extras.Txt

OTL Extras logfile created on: 1/5/2011 10:25:13 PM - Run 1
OTL by OldTimer - Version 3.2.20.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 641.00 Mb Available Physical Memory | 63.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 2000 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 2.84 Gb Free Space | 3.81% Space Free | Partition Type: NTFS

Computer Name: ED-MASTER | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Xfire\Xfire.exe" = C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire -- (Xfire Inc.)
"C:\Program Files\Fox\Aliens vs. Predator 2\AVP2Serv.exe" = C:\Program Files\Fox\Aliens vs. Predator 2\AVP2Serv.exe:*:Enabled:AVP2 Stand-Alone Server -- (Monolith Productions Inc.)
"C:\Program Files\Fox\Aliens vs. Predator 2\lithtech.exe" = C:\Program Files\Fox\Aliens vs. Predator 2\lithtech.exe:*:Enabled:Client -- ()
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\Fox\Aliens vs. Predator 2\AVP2TFServ.exe" = C:\Program Files\Fox\Aliens vs. Predator 2\AVP2TFServ.exe:*:Enabled:AVP2 Stand-Alone Server -- (Monolith Productions Inc.)
"C:\Program Files\Pinnacle\Studio 12\Programs\RM.exe" = C:\Program Files\Pinnacle\Studio 12\Programs\RM.exe:*:Enabled:Render Manager -- (Pinnacle Systems)
"C:\Program Files\Pinnacle\Studio 12\Programs\Studio.exe" = C:\Program Files\Pinnacle\Studio 12\Programs\Studio.exe:*:Enabled:Studio -- (Pinnacle Systems)
"C:\Program Files\Pinnacle\Studio 12\Programs\umi.exe" = C:\Program Files\Pinnacle\Studio 12\Programs\umi.exe:*:Enabled:umi -- (Pinnacle Systems)
"C:\Program Files\Steam\steamapps\common\aliens vs predator demo\AvP.exe" = C:\Program Files\Steam\steamapps\common\aliens vs predator demo\AvP.exe:*:Enabled:Aliens vs Predator Demo -- (Sega Europe Limited)
"C:\Program Files\Steam\Steam.exe" = C:\Program Files\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00030409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Small Business
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{06053AB3-B607-B752-3252-4A2EA9E9761E}" = CCC Help Dutch
"{06B2B442-19FE-4398-BD4B-F5C00928DD8E}" = Microsoft Broadband Networking
"{0B4A8658-43F1-50CA-AF30-C67E3AE2C9ED}" = CCC Help Greek
"{0CC61470-D776-2353-D5CB-C7BC20204863}" = CCC Help Finnish
"{109945A8-D8D5-48B8-B4A5-195D3F99B56D}" = Logitech GamePanel Software 3.04.143
"{12655AB3-9285-A2F0-5BBC-C5C45E4D718C}" = CCC Help Czech
"{139E303E-1050-497F-98B1-9AE87B15C463}" = Windows Live Family Safety
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = PowerStarter
"{1FF713E1-FE5E-4AD0-9C8C-B2E877846B45}" = Catalyst Control Center - Branding
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{24700C01-3A72-29D4-001B-6EE6BF71EB5E}" = CCC Help Korean
"{26262388-95BF-58B0-CD46-A8F957BB67BF}" = Catalyst Control Center Graphics Full Existing
"{262BF2CD-601D-4F43-919C-4B00B1D1F338}" = Boris Graffiti
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 22
"{329376FB-FB6C-C587-F483-07E3418456F5}" = ccc-utility
"{33A38A8B-9E1E-BCBB-EA87-CE797EC75080}" = CCC Help Chinese Traditional
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35343FF7-939B-401A-87B3-FF90A5123D88}" = Microsoft XML Parser and SDK
"{369EEB32-64D1-F22A-1B2C-A3E81582E767}" = CCC Help Japanese
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3EF79591-BF16-4CF8-8FF0-D8AD968228B1}" = Aliens vs. Predator 2
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{3FCD8F30-057D-C96F-AEF4-B0D77DE9730C}" = CCC Help Portuguese
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go 4.0
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{46605BDE-7F82-DB0F-7906-3279A7E639BE}" = Catalyst Control Center Localization All
"{480A8E00-D808-7D79-977B-CEBBB3BEB409}" = CCC Help French
"{48C7FD10-D6AD-8EE0-2E8E-0480C4EEB1BD}" = Catalyst Control Center HydraVision Full
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5081528F-5DD5-49BA-8213-9A6A13502497}" = Sentinel System Driver 5.41.1 (32-bit)
"{5809E7CF-4DCF-11D4-9875-00105ACE7734}" = Logitech MouseWare 9.79.1
"{5CA7ABC3-5F89-3A1D-A113-046EA4C7FCEB}" = ccc-core-static
"{5EB90C06-964F-4195-B83E-BD7E55C88415}" = Pinnacle Video Driver
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{68E1BAC6-F79F-43C4-AF03-A89F53F748D3}" = Microsoft XML Parser
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6F77AD48-BA04-F868-2D04-FC1BFF5E00BA}" = Catalyst Control Center Graphics Light
"{75F9640C-DE21-40AF-92E2-06DFD821C7EE}" = TAC Video Layout Control
"{788907C5-C83B-9785-A1F0-67050017324E}" = CCC Help Spanish
"{7F5F1767-88C6-CBFC-5DD3-D853343FD5AE}" = CCC Help German
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84DE3702-3262-BE38-27E8-5ED423D803C6}" = CCC Help Chinese Standard
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{87F54A80-158E-436C-9B09-FFFD27F81BD4}" = Community Clips from Microsoft Office Labs
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{95053B5A-42E0-830E-85BD-733FAFC28BA7}" = ccc-core-preinstall
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{9B40D533-4F38-893D-EE5A-17226104BBC2}" = Skins
"{9C9CEB9D-53FD-49A7-85D2-FE674F72F24E}" = Microsoft Search Enhancement Pack
"{9E78C42C-4FF9-4F41-BBC4-BF872606E79D}_is1" = Driver Robot 1.1.0.13
"{A08CB73B-5DEA-185D-5D98-2230004D75ED}" = CCC Help Danish
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A22D91C3-E7BD-CBEE-7CDC-DE4C42FA27B7}" = CCC Help Hungarian
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A8A7ACEF-A7AF-4129-9BC1-4F33A4C31EEC}" = Pinnacle InstantCD/DVD Suite
"{A8AD990E-355A-4413-8647-A9B168978423}_is1" = UltraVNC v1.0.2
"{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}" = Wizard101
"{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.5
"{AC76BA86-7AD7-2448-0000-800000000003}" = Chinese Traditional Fonts Support For Adobe Reader 8
"{AD0DD974-ADC2-8C10-DFA6-C1203A6E5106}" = CCC Help Polish
"{B014F739-B305-5319-D996-6612BD60ED74}" = CCC Help Swedish
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C570CAF4-D734-5412-C842-9AB150803074}" = Catalyst Control Center Core Implementation
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D01F5B2C-2776-6C46-441C-E819C08DF4FF}" = CCC Help Turkish
"{D041EB9E-890A-4098-8F94-51DA194AC72A}" = Pinnacle Studio 12
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D1696920-9794-4BBC-8A30-7A88763DE5A2}" = ABBYY FineReader 5.0 Sprint
"{D1860E6E-520E-4380-8433-E58E8F88B473}" = Pinnacle Studio 12 Ultimate Plugins
"{D2FCA53F-F568-D08A-458F-F7C9769A30ED}" = CCC Help Norwegian
"{D5A9B7C0-8751-11D8-9D75-000129760D75}" = MediaShow 3.0
"{D5E4F342-4ED4-489E-B0EC-0391248FB774}" = ATECH FLASH PRO-9
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{D89B70AB-CF91-36A4-8658-FACA3AF6A654}" = Catalyst Control Center Graphics Previews Common
"{DF1274DC-02D4-B2D7-6197-5D24E1EF84B1}" = CCC Help Thai
"{E000D42E-5842-20A6-EEB1-6DED8C2746C5}" = CCC Help Italian
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E7679B31-21F5-4AAE-1620-0DFACF702325}" = Catalyst Control Center Graphics Full New
"{EC4899D2-9915-4603-ABEE-8B15CACE2888}" = AMD LCD Keyboard Applet
"{EC6CD724-3D9F-11D5-80D7-00104BD1A098}" = Continuum
"{EEAA3E5E-1296-45AD-A59E-5D63F604867D}" = Radmin Viewer 3.3
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F3C1DE9E-5E16-4BA9-B854-7B53A45E3579}" = Cisco Systems VPN Client 5.0.05.0290
"{F45298E5-0083-426F-A668-1A2C5F04B8A0}" = FaxTools
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F83491F9-7CDF-46A7-9994-9E002CE5CE75}" = CCC Help Russian
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FDE409B1-1FF3-DC39-083E-C0F4ED496D5E}" = CCC Help English
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 7.0.1" = Adobe Photoshop 7.0.1
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"Audacity_is1" = Audacity 1.2.6
"CustomShortMaker_is1" = CustomShortMaker 1.0.3a
"EPISUITE SDK 5.1" = EPISUITE SDK Redistribution
"ERUNT_is1" = ERUNT 1.1j
"ESET Online Scanner" = ESET Online Scanner v3
"ExpressBurn" = Express Burn
"ExpressRip" = Express Rip
"Fraps" = Fraps (remove only)
"Gadwin PrintScreen" = Gadwin PrintScreen
"HijackThis" = HijackThis 2.0.2
"ie8" = Windows Internet Explorer 8
"jZip" = jZip
"Lexmark X1100 Series" = Lexmark X1100 Series
"Magic Bullet Looks Studio" = Magic Bullet Looks Studio
"Magic ISO Maker v5.5 (build 0276)" = Magic ISO Maker v5.5 (build 0276)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MixPad" = MixPad Audio Mixer
"Mozilla Firefox (3.6.11)" = Mozilla Firefox (3.6.11)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"NVIDIA Drivers" = NVIDIA Drivers
"proDAD-Vitascene-1.0" = proDAD Vitascene 1.0
"Recordpad" = RecordPad Sound Recorder
"SpywareBlaster_is1" = SpywareBlaster 4.4
"Steam App 34200" = Aliens vs Predator Demo
"Switch" = Switch Sound File Converter
"Teamspeak 2 RC2_is1" = TeamSpeak 2 RC2
"WavePad" = WavePad Sound Editor
"WIC" = Windows Imaging Component
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xfire" = Xfire (remove only)
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Facebook Plug-In" = Facebook Plug-In

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/2/2011 7:02:34 PM | Computer Name = ED-MASTER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 1/2/2011 7:02:34 PM | Computer Name = ED-MASTER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/2/2011 7:38:00 PM | Computer Name = ED-MASTER | Source = MSDTC | ID = 4404
Description = MS DTC Tracing infrastructure : the initialization of the tracing
infrastructure failed. Internal Information : msdtc_trace : File: d:\comxp_sp3\com\com1x\dtc\dtc\trace\src\tracelib.cpp,
Line: 1115, StartTrace Failed, hr=0x80070070

Error - 1/2/2011 7:51:08 PM | Computer Name = ED-MASTER | Source = MSDTC | ID = 4404
Description = MS DTC Tracing infrastructure : the initialization of the tracing
infrastructure failed. Internal Information : msdtc_trace : File: d:\comxp_sp3\com\com1x\dtc\dtc\trace\src\tracelib.cpp,
Line: 1115, StartTrace Failed, hr=0x80070070

Error - 1/3/2011 7:41:25 PM | Computer Name = ED-MASTER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 1/3/2011 7:41:25 PM | Computer Name = ED-MASTER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/4/2011 9:14:55 PM | Computer Name = ED-MASTER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 1/4/2011 9:14:56 PM | Computer Name = ED-MASTER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/4/2011 9:25:18 PM | Computer Name = ED-MASTER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 1/4/2011 9:25:19 PM | Computer Name = ED-MASTER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 12/8/2010 11:59:37 PM | Computer Name = ED-MASTER | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/8/2010 11:59:37 PM | Computer Name = ED-MASTER | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 12/8/2010 11:59:37 PM | Computer Name = ED-MASTER | Source = Service Control Manager | ID = 7001
Description = The vnccom service depends on the vncdrv service which failed to start
because of the following error: %%1058

Error - 12/9/2010 12:01:59 AM | Computer Name = ED-MASTER | Source = Service Control Manager | ID = 7022
Description = The Automatic Updates service hung on starting.

Error - 12/9/2010 6:48:12 AM | Computer Name = ED-MASTER | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/9/2010 6:48:12 AM | Computer Name = ED-MASTER | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 12/9/2010 6:48:20 AM | Computer Name = ED-MASTER | Source = Service Control Manager | ID = 7001
Description = The vnccom service depends on the vncdrv service which failed to start
because of the following error: %%1058

Error - 12/9/2010 6:57:34 AM | Computer Name = ED-MASTER | Source = Service Control Manager | ID = 7001
Description = The vnccom service depends on the vncdrv service which failed to start
because of the following error: %%1058

Error - 12/9/2010 6:57:35 AM | Computer Name = ED-MASTER | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/9/2010 6:57:35 AM | Computer Name = ED-MASTER | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.


< End of report >

ken545
2011-01-06, 11:33
Good Morning,

Open OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL



:OTL
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8074
[2010/12/22 23:20:42 | 000,427,606 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20060102-165400.backup
[2010/12/12 11:01:21 | 000,426,196 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20101222-232042.backup


:Services

:Reg

:Files


:Commands
[purity]
[emptytemp]
[RESETHOSTS]
[start explorer]
[Reboot]

Then click the Run Fix button at the top. <--Not run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces.
Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

ARCHellraiser
2011-01-06, 14:27
as instructed:

All processes killed
========== OTL ==========
No active process named explorer.exe was found!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
C:\WINDOWS\system32\drivers\etc\hosts.20060102-165400.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20101222-232042.backup moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 2155 bytes
->Temporary Internet Files folder emptied: 5851308 bytes
->Java cache emptied: 54954405 bytes
->FireFox cache emptied: 228832664 bytes
->Flash cache emptied: 77336 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 802950 bytes
->Java cache emptied: 532 bytes
->Flash cache emptied: 12580 bytes

User: maint
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 3195014 bytes
->Java cache emptied: 1626 bytes
->Flash cache emptied: 28287 bytes

User: roth
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 99840 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 40960 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 1729 bytes

Total Files Cleaned = 280.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.20.1 log created on 01062011_071322

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...



OTL logfile created on: 1/6/2011 7:17:17 AM - Run 2
OTL by OldTimer - Version 3.2.20.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 607.00 Mb Available Physical Memory | 59.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 2000 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 3.13 Gb Free Space | 4.19% Space Free | Partition Type: NTFS

Computer Name: ED-MASTER | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
PRC - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corp.)
PRC - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
PRC - C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
PRC - C:\Program Files\UltraVNC\winvnc.exe (UltraVNC)
PRC - C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe (Lexmark International, Inc.)
PRC - C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe (Lexmark International, Inc.)
PRC - C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)


========== Win32 Services (SafeList) ==========

SRV - (fsssvc) -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe (Microsoft Corporation)
SRV - (SeaPort) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corp.)
SRV - (CVPND) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
SRV - (winvnc) -- C:\Program Files\UltraVNC\winvnc.exe (UltraVNC)


========== Driver Services (SafeList) ==========

DRV - (catchme) -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys File not found
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (LGVirHid) -- C:\WINDOWS\system32\drivers\LGVirHid.sys (Logitech Inc.)
DRV - (LGBusEnum) -- C:\WINDOWS\system32\drivers\LGBusEnum.sys (Logitech Inc.)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (fssfltr) -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys (Microsoft Corporation)
DRV - (MQAC) -- C:\WINDOWS\system32\drivers\mqac.sys (Microsoft Corporation)
DRV - (CVPNDRVA) -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys (Cisco Systems, Inc.)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\alcxwdm.sys (Realtek Semiconductor Corp.)
DRV - (DNE) -- C:\WINDOWS\system32\drivers\dne2000.sys (Deterministic Networks, Inc.)
DRV - (nvnetbus) -- C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)
DRV - (RMCAST) -- C:\WINDOWS\system32\drivers\rmcast.sys (Microsoft Corporation)
DRV - (vsdatant) -- C:\WINDOWS\system32\vsdatant.sys (Zone Labs, LLC)
DRV - (AmdPPM) -- C:\WINDOWS\system32\drivers\AmdPPM.sys (Advanced Micro Devices)
DRV - (CVirtA) -- C:\WINDOWS\system32\drivers\CVirtA.sys (Cisco Systems, Inc.)
DRV - (amdtools) -- C:\WINDOWS\system32\drivers\amdtools.sys (AMD, Inc.)
DRV - (nvatabus) -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys (NVIDIA Corporation)
DRV - (MarvinBus) -- C:\WINDOWS\system32\drivers\MarvinBus.sys (Pinnacle Systems GmbH)
DRV - (nvata) -- C:\WINDOWS\system32\DRIVERS\nvata.sys (NVIDIA Corporation)
DRV - (nvnforce) Service for NVIDIA(R) nForce(TM) -- C:\WINDOWS\system32\drivers\nvapu.sys (NVIDIA Corporation)
DRV - (nvax) Service for NVIDIA(R) nForce(TM) -- C:\WINDOWS\system32\drivers\nvax.sys (NVIDIA Corporation)
DRV - (vnccom) -- C:\WINDOWS\system32\drivers\vnccom.SYS (RDV Soft)
DRV - (vncdrv) -- C:\WINDOWS\system32\drivers\vncdrv.sys (RDV Soft)
DRV - (LMouFlt2) -- C:\WINDOWS\system32\drivers\LMouFlt2.Sys (Logitech, Inc.)
DRV - (L8042pr2) -- C:\WINDOWS\system32\drivers\L8042pr2.Sys (Logitech, Inc.)
DRV - (vobiw) -- C:\WINDOWS\System32\drivers\vobIW.sys (VOB Computersysteme GmbH)
DRV - (VOBID) -- C:\WINDOWS\system32\DRIVERS\vobid.sys (Pinnacle Systems)
DRV - (Sentinel) -- C:\WINDOWS\System32\Drivers\SENTINEL.SYS (Rainbow Technologies, Inc.)
DRV - (SNTNLUSB) -- C:\WINDOWS\system32\drivers\SNTNLUSB.SYS (Rainbow Technologies Inc.)
DRV - (cdrdrv) -- C:\WINDOWS\system32\drivers\Cdrdrv.sys (VOB Computersysteme GmbH)
DRV - (ASAPIW2K) -- C:\WINDOWS\system32\drivers\asapiW2k.sys (VOB Computersysteme GmbH)
DRV - (vobcom) -- C:\WINDOWS\System32\drivers\vobcom.sys (VOB Computersysteme GmbH)
DRV - (Aspi32) -- C:\WINDOWS\System32\drivers\aspi32.sys (Adaptec)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.param.yahoo-fr: "chrf-i3752"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-i3752"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..network.proxy.type: 4


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/09 06:15:24 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/01/02 18:19:10 | 000,000,000 | ---D | M]

[2009/08/29 10:12:45 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/10/31 10:26:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hd0rjl1v.default\extensions
[2009/08/29 10:13:39 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hd0rjl1v.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/01/26 21:05:08 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hd0rjl1v.default\extensions\browserhighlighter@ebay.com
[2010/10/31 10:26:30 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/24 12:00:33 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/08/21 08:03:51 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/10/31 09:56:24 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010/04/24 12:00:22 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/09/15 03:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/01/06 07:13:52 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (Microsoft Corp.)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Lexmark X1100 Series] C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe (Lexmark International, Inc.)
O4 - HKLM..\Run: [MsmqIntCert] C:\WINDOWS\System32\mqrt.dll (Microsoft Corporation)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O4 - HKCU..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Broadband Networking.lnk = C:\WINDOWS\Installer\{06B2B442-19FE-4398-BD4B-F5C00928DD8E}\_18be6784.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKCU\..Trusted Domains: //@install.mar@ ([]msni in My Computer)
O15 - HKCU\..Trusted Domains: //@mail.mar@ ([]msni in Local intranet)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269188900343 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269188890109 (MUWebControl Class)
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab (NVIDIA Smart Scan)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/04/30 14:35:18 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/10/29 10:46:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Downloads
[2011/01/06 07:13:22 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/01/05 22:52:41 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/01/05 22:09:22 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/01/05 07:12:21 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/01/05 07:08:25 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/01/05 07:08:25 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/01/05 07:08:25 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/01/05 07:08:25 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/01/05 07:07:54 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/01/04 21:06:12 | 001,345,624 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe

========== Files - Modified Within 30 Days ==========

[2011/01/06 07:16:14 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\All processes killed.doc
[2011/01/06 07:15:58 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Microsoft Word.lnk
[2011/01/06 07:14:58 | 000,002,355 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Broadband Networking.lnk
[2011/01/06 07:14:48 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/01/06 07:13:52 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/01/06 04:22:31 | 000,000,611 | ---- | M] () -- C:\WINDOWS\lexstat.ini
[2011/01/06 04:21:04 | 000,025,088 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\week end 1-1-11 payroll end 1-8-11.xls
[2011/01/06 04:17:42 | 000,002,471 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Microsoft Excel.lnk
[2011/01/05 22:11:29 | 004,148,657 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2011/01/05 22:09:23 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/01/05 07:12:24 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/01/04 20:11:53 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/01/03 18:55:06 | 000,000,074 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Problem with Redirect bug and windows update. - Safer-Networking Forums.URL
[2011/01/02 17:53:32 | 000,454,652 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/01/02 17:53:32 | 000,075,338 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/01/01 12:26:16 | 000,000,136 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Log In.url
[2011/01/01 02:30:48 | 000,003,436 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Attach.zip
[2011/01/01 02:29:07 | 000,076,288 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\UNLESS SPECIFICALLY INSTRUCTED.doc
[2010/12/30 09:24:14 | 000,002,433 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\VPN Client.lnk
[2010/12/28 04:54:46 | 000,025,088 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\week end 12-25-10 payroll end 12-25-10.xls
[2010/12/27 23:33:57 | 000,014,336 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Lafrance Expense.xls
[2010/12/26 21:44:58 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/12/26 15:47:19 | 000,000,281 | ---- | M] () -- C:\Boot.bak
[2010/12/24 17:09:20 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/12/23 19:24:28 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Bruschetta with Tomato and Basil Recipe.doc
[2010/12/22 23:22:43 | 000,000,802 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2010/12/22 23:22:43 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/12/22 04:47:45 | 000,025,088 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\week end 12-18-10 payroll end 12-25-10.xls
[2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/12/16 09:47:52 | 001,345,624 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
[2010/12/15 23:52:20 | 019,820,886 | R--- | M] () -- C:\Documents and Settings\Administrator\My Documents\JibJab_Order_3174369_Movie.mp4
[2010/12/14 10:10:55 | 000,025,088 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\week end 12-11-10 payroll end 12-11-10.xls
[2010/12/11 09:21:16 | 000,002,217 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/12/08 23:26:45 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Children who talk back or argued with your elders got in trouble.doc

========== Files Created - No Company Name ==========

[2011/01/06 07:16:14 | 000,024,576 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\All processes killed.doc
[2011/01/06 04:21:04 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\week end 1-1-11 payroll end 1-8-11.xls
[2011/01/05 07:08:25 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/01/05 07:08:25 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/01/05 07:08:25 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/01/05 07:04:20 | 004,148,657 | R--- | C] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2011/01/03 18:55:06 | 000,000,074 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Problem with Redirect bug and windows update. - Safer-Networking Forums.URL
[2011/01/01 12:26:05 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Log In.url
[2011/01/01 02:30:48 | 000,003,436 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Attach.zip
[2011/01/01 02:29:07 | 000,076,288 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\UNLESS SPECIFICALLY INSTRUCTED.doc
[2010/12/28 04:54:46 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\week end 12-25-10 payroll end 12-25-10.xls
[2010/12/27 23:32:24 | 000,014,336 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Lafrance Expense.xls
[2010/12/24 17:07:15 | 056,937,350 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Tree 2010.MOV
[2010/12/23 19:24:27 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Bruschetta with Tomato and Basil Recipe.doc
[2010/12/22 23:22:43 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/12/22 04:47:45 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\week end 12-18-10 payroll end 12-25-10.xls
[2010/12/15 23:55:18 | 019,820,886 | R--- | C] () -- C:\Documents and Settings\Administrator\My Documents\JibJab_Order_3174369_Movie.mp4
[2010/12/14 10:10:54 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\week end 12-11-10 payroll end 12-11-10.xls
[2010/12/08 23:26:45 | 000,019,456 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Children who talk back or argued with your elders got in trouble.doc
[2010/07/09 14:04:40 | 000,041,872 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll
[2010/05/22 14:25:25 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2010/04/18 00:20:23 | 000,000,797 | ---- | C] () -- C:\WINDOWS\PSTUDIO.INI
[2010/04/18 00:19:41 | 000,206,336 | ---- | C] () -- C:\WINDOWS\PCDLIB32.DLL
[2010/03/27 12:56:39 | 000,000,000 | ---- | C] () -- C:\WINDOWS\LCDMedia.INI
[2010/03/26 20:30:23 | 000,076,407 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Smiley.ico
[2010/02/14 12:00:28 | 000,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2010/02/14 11:21:32 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2009/12/24 21:57:18 | 000,005,052 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\xqkcebzs.dik
[2009/10/18 10:14:12 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\qtmlClient.dll
[2009/10/18 10:14:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Graffiti5.2Pin.ini
[2009/09/07 22:32:37 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2009/09/03 22:20:53 | 000,019,456 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/27 19:23:34 | 000,138,240 | ---- | C] () -- C:\WINDOWS\System32\Viasetup.dll
[2009/08/18 22:54:58 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2009/08/14 14:40:01 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2009/08/14 01:16:18 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2009/08/14 01:16:18 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2009/01/29 12:54:16 | 000,004,819 | ---- | C] () -- C:\WINDOWS\PlainEnglish.INI
[2009/01/29 12:49:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\CmdLine.INI
[2009/01/28 18:12:56 | 000,002,473 | ---- | C] () -- C:\WINDOWS\PINPOINT.INI
[2009/01/28 15:19:31 | 000,806,912 | ---- | C] () -- C:\WINDOWS\System32\rvctl.dll
[2009/01/13 11:29:00 | 000,197,408 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2009/01/13 11:28:44 | 000,193,312 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2008/10/15 17:54:36 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\ASPRTMM0.DLL
[2008/02/08 16:13:44 | 000,319,488 | ---- | C] () -- C:\WINDOWS\System32\LS3Renderer.dll
[2007/05/14 10:13:20 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\rview.dll
[2007/05/03 17:30:24 | 000,000,369 | ---- | C] () -- C:\WINDOWS\ListView.INI
[2007/05/01 08:47:55 | 000,000,080 | ---- | C] () -- C:\WINDOWS\Continuum.INI
[2007/05/01 08:18:32 | 000,000,565 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/05/01 08:06:45 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\Lfkodak.dll
[2007/05/01 08:06:44 | 000,338,944 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll
[2007/05/01 08:06:41 | 000,145,408 | ---- | C] () -- C:\WINDOWS\System32\Bclw32.dll
[2007/04/30 08:26:48 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/01/02 08:54:37 | 000,000,611 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2006/01/02 08:54:26 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxbkvs.dll
[2006/01/02 08:54:25 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\LXBKLCNP.DLL
[2006/01/02 08:54:14 | 000,000,266 | ---- | C] () -- C:\WINDOWS\System32\lxbkcoin.ini
[2002/02/27 16:28:16 | 000,138,752 | ---- | C] () -- C:\WINDOWS\System32\MASE32.DLL
[2002/02/27 16:28:16 | 000,057,856 | ---- | C] () -- C:\WINDOWS\System32\MASD32.DLL
[2002/02/27 16:28:14 | 000,196,096 | ---- | C] () -- C:\WINDOWS\System32\MACD32.DLL
[2002/02/27 16:28:14 | 000,136,192 | ---- | C] () -- C:\WINDOWS\System32\MAMC32.DLL
[2002/02/27 16:28:14 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\MA32.DLL

========== Alternate Data Streams ==========

@Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >


Thanks---> off to work
later
HR

ken545
2011-01-06, 19:07
:bigthumb:

Please run this free online virus scanner from ESET (http://www.eset.com/onlinescan/)

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

ARCHellraiser
2011-01-07, 05:01
As Directed

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=f3f4ea1f6737e14998f3fee40a88c61c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2006-01-01 05:48:39
# local_time=2006-01-01 12:48:39 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=91293
# found=0
# cleaned=0
# scan_time=2694
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=f3f4ea1f6737e14998f3fee40a88c61c
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-01-07 02:26:02
# local_time=2011-01-06 09:26:02 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 24973708 24973708 0 0
# compatibility_mode=8192 67108863 100 0 40532493 40532493 0 0
# scanned=77735
# found=0
# cleaned=0
# scan_time=4845


thanks

HR

ken545
2011-01-07, 12:02
Looking good, any more problems ?

ARCHellraiser
2011-01-07, 13:31
Morning Ken, did some surfing and NO redirect..:eek:
Windows update now runs and works, start up does not hang..
Looks Good to me.
Do I need to do anything to my restore points??
if not we are good.

ken545
2011-01-07, 13:48
:bigthumb:

Yep, lets get rid of the old restore points

System Restore is a component of Microsoft's Windows Me, Windows XP, Windows Vista and Windows 7 operating systems that allows for the rolling back of system files, registry keys, installed programs, etc., to a previous state in the event of malfunctioning or failure. Old restore points can be a source of re-infection.

Please follow the steps below to create a clean restore point:

Click Start > Run > copy and paste the following into the run box:

%SystemRoot%\System32\restore\rstrui.exe
Press OK. Choose Create a Restore Point then click Next.
Name it (something you'll remember) and click Create.
When the confirmation screen shows the restore point has been created click Close.


Then remove all previous Restore Points

Click Start > Run > copy and paste the following into the run box:

cleanmgr
Choose to scan drive C:\ (if C:\ is your main drive).
At the top, click on More Options tab. Click the Clean up... button in the System Restore box.
Click on the Yes button.
When finished, click on Cancel button to exit.





Keep Java up to date
Download JavaRa (http://majorgeeks.com/JavaRA_d5982.html) to your desktop and unzip it to its own folder

Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.
Open JavaRa.exe again and select Search For Updates.
Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.




Open OTL and click on Cleanup and it will remove most of the tools we used to clean your system.




How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)


Safe Surfn
Ken

ARCHellraiser
2011-01-08, 03:50
Evening,

Been A while since start up was this fast..you really don't know you have slowed down.

Did as instructed and updated Java.

:thanks: for all your help again... :bow:

HR

ken545
2011-01-08, 04:31
Your more than welcome,

Take care,

Ken :)

ARCHellraiser
2011-01-08, 04:43
:confused::confused: Hi again...
Well after I posted did some things and went to windows update.
It opened and downloaded the latest update ...
hit install and it went thru it's usual download,
then tried to install. but ALL failed.
disabled spy-ware and tried again "failed"

never had this happen before..can you Help !

HR

ken545
2011-01-08, 04:50
What you need to do is post here in the windows forum as we just do malware removal on this one. All us forums work together so you can link them to this thread so they can see what we have done.

http://forums.whatthetech.com/index.php?showforum=119

Post back and let me know if they fixed it

ARCHellraiser
2011-01-10, 04:42
Evening Ken,
Was a little more complicated than expected .. We found one of the services shut down but it still failed..they could not really help but
did point me in the right direction and after spending the day on the MS :coffee:support site i figured it out.
We are good to go, was lucky was an easy fix.
Thanks for your support over the years..

as always
HR

ken545
2011-01-10, 11:23
:bigthumb: Thanks for letting me know

Ken :)

ken545
2011-01-11, 11:27
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.