google results redirect



BBecker
2011-05-03, 06:03
Starting this morning, Google results take us to sites other than those displayed in the search results.

We sure would prefer not to have to start over with a clean drive (particularly if there's a chance of reinfecting when pulling data from the old drive).

Any help is appreciated!


DDS log follows:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Malia Becker at 23:18:46.39 on Mon 05/02/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.723 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Documents and Settings\Malia Becker\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\ThinkPad\ConnectUtilities\qcwizard.exe
C:\Documents and Settings\Malia Becker\Desktop\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.worldmag.com/index.cfm
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uWinlogon: Shell=c:\documents and settings\malia becker\application data\hotfix.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [S3TRAY2] S3Tray2.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [UC_Start] c:\program files\ibm\updater\\ucstartup.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [<NO NAME>]
mRun: [ibmmessages] c:\program files\ibm\messages by ibm\\ibmmessages.exe
mRun: [QCTRAY] c:\program files\thinkpad\connectutilities\QCTRAY.EXE
mRun: [QCWLICON] c:\progra~1\thinkpad\connec~1\QCWLIcon.exe
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SBAMTray] "c:\program files\sunbelt software\vipre\SBAMTray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\maliab~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\malia becker\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: {0612502E-29F8-11D6-BC3C-00C0F0167E34} - hxxp://www.crsdata.net/CRSDataObject/CRSNInfo.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.crsdata.net/investor/maps/downloads/mgaxctrlv65.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {C7C7152F-6E85-44F3-A14B-A7F85FDDEA3B} - hxxp://www.tellmemore-online.com/bin/tol7inst.cab
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.1/jinstall-141-win.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://keymark.webex.com/client/v_mywebex-t20/support/ieatgpc.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: QConGina - QConGina.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\maliab~1\applic~1\mozilla\firefox\profiles\we1cutxq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.worldmag.com/index.cfm
FF - plugin: c:\documents and settings\malia becker\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\malia becker\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol308.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\malia becker\application data\Move Networks
.
============= SERVICES / DRIVERS ===============
.
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2010-9-5 21464]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-5-13 98392]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2010-9-5 212568]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2005-6-25 16384]
R2 SBAMSvc;VIPRE Antivirus;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2010-8-20 2763080]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-9-5 69976]
R2 SBPIMSvc;SB Recovery Service;c:\program files\sunbelt software\vipre\SBPIMSvc.exe [2010-8-20 181584]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
S3 ICDUSB2;Sony IC Recorder (ST);c:\windows\system32\drivers\IcdUsb2.sys [2005-8-11 39048]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-6-25 12288]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== Created Last 30 ================
.
2011-05-03 03:17:07 -------- d-----w- C:\scan
2011-04-15 11:21:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\SSScanAppDataDir
2011-04-15 01:37:52 -------- d-----w- c:\docume~1\maliab~1\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-20 18:17:55 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-02-17 13:51:57 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 13:51:57 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51:57 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 12:37:38 369664 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600BEVE-00UYT0 rev.01.04A01 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A2EFECC]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x889ca879; SUB DWORD [EBP-0x4], 0x889ca135; PUSH EDI; CALL 0xffffffffffffdf2c; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8A393AB8]
3 CLASSPNP[0xF7647FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000083[0x8A34B1B0]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E37D5] -> [0x8A340940]
[0x8A394CF8] -> IRP_MJ_CREATE -> 0x8A2EFECC
kernel: MBR read successfully
_asm { CALL 0x115; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD1600BEVE-00UYT0___________________01.04A01#5&2cae0b77&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A2EFAF1
user & kernel MBR OK
sectors 312581806 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 23:21:57.30 ===============

ken545
2011-05-09, 13:34


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.


You're infected with a Rootkit

Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) (511KB) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start the scan
http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan, click "Save log", save it to your desktop and post it in your next reply
http://public.avast.com/~gmerek/aswMBR2.png

BBecker
2011-05-09, 14:23
Thank you for the help! aswMBR log follows:

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-09 07:58:32
-----------------------------
07:58:32.494 OS Version: Windows 5.1.2600 Service Pack 3
07:58:32.494 Number of processors: 1 586 0xD06
07:58:32.514 ComputerName: SRS1 UserName:
07:58:49.248 Initialize success
07:58:53.935 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
07:58:53.935 Disk 0 Vendor: WDC_WD1600BEVE-00UYT0 01.04A01 Size: 152627MB BusType: 3
07:58:53.975 Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD1600BEVE-00UYT0___________________01.04A01#5&2cae0b77&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
07:58:53.975 Device \Driver\atapi -> DriverStartIo 8a2efaf1
07:58:55.978 Disk 0 MBR read successfully
07:58:55.978 Disk 0 MBR scan
07:58:55.978 Disk 0 unknown MBR code
07:58:58.001 Disk 0 scanning sectors +312560640
07:58:58.031 Disk 0 scanning C:\WINDOWS\system32\drivers
07:59:32.030 File C:\WINDOWS\system32\drivers\ohci1394.sys TDL3 **ROOTKIT**
07:59:32.030 Disk 0 trace - called modules:
07:59:32.050 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a2efecc]<<
07:59:32.050 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a393ab8]
07:59:32.050 3 CLASSPNP.SYS[f7647fd7] -> nt!IofCallDriver -> \Device\00000083[0x8a34b1b0]
07:59:32.370 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> [0x8a340940]
07:59:32.370 [0x8a3585b8] -> IRP_MJ_CREATE -> 0x8a2efecc
07:59:32.370 Scan finished successfully
08:00:11.106 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Malia Becker\Desktop\MBR.dat"
08:00:11.106 The log file has been saved successfully to "C:\Documents and Settings\Malia Becker\Desktop\aswMBR.txt"

ken545
2011-05-09, 18:21
Let's run the fix, post the new log from aswMBR, and then run DDS again and post a new log

Re-Run aswMBR

Click Scan

On completion of the scan

Click Fix
http://public.avast.com/~gmerek/aswMBR3.png


Save the log as before and post in your next reply

BBecker
2011-05-10, 00:40
I reran aswMBR, clicked scan, and then clicked FixMBR (rather than Fix). FixMBR was enabled and Fix was greyed-out, so I didn't realize I had clicked the wrong thing until after it was done. Sure hope I didn't go and mess things up by failing to follow directions!

In any case, here are the contents of the aswMBR text file after executing FixMBR:

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-09 18:03:50
-----------------------------
18:03:50.662 OS Version: Windows 5.1.2600 Service Pack 3
18:03:50.662 Number of processors: 1 586 0xD06
18:03:50.662 ComputerName: SRS1 UserName:
18:03:52.524 Initialize success
18:05:14.743 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
18:05:14.743 Disk 0 Vendor: WDC_WD1600BEVE-00UYT0 01.04A01 Size: 152627MB BusType: 3
18:05:14.743 Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD1600BEVE-00UYT0___________________01.04A01#5&2cae0b77&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
18:05:14.743 Device \Driver\atapi -> DriverStartIo 8a2efaf1
18:05:16.766 Disk 0 MBR read successfully
18:05:16.766 Disk 0 MBR scan
18:05:16.766 Disk 0 unknown MBR code
18:05:18.768 Disk 0 scanning sectors +312560640
18:05:18.859 Disk 0 scanning C:\WINDOWS\system32\drivers
18:05:26.489 File C:\WINDOWS\system32\drivers\ohci1394.sys TDL3 **ROOTKIT**
18:05:26.489 Disk 0 trace - called modules:
18:05:26.510 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a2efecc]<<
18:05:26.510 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a393ab8]
18:05:26.510 3 CLASSPNP.SYS[f7647fd7] -> nt!IofCallDriver -> \Device\00000083[0x8a34b1b0]
18:05:26.840 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> [0x8a340940]
18:05:26.840 [0x8a3585b8] -> IRP_MJ_CREATE -> 0x8a2efecc
18:05:26.840 Scan finished successfully
18:12:24.330 Disk 0 Windows 501 MBR fixed successfully
18:13:19.920 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Malia Becker\Desktop\MBR.dat"
18:13:19.920 The log file has been saved successfully to "C:\Documents and Settings\Malia Becker\Desktop\aswMBR-after-fix.txt"


And here is the new DDS log:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Malia Becker at 18:14:57.75 on Mon 05/09/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.732 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Malia Becker\Desktop\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.worldmag.com/index.cfm
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uWinlogon: Shell=c:\documents and settings\malia becker\application data\hotfix.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [S3TRAY2] S3Tray2.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [UC_Start] c:\program files\ibm\updater\\ucstartup.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [<NO NAME>]
mRun: [ibmmessages] c:\program files\ibm\messages by ibm\\ibmmessages.exe
mRun: [QCTRAY] c:\program files\thinkpad\connectutilities\QCTRAY.EXE
mRun: [QCWLICON] c:\progra~1\thinkpad\connec~1\QCWLIcon.exe
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SBAMTray] "c:\program files\sunbelt software\vipre\SBAMTray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\maliab~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\malia becker\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: {0612502E-29F8-11D6-BC3C-00C0F0167E34} - hxxp://www.crsdata.net/CRSDataObject/CRSNInfo.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.crsdata.net/investor/maps/downloads/mgaxctrlv65.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {C7C7152F-6E85-44F3-A14B-A7F85FDDEA3B} - hxxp://www.tellmemore-online.com/bin/tol7inst.cab
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.1/jinstall-141-win.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://keymark.webex.com/client/v_mywebex-t20/support/ieatgpc.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: QConGina - QConGina.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\maliab~1\applic~1\mozilla\firefox\profiles\we1cutxq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.worldmag.com/index.cfm
FF - plugin: c:\documents and settings\malia becker\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\malia becker\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol308.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\malia becker\application data\Move Networks
.
============= SERVICES / DRIVERS ===============
.
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2010-9-5 21464]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-5-13 98392]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2010-9-5 212568]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2005-6-25 16384]
R2 SBAMSvc;VIPRE Antivirus;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2010-8-20 2763080]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-9-5 69976]
R2 SBPIMSvc;SB Recovery Service;c:\program files\sunbelt software\vipre\SBPIMSvc.exe [2010-8-20 181584]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
S3 ICDUSB2;Sony IC Recorder (ST);c:\windows\system32\drivers\IcdUsb2.sys [2005-8-11 39048]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-6-25 12288]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== Created Last 30 ================
.
2011-05-03 03:17:07 -------- d-----w- C:\scan
2011-04-15 11:21:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\SSScanAppDataDir
2011-04-15 01:37:52 -------- d-----w- c:\docume~1\maliab~1\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-20 18:17:55 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-02-17 13:51:57 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 13:51:57 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51:57 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 12:37:38 369664 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600BEVE-00UYT0 rev.01.04A01 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A2EFECC]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x889ca879; SUB DWORD [EBP-0x4], 0x889ca135; PUSH EDI; CALL 0xffffffffffffdf2c; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8A393AB8]
3 CLASSPNP[0xF7647FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000083[0x8A34B1B0]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E37D5] -> [0x8A340940]
[0x8A3585B8] -> IRP_MJ_CREATE -> 0x8A2EFECC
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD1600BEVE-00UYT0___________________01.04A01#5&2cae0b77&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A2EFAF1
user & kernel MBR OK
sectors 312581806 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 18:18:28.59 ===============

ken545
2011-05-10, 01:02
Still there. You need to run aswMBR again and make sure you click on FIX and not FIXMBR.

Let's update it first: drag aswMBR to the trash and redownload it.
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) (511KB) to your desktop.

BBecker
2011-05-10, 01:20
Deleted, redownloaded, and reran scan, but "Fix" button is still disabled.

BBecker
2011-05-10, 01:21
Do I need to disable Vipre (antivirus) first?

ken545
2011-05-10, 01:30
Yes, you should. Let's try running this in Safemode.


To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot up, tap the F8 KEY somewhat rapidly;
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
Then press the Enter Key on your Keyboard

Tutorial if you need it: How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)

BBecker
2011-05-10, 02:50
I don't know why, but the 'Fix' button is still disabled, even running in safe mode.

ken545
2011-05-10, 10:14
Good Morning,

Let's see if this will run.

Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan

Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now

Copy and paste the log in your next reply

A copy of the log will be saved automatically to the root of the drive (typically C:\)

BBecker
2011-05-10, 13:21
Here is the log for TDSSKiller...

2011/05/10 07:12:53.0463 3804 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
2011/05/10 07:12:53.0483 3804 ================================================================================
2011/05/10 07:12:53.0483 3804 SystemInfo:
2011/05/10 07:12:53.0483 3804
2011/05/10 07:12:53.0483 3804 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/10 07:12:53.0483 3804 Product type: Workstation
2011/05/10 07:12:53.0483 3804 ComputerName: SRS1
2011/05/10 07:12:53.0483 3804 UserName: Malia Becker
2011/05/10 07:12:53.0483 3804 Windows directory: C:\WINDOWS
2011/05/10 07:12:53.0483 3804 System windows directory: C:\WINDOWS
2011/05/10 07:12:53.0483 3804 Processor architecture: Intel x86
2011/05/10 07:12:53.0483 3804 Number of processors: 1
2011/05/10 07:12:53.0483 3804 Page size: 0x1000
2011/05/10 07:12:53.0483 3804 Boot type: Normal boot
2011/05/10 07:12:53.0483 3804 ================================================================================
2011/05/10 07:12:53.0723 3804 Initialize success
2011/05/10 07:13:01.0885 2400 ================================================================================
2011/05/10 07:13:01.0885 2400 Scan started
2011/05/10 07:13:01.0885 2400 Mode: Manual;
2011/05/10 07:13:01.0885 2400 ================================================================================
2011/05/10 07:13:02.0406 2400 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS
2011/05/10 07:13:02.0466 2400 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
2011/05/10 07:13:02.0526 2400 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/10 07:13:02.0566 2400 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/05/10 07:13:02.0606 2400 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\System32\DRIVERS\adpu160m.sys
2011/05/10 07:13:02.0656 2400 aeaudio (75bee80a25fc7f690dcd57570dc159c1) C:\WINDOWS\system32\drivers\aeaudio.sys
2011/05/10 07:13:02.0696 2400 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/05/10 07:13:02.0736 2400 AegisP (f498fd605c08404b20a48954c722ff74) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2011/05/10 07:13:02.0796 2400 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/05/10 07:13:02.0846 2400 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/05/10 07:13:02.0886 2400 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\System32\DRIVERS\agpCPQ.sys
2011/05/10 07:13:02.0936 2400 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\System32\DRIVERS\aha154x.sys
2011/05/10 07:13:02.0976 2400 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\System32\DRIVERS\aic78u2.sys
2011/05/10 07:13:03.0016 2400 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\System32\DRIVERS\aic78xx.sys
2011/05/10 07:13:03.0067 2400 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\System32\DRIVERS\aliide.sys
2011/05/10 07:13:03.0107 2400 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\System32\DRIVERS\alim1541.sys
2011/05/10 07:13:03.0137 2400 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\System32\DRIVERS\amdagp.sys
2011/05/10 07:13:03.0177 2400 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\System32\DRIVERS\amsint.sys
2011/05/10 07:13:03.0217 2400 ANC (11ab185a7af224800bbfb5b836974a17) C:\WINDOWS\system32\drivers\ANC.SYS
2011/05/10 07:13:03.0317 2400 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/05/10 07:13:03.0367 2400 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\System32\DRIVERS\asc.sys
2011/05/10 07:13:03.0437 2400 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\System32\DRIVERS\asc3350p.sys
2011/05/10 07:13:03.0497 2400 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\System32\DRIVERS\asc3550.sys
2011/05/10 07:13:03.0567 2400 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/10 07:13:03.0637 2400 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/10 07:13:03.0727 2400 ati2mtag (f0d0b0cdec0be32d775f404cac2604bf) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/05/10 07:13:03.0778 2400 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/10 07:13:03.0828 2400 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/10 07:13:03.0898 2400 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/10 07:13:03.0948 2400 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\System32\DRIVERS\cbidf2k.sys
2011/05/10 07:13:03.0978 2400 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/10 07:13:04.0028 2400 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\System32\DRIVERS\cd20xrnt.sys
2011/05/10 07:13:04.0078 2400 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/10 07:13:04.0138 2400 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/10 07:13:04.0178 2400 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/10 07:13:04.0268 2400 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/05/10 07:13:04.0298 2400 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\System32\DRIVERS\cmdide.sys
2011/05/10 07:13:04.0338 2400 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/05/10 07:13:04.0398 2400 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\System32\DRIVERS\cpqarray.sys
2011/05/10 07:13:04.0439 2400 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\System32\DRIVERS\dac2w2k.sys
2011/05/10 07:13:04.0489 2400 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\System32\DRIVERS\dac960nt.sys
2011/05/10 07:13:04.0519 2400 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/10 07:13:04.0599 2400 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/10 07:13:04.0679 2400 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/05/10 07:13:04.0729 2400 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/10 07:13:04.0779 2400 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/10 07:13:04.0829 2400 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\System32\DRIVERS\dpti2o.sys
2011/05/10 07:13:04.0879 2400 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/10 07:13:04.0939 2400 drvmcdb (f41619ae216b51d68dda163805eefaa9) C:\WINDOWS\system32\drivers\drvmcdb.sys
2011/05/10 07:13:04.0969 2400 drvnddm (b295700e684ed1984db1d6be40354421) C:\WINDOWS\system32\drivers\drvnddm.sys
2011/05/10 07:13:05.0029 2400 E1000 (8179a01475f75417011e27e322c7e0e3) C:\WINDOWS\system32\DRIVERS\e1000325.sys
2011/05/10 07:13:05.0109 2400 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/05/10 07:13:05.0180 2400 EGATHDRV (7f220875288944c9c7856e2bc8613b1f) C:\WINDOWS\SYSTEM32\EGATHDRV.SYS
2011/05/10 07:13:05.0250 2400 elagopro (7ec42ec12a4bac14bcca99fb06f2d125) C:\WINDOWS\system32\DRIVERS\elagopro.sys
2011/05/10 07:13:05.0280 2400 elaunidr (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\elaunidr.sys
2011/05/10 07:13:05.0340 2400 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/10 07:13:05.0400 2400 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/05/10 07:13:05.0440 2400 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/10 07:13:05.0480 2400 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/05/10 07:13:05.0540 2400 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/05/10 07:13:05.0590 2400 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/10 07:13:05.0610 2400 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/10 07:13:05.0660 2400 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/05/10 07:13:05.0730 2400 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/10 07:13:05.0770 2400 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/05/10 07:13:05.0820 2400 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\System32\DRIVERS\hpn.sys
2011/05/10 07:13:05.0871 2400 HSFHWICH (62003dbef083dc07e5399f44fb4e22bc) C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
2011/05/10 07:13:05.0941 2400 HSF_DP (f41cd40b94d91edf9443a527053ec549) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2011/05/10 07:13:06.0041 2400 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/10 07:13:06.0081 2400 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/05/10 07:13:06.0131 2400 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\System32\DRIVERS\i2omp.sys
2011/05/10 07:13:06.0181 2400 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/05/10 07:13:06.0241 2400 IBMPMDRV (b9ad9ebe354af205277fdbfce5c5daec) C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys
2011/05/10 07:13:06.0291 2400 IBMTPCHK (73893e9a62d869a0409df9c12a0ebefe) C:\WINDOWS\system32\drivers\IBMBLDID.SYS
2011/05/10 07:13:06.0351 2400 ICDUSB2 (60b044a221cf76cc6077b0c3e9136cff) C:\WINDOWS\system32\Drivers\ICDUSB2.sys
2011/05/10 07:13:06.0381 2400 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/10 07:13:06.0441 2400 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\System32\DRIVERS\ini910u.sys
2011/05/10 07:13:06.0491 2400 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\System32\DRIVERS\intelide.sys
2011/05/10 07:13:06.0542 2400 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/05/10 07:13:06.0582 2400 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/05/10 07:13:06.0642 2400 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/05/10 07:13:06.0692 2400 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/10 07:13:06.0742 2400 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/10 07:13:06.0782 2400 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/10 07:13:06.0832 2400 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
2011/05/10 07:13:06.0862 2400 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/10 07:13:06.0912 2400 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/10 07:13:06.0952 2400 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/10 07:13:06.0982 2400 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/05/10 07:13:07.0022 2400 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/10 07:13:07.0062 2400 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/10 07:13:07.0192 2400 ltmodem5 (9ee18a5a45552673a67532ea37370377) C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys
2011/05/10 07:13:07.0253 2400 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/05/10 07:13:07.0283 2400 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/05/10 07:13:07.0313 2400 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/10 07:13:07.0353 2400 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/05/10 07:13:07.0423 2400 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/05/10 07:13:07.0463 2400 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/05/10 07:13:07.0503 2400 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\System32\DRIVERS\mraid35x.sys
2011/05/10 07:13:07.0543 2400 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/05/10 07:13:07.0613 2400 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/05/10 07:13:07.0653 2400 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/05/10 07:13:07.0713 2400 MSIRCOMM (95c6432151ccff8617352f8e616a1aa4) C:\WINDOWS\system32\DRIVERS\MSIRCOMM.sys
2011/05/10 07:13:07.0763 2400 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/05/10 07:13:07.0803 2400 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/05/10 07:13:07.0853 2400 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/05/10 07:13:07.0924 2400 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/05/10 07:13:07.0954 2400 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/05/10 07:13:08.0014 2400 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/05/10 07:13:08.0054 2400 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/05/10 07:13:08.0114 2400 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/05/10 07:13:08.0144 2400 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/05/10 07:13:08.0194 2400 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/05/10 07:13:08.0214 2400 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/05/10 07:13:08.0284 2400 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/05/10 07:13:08.0344 2400 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/05/10 07:13:08.0384 2400 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/05/10 07:13:08.0444 2400 NSCIRDA (2adc0ca9945c65284b3d19bc18765974) C:\WINDOWS\system32\DRIVERS\nscirda.sys
2011/05/10 07:13:08.0494 2400 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/10 07:13:08.0594 2400 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/05/10 07:13:08.0695 2400 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/05/10 07:13:08.0735 2400 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/10 07:13:08.0795 2400 ohci1394 (5670048f2ef694eb0bebb6d4427f8a19) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/05/10 07:13:08.0795 2400 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ohci1394.sys. Real md5: 5670048f2ef694eb0bebb6d4427f8a19, Fake md5: ca33832df41afb202ee7aeb05145922f
2011/05/10 07:13:08.0805 2400 ohci1394 - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/05/10 07:13:08.0855 2400 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
2011/05/10 07:13:08.0885 2400 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/05/10 07:13:08.0915 2400 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/05/10 07:13:08.0955 2400 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/05/10 07:13:08.0985 2400 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/05/10 07:13:09.0055 2400 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/05/10 07:13:09.0085 2400 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/05/10 07:13:09.0225 2400 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\System32\DRIVERS\perc2.sys
2011/05/10 07:13:09.0265 2400 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\System32\DRIVERS\perc2hib.sys
2011/05/10 07:13:09.0336 2400 PMEM (fa292805788528c083f416e151b60ab6) C:\WINDOWS\SYSTEM32\Drivers\PMEMNT.SYS
2011/05/10 07:13:09.0376 2400 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/05/10 07:13:09.0406 2400 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/05/10 07:13:09.0436 2400 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/05/10 07:13:09.0466 2400 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/05/10 07:13:09.0546 2400 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/05/10 07:13:09.0586 2400 QCNDISIF (8127cd3d08a48793d2c155fb4d9af8ef) C:\WINDOWS\system32\drivers\qcndisif.SYS
2011/05/10 07:13:09.0646 2400 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\System32\DRIVERS\ql1080.sys
2011/05/10 07:13:09.0686 2400 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\System32\DRIVERS\ql10wnt.sys
2011/05/10 07:13:09.0726 2400 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\System32\DRIVERS\ql12160.sys
2011/05/10 07:13:09.0766 2400 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\System32\DRIVERS\ql1240.sys
2011/05/10 07:13:09.0806 2400 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\System32\DRIVERS\ql1280.sys
2011/05/10 07:13:09.0856 2400 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/05/10 07:13:09.0906 2400 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
2011/05/10 07:13:09.0946 2400 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/10 07:13:09.0986 2400 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/10 07:13:10.0007 2400 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/10 07:13:10.0057 2400 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/10 07:13:10.0107 2400 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/10 07:13:10.0157 2400 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/05/10 07:13:10.0207 2400 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/10 07:13:10.0257 2400 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/10 07:13:10.0337 2400 s24trans (85a26a3bb748dfd3170cdbf45b0dd7fd) C:\WINDOWS\system32\DRIVERS\s24trans.sys
2011/05/10 07:13:10.0377 2400 S3SSavage (a94aa8161dd4711bc6f732f21d6407d6) C:\WINDOWS\system32\DRIVERS\s3ssavm.sys
2011/05/10 07:13:10.0447 2400 sbaphd (8fe075898df6b206d0a5cf0feb581b5e) C:\WINDOWS\system32\drivers\sbaphd.sys
2011/05/10 07:13:10.0507 2400 sbapifs (29658f5353d5b73ca514a784e6aac54e) C:\WINDOWS\system32\drivers\sbapifs.sys
2011/05/10 07:13:10.0597 2400 SBRE (c1ae5d1f53285d79a0b73a62af20734f) C:\WINDOWS\system32\drivers\SBREdrv.sys
2011/05/10 07:13:10.0647 2400 SbTis (eb6ae9f7fc9e42d993eb30b2f382bf46) C:\WINDOWS\system32\drivers\sbtis.sys
2011/05/10 07:13:10.0718 2400 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/10 07:13:10.0798 2400 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/05/10 07:13:10.0858 2400 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/05/10 07:13:10.0918 2400 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2011/05/10 07:13:10.0978 2400 ShockMgr (482ddb9f0f6d88f0503910e1b9728042) C:\WINDOWS\system32\drivers\ShockMgr.sys
2011/05/10 07:13:11.0008 2400 Shockprf (3d593b089133f134f52d6de29b0d058b) C:\WINDOWS\system32\drivers\Shockprf.sys
2011/05/10 07:13:11.0068 2400 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\System32\DRIVERS\sisagp.sys
2011/05/10 07:13:11.0098 2400 Smapint (26341d0dd225d19fd50e0ee3c3c77502) C:\WINDOWS\system32\drivers\Smapint.sys
2011/05/10 07:13:11.0168 2400 smwdm (710a9684bf50e6fe7c227b9de41159da) C:\WINDOWS\system32\drivers\smwdm.sys
2011/05/10 07:13:11.0218 2400 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\System32\DRIVERS\sparrow.sys
2011/05/10 07:13:11.0268 2400 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/10 07:13:11.0318 2400 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/10 07:13:11.0368 2400 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/05/10 07:13:11.0409 2400 sscdbhk5 (d7968049be0adbb6a57cee3960320911) C:\WINDOWS\system32\drivers\sscdbhk5.sys
2011/05/10 07:13:11.0459 2400 ssrtln (c3ffd65abfb6441e7606cf74f1155273) C:\WINDOWS\system32\drivers\ssrtln.sys
2011/05/10 07:13:11.0499 2400 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/05/10 07:13:11.0549 2400 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/05/10 07:13:11.0599 2400 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\System32\DRIVERS\symc810.sys
2011/05/10 07:13:11.0639 2400 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\System32\DRIVERS\symc8xx.sys
2011/05/10 07:13:11.0689 2400 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\System32\DRIVERS\sym_hi.sys
2011/05/10 07:13:11.0729 2400 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\System32\DRIVERS\sym_u3.sys
2011/05/10 07:13:11.0779 2400 SynTP (9f21fcb5a5bbc7d730018f6b61f638cb) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/05/10 07:13:11.0819 2400 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/05/10 07:13:11.0909 2400 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/10 07:13:11.0979 2400 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/05/10 07:13:11.0999 2400 TDSMAPI (139b4d397d51cf60d6585597b1cf2f51) C:\WINDOWS\system32\drivers\TDSMAPI.SYS
2011/05/10 07:13:12.0049 2400 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/05/10 07:13:12.0100 2400 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/05/10 07:13:12.0170 2400 tfsnboio (1797f3375b4bf20e81d69ac8b11445b5) C:\WINDOWS\system32\dla\tfsnboio.sys
2011/05/10 07:13:12.0190 2400 tfsncofs (019ba601cb71a71143aed94f2db26250) C:\WINDOWS\system32\dla\tfsncofs.sys
2011/05/10 07:13:12.0220 2400 tfsndrct (87269d7fa6df7ef84b83bf5b0d2e031c) C:\WINDOWS\system32\dla\tfsndrct.sys
2011/05/10 07:13:12.0250 2400 tfsndres (c435768c370f35a5abf22bd6ca272014) C:\WINDOWS\system32\dla\tfsndres.sys
2011/05/10 07:13:12.0290 2400 tfsnifs (2a144ec7557efb9758d1c121688ebaf5) C:\WINDOWS\system32\dla\tfsnifs.sys
2011/05/10 07:13:12.0310 2400 tfsnopio (1aa2c61a846efbc200703e8dc250297f) C:\WINDOWS\system32\dla\tfsnopio.sys
2011/05/10 07:13:12.0340 2400 tfsnpool (b3b0b6616cae23ab1a4a5898ca6d5552) C:\WINDOWS\system32\dla\tfsnpool.sys
2011/05/10 07:13:12.0360 2400 tfsnudf (1614a1e396f296138d3fb1728f385e0b) C:\WINDOWS\system32\dla\tfsnudf.sys
2011/05/10 07:13:12.0390 2400 tfsnudfa (e5d5b8dde8c221fedc88680631294155) C:\WINDOWS\system32\dla\tfsnudfa.sys
2011/05/10 07:13:12.0470 2400 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\System32\DRIVERS\toside.sys
2011/05/10 07:13:12.0490 2400 TPHKDRV (63421f480e7cd375329ace8588fed1ac) C:\WINDOWS\system32\drivers\TPHKDRV.sys
2011/05/10 07:13:12.0520 2400 TPPWR (dc5c49a5f38d377f7c9a99a5b0c4d1a0) C:\WINDOWS\system32\drivers\Tppwr.sys
2011/05/10 07:13:12.0560 2400 TSMAPIP (f2aba3066d7921d7fcdbd66dea88be11) C:\WINDOWS\system32\drivers\TSMAPIP.SYS
2011/05/10 07:13:12.0660 2400 TwoTrack (17687545f77a648af7f9f1064eb61191) C:\WINDOWS\system32\DRIVERS\TwoTrack.sys
2011/05/10 07:13:12.0770 2400 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/05/10 07:13:12.0811 2400 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\System32\DRIVERS\ultra.sys
2011/05/10 07:13:12.0891 2400 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/05/10 07:13:12.0971 2400 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/05/10 07:13:13.0031 2400 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/05/10 07:13:13.0081 2400 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/05/10 07:13:13.0101 2400 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/05/10 07:13:13.0151 2400 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/10 07:13:13.0181 2400 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/05/10 07:13:13.0221 2400 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/05/10 07:13:13.0271 2400 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/05/10 07:13:13.0311 2400 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/05/10 07:13:13.0341 2400 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/05/10 07:13:13.0401 2400 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\System32\DRIVERS\viaagp.sys
2011/05/10 07:13:13.0482 2400 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\System32\DRIVERS\viaide.sys
2011/05/10 07:13:13.0562 2400 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/10 07:13:13.0752 2400 w29n51 (39ac581f5b57e3074e3e5cdab9e7dff1) C:\WINDOWS\system32\DRIVERS\w29n51.sys
2011/05/10 07:13:13.0932 2400 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/10 07:13:13.0992 2400 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys
2011/05/10 07:13:14.0062 2400 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/10 07:13:14.0152 2400 winachsf (542a5f528a6cfebb4487b09538596d78) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/05/10 07:13:14.0293 2400 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/05/10 07:13:14.0393 2400 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/05/10 07:13:14.0443 2400 WUDFRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\WUDFRd.sys
2011/05/10 07:13:14.0783 2400 ================================================================================
2011/05/10 07:13:14.0783 2400 Scan finished
2011/05/10 07:13:14.0783 2400 ================================================================================
2011/05/10 07:13:14.0793 0588 Detected object count: 1
2011/05/10 07:14:19.0466 0588 ohci1394 (5670048f2ef694eb0bebb6d4427f8a19) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/05/10 07:14:19.0466 0588 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ohci1394.sys. Real md5: 5670048f2ef694eb0bebb6d4427f8a19, Fake md5: ca33832df41afb202ee7aeb05145922f
2011/05/10 07:14:21.0399 0588 Backup copy found, using it..
2011/05/10 07:14:21.0409 0588 C:\WINDOWS\system32\DRIVERS\ohci1394.sys - will be cured after reboot
2011/05/10 07:14:21.0409 0588 Rootkit.Win32.TDSS.tdl3(ohci1394) - User select action: Cure
2011/05/10 07:14:27.0548 1868 Deinitialize success
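The important evidence in the log above is the "Suspicious file (Forged)" line: TDSSKiller reports two different MD5 sums for the same driver file, one seen through a normal file read and one that differs from it, which is how a rootkit-patched driver is exposed even though the file otherwise lists like a clean one. The following triage script is an added example for this thread, not code from TDSSKiller or from the forum: it pulls the forged-file reports, the detection verdict, the pending cure and the chosen action out of a TDSSKiller log and checks that the tool's own "Detected object count" agrees with the entries it actually flagged. The regular expressions are my assumptions about the log layout as it appears on this page; the sample input reuses the ohci1394 lines from the log above plus one constructed clean entry.

```python
"""Triage a TDSSKiller log: collect forged-driver reports and cross-check
the tool's summary against the entries it actually flagged."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the ohci1394 lines from the thread's log plus one clean
# neighbour entry, so the parser has a normal entry to walk past.
SAMPLE_LOG = r"""
2011/05/10 07:13:08.0735 2400 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/10 07:13:08.0795 2400 ohci1394 (5670048f2ef694eb0bebb6d4427f8a19) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/05/10 07:13:08.0795 2400 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ohci1394.sys. Real md5: 5670048f2ef694eb0bebb6d4427f8a19, Fake md5: ca33832df41afb202ee7aeb05145922f
2011/05/10 07:13:08.0805 2400 ohci1394 - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/05/10 07:13:14.0783 2400 Scan finished
2011/05/10 07:13:14.0793 0588 Detected object count: 1
2011/05/10 07:14:21.0409 0588 C:\WINDOWS\system32\DRIVERS\ohci1394.sys - will be cured after reboot
2011/05/10 07:14:21.0409 0588 Rootkit.Win32.TDSS.tdl3(ohci1394) - User select action: Cure
"""

# Assumed line layouts, derived from the log as shown on the page.
PREFIX = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+(\d+)\s+(.*)$")
ENTRY = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")
FORGED = re.compile(r"^Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})$")
DETECT = re.compile(r"^(\S+) - detected (\S+) \((\d+)\)$")
CURED = re.compile(r"^(.+) - will be cured after reboot$")
ACTION = re.compile(r"^(\S+)\((\S+)\) - User select action: (\w+)$")
COUNT = re.compile(r"^Detected object count: (\d+)$")


@dataclass
class Finding:
    driver: str
    path: str
    real_md5: str
    fake_md5: str
    verdict: Optional[str] = None   # filled from the "detected" line
    action: Optional[str] = None    # filled from the "User select action" line
    cure_pending: bool = False      # set when a reboot-time cure was scheduled


def triage(log_text: str) -> Dict[str, object]:
    drivers: Dict[str, str] = {}        # service name -> md5 from the listing
    findings: Dict[str, Finding] = {}
    last_entry: Optional[str] = None
    reported_count: Optional[int] = None
    for raw in log_text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue                     # blank line or not a log record
        msg = m.group(3)
        if (e := ENTRY.match(msg)):
            name, md5, _path = e.groups()
            drivers[name] = md5
            last_entry = name            # a forged report follows its entry
        elif (f := FORGED.match(msg)):
            path, real, fake = f.groups()
            # Service name is not always the file stem (e.g. Gpc -> msgpc.sys),
            # so prefer the entry just listed and fall back to the stem.
            name = last_entry or path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            findings.setdefault(name, Finding(name, path, real, fake))
        elif (d := DETECT.match(msg)):
            name, verdict, _ = d.groups()
            if name in findings:
                findings[name].verdict = verdict
        elif (c := CURED.match(msg)):
            for fd in findings.values():
                if fd.path == c.group(1):
                    fd.cure_pending = True
        elif (a := ACTION.match(msg)):
            _verdict, name, action = a.groups()
            if name in findings:
                findings[name].action = action
        elif (k := COUNT.match(msg)):
            reported_count = int(k.group(1))
    detected: List[Finding] = [fd for fd in findings.values() if fd.verdict]
    return {
        "drivers_seen": len(drivers),
        "findings": list(findings.values()),
        "detected_count": reported_count,
        # The summary count should equal the number of flagged entries.
        "count_matches": reported_count == len(detected),
        # Every forged report must really show two different hashes.
        "hash_mismatch_confirmed": all(fd.real_md5 != fd.fake_md5 for fd in findings.values()),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['drivers_seen']} drivers listed, {len(result['findings'])} forged")
    for fd in result["findings"]:
        print(f"  {fd.driver}: {fd.verdict} action={fd.action} reboot-cure={fd.cure_pending}")
    print("summary count consistent:", result["count_matches"])
```

The script is meant to be pointed at the log file TDSSKiller leaves at the root of the drive; a forged entry whose verdict or action is still `None` after parsing is worth a second look, because it means the tool reported a hash mismatch but the log shows no decision about it.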

ken545
2011-05-10, 13:52
Good,

Make sure you rebooted for it to take effect

Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete-on-reboot list, please reboot.
Post the report, please.




OTL by OldTimer

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.

BBecker
2011-05-10, 16:00
mbam completed, followed by reboot. Log follows (and OTL to be run next):

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6545

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

5/10/2011 9:27:27 AM
mbam-log-2011-05-10 (09-27-27).txt

Scan type: Quick scan
Objects scanned: 189095
Time elapsed: 23 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.Agent) -> Value: Shell -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\malia becker\local settings\Temp\13E.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\malia becker\local settings\Temp\143.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\malia becker\local settings\Temp\mmelr7hk.exe.part (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\documents and settings\malia becker\local settings\Temp\jar_cache6802613586035544728.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\malia becker\local settings\Temp\d+91gm3y.exe.part (Adware.FunWeb) -> Quarantined and deleted successfully.

BBecker
2011-05-10, 16:10
OTL.txt results...

OTL logfile created on: 5/10/2011 10:04:10 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Malia Becker\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 50.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.03 Gb Total Space | 75.81 Gb Free Space | 50.87% Space Free | Partition Type: NTFS

Computer Name: SRS1 | User Name: Malia Becker | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Malia Becker\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Documents and Settings\Malia Becker\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
PRC - C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe (Sunbelt Software)
PRC - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)
PRC - C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Audible, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe (EMC Dantz)
PRC - C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE (IBM Corp.)
PRC - C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE (IBM Corp.)
PRC - C:\WINDOWS\system32\QCONSVC.EXE (IBM Corp.)
PRC - C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe ()
PRC - C:\Program Files\Intel\Wireless\Bin\1XConfig.exe (Intel)
PRC - C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe ()
PRC - C:\Program Files\IBM\Messages By IBM\ibmmessages.exe (IBM)
PRC - C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
PRC - C:\WINDOWS\system32\TpKmpSvc.exe ()
PRC - C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe (IBM Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Malia Becker\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\SynTPFcs.dll (Synaptics, Inc.)


========== Win32 Services (SafeList) ==========

SRV - (SBAMSvc) -- C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe (Sunbelt Software)
SRV - (SBPIMSvc) -- C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe (Sunbelt Software)
SRV - (IntuitUpdateService) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (AdobeActiveFileMonitor5.0) -- C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe ()
SRV - (Retrospect Helper) -- C:\Program Files\Dantz\Retrospect 7.0\rthlpsvc.exe (EMC Dantz)
SRV - (RetroLauncher) -- C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe (EMC Dantz)
SRV - (QCONSVC) -- C:\WINDOWS\system32\QCONSVC.EXE (IBM Corp.)
SRV - (TpKmpSVC) -- C:\WINDOWS\system32\TpKmpSvc.exe ()
SRV - (ICDSPTSV) -- C:\WINDOWS\system32\IcdSptSv.exe (Sony Corporation)


========== Driver Services (SafeList) ==========

DRV - (SbTis) -- C:\WINDOWS\system32\drivers\sbtis.sys (Sunbelt Software, Inc.)
DRV - (sbapifs) -- C:\WINDOWS\system32\drivers\sbapifs.sys (Sunbelt Software)
DRV - (sbaphd) -- C:\WINDOWS\system32\drivers\sbaphd.sys (Sunbelt Software)
DRV - (SBRE) -- C:\WINDOWS\system32\drivers\SBREDrv.sys (Sunbelt Software)
DRV - (WDC_SAM) -- C:\WINDOWS\system32\drivers\wdcsam.sys (Western Digital Technologies)
DRV - (elagopro) -- C:\WINDOWS\system32\drivers\elagopro.sys (Gteko Ltd.)
DRV - (elaunidr) -- C:\WINDOWS\system32\drivers\elaunidr.sys (Gteko Ltd.)
DRV - (QCNDISIF) -- C:\WINDOWS\system32\drivers\qcndisif.sys (IBM Corporation.)
DRV - (ANC) -- C:\WINDOWS\system32\drivers\ANC.sys (IBM Corp.)
DRV - (IBMTPCHK) -- C:\WINDOWS\system32\drivers\IBMBLDID.SYS ()
DRV - (w29n51) Intel(R) -- C:\WINDOWS\system32\drivers\w29n51.sys (Intel® Corporation)
DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (ltmodem5) -- C:\WINDOWS\system32\drivers\ltmdmnt.sys (LT)
DRV - (TPPWR) -- C:\WINDOWS\system32\drivers\TPPWR.SYS (IBM Corp.)
DRV - (Smapint) -- C:\WINDOWS\system32\drivers\SMAPINT.SYS (Microsoft Corporation)
DRV - (TDSMAPI) -- C:\WINDOWS\system32\drivers\TDSMAPI.SYS ()
DRV - (HSFHWICH) -- C:\WINDOWS\system32\drivers\HSFHWICH.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (TSMAPIP) -- C:\WINDOWS\system32\drivers\TSMAPIP.SYS ()
DRV - (ICDUSB2) Sony IC Recorder (ST) -- C:\WINDOWS\system32\drivers\IcdUsb2.sys (Sony Corporation)
DRV - (S3SSavage) -- C:\WINDOWS\system32\drivers\s3ssavm.sys (S3 Graphics, Inc.)
DRV - (TwoTrack) -- C:\WINDOWS\system32\drivers\TwoTrack.sys (IBM Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.worldmag.com/index.cfm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.worldmag.com/index.cfm"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/14 21:13:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/11/10 18:44:37 | 000,000,000 | ---D | M]

[2009/08/18 20:24:42 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Malia Becker\Application Data\Mozilla\Extensions
[2011/05/10 08:39:54 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Malia Becker\Application Data\Mozilla\Firefox\Profiles\we1cutxq.default\extensions
[2010/07/12 07:23:45 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Malia Becker\Application Data\Mozilla\Firefox\Profiles\we1cutxq.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/10/29 20:12:54 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Malia Becker\Application Data\Mozilla\Firefox\Profiles\we1cutxq.default\extensions\browserhighlighter@ebay.com
[2011/05/10 08:39:54 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/21 22:04:27 | 000,000,000 | ---D | M] (Move Media Player) -- C:\DOCUMENTS AND SETTINGS\MALIA BECKER\APPLICATION DATA\MOVE NETWORKS
[2008/12/08 14:45:47 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2009/09/20 18:48:45 | 000,442,368 | ---- | M] (Invenda Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPcol308.dll
[2009/11/19 17:16:28 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2009/11/19 17:16:29 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

O1 HOSTS File: ([2001/08/18 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [BMMGAG] C:\Program Files\ThinkPad\Utilities\PWRMONIT.DLL (IBM Corp.)
O4 - HKLM..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE ()
O4 - HKLM..\Run: [BMMMONWND] C:\Program Files\ThinkPad\Utilities\BATINFEX.DLL ()
O4 - HKLM..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe ()
O4 - HKLM..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE (IBM Corp.)
O4 - HKLM..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE (IBM Corp.)
O4 - HKLM..\Run: [S3TRAY2] C:\WINDOWS\System32\S3Tray2.exe (S3 Graphics, Inc.)
O4 - HKLM..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe (Sunbelt Software)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TP4EX] C:\WINDOWS\System32\TP4EX.exe (IBM Corporation)
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe ()
O4 - HKLM..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe (IBM Corp.)
O4 - HKLM..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe ()
O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKCU..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe (IBM)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Audible, Inc.)
O4 - Startup: C:\Documents and Settings\Malia Becker\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Malia Becker\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll (Google Inc.)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O16 - DPF: {0612502E-29F8-11D6-BC3C-00C0F0167E34} http://www.crsdata.net/CRSDataObject/CRSNInfo.cab (CRS Inc. Data Object)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} http://www.crsdata.net/investor/maps/downloads/mgaxctrlv65.cab (Autodesk MapGuide ActiveX Control)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symantec.com/activex/symdlmgr.cab (Symantec Download Manager)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} http://offers.e-centives.com/cif/download/bin/actxcab.cab (CBSTIEPrint Class)
O16 - DPF: {C7C7152F-6E85-44F3-A14B-A7F85FDDEA3B} http://www.tellmemore-online.com/bin/tol7inst.cab (InstallerCtrl Class)
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4.1/jinstall-141-win.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://keymark.webex.com/client/v_mywebex-t20/support/ieatgpc.cab (GpcContainer Class)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll ()
O20 - Winlogon\Notify\QConGina: DllName - QConGina.dll - C:\WINDOWS\System32\QConGina.dll (IBM Corp.)
O20 - Winlogon\Notify\tphotkey: DllName - tphklock.dll - C:\WINDOWS\System32\tphklock.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\Malia Becker\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Malia Becker\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/07/02 00:17:55 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{99e3d934-469c-11dc-9a50-0012f09225af}\Shell\AutoRun\command - "" = E:\wd_windows_tools\setup.exe
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/10 09:58:52 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Malia Becker\Desktop\OTL.exe
[2011/05/10 09:01:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Malia Becker\Application Data\Malwarebytes
[2011/05/10 09:01:46 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/05/10 09:01:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/05/10 09:01:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/05/10 09:01:43 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/05/10 09:01:43 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/05/10 09:01:11 | 007,734,240 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Malia Becker\Desktop\mbam-setup.exe
[2011/05/10 07:12:30 | 001,407,280 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Malia Becker\Desktop\TDSSKiller.exe
[2011/05/09 07:58:17 | 000,589,632 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Malia Becker\Desktop\aswMBR.exe
[2011/05/02 23:17:07 | 000,000,000 | ---D | C] -- C:\scan
[2011/05/02 23:12:01 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/05/02 23:12:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2011/04/15 07:21:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
[2011/04/14 21:37:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Malia Becker\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[4 C:\Documents and Settings\Malia Becker\My Documents\*.tmp files -> C:\Documents and Settings\Malia Becker\My Documents\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/10 09:58:56 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Malia Becker\Desktop\OTL.exe
[2011/05/10 09:50:13 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/05/10 09:31:51 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/10 09:31:46 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/05/10 09:30:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/10 09:29:54 | 1341,116,416 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/10 09:01:46 | 000,000,787 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/05/10 08:54:16 | 007,734,240 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Malia Becker\Desktop\mbam-setup.exe
[2011/05/10 07:20:23 | 000,445,082 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/05/10 07:20:23 | 000,072,792 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/05/09 20:54:42 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2011/05/09 20:00:00 | 000,000,636 | ---- | M] () -- C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Malia Becker.job
[2011/05/09 19:18:23 | 000,589,632 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Malia Becker\Desktop\aswMBR.exe
[2011/05/09 18:13:19 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Malia Becker\Desktop\MBR.dat
[2011/05/09 08:35:41 | 000,001,030 | ---- | M] () -- C:\Documents and Settings\Malia Becker\Start Menu\Programs\Startup\Dropbox.lnk
[2011/05/09 08:35:41 | 000,001,030 | ---- | M] () -- C:\Documents and Settings\Malia Becker\Desktop\Dropbox.lnk
[2011/05/09 08:20:09 | 000,000,911 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\cfg
[2011/05/02 23:12:02 | 000,000,595 | ---- | M] () -- C:\Documents and Settings\Malia Becker\Desktop\ERUNT.lnk
[2011/05/02 16:02:26 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Malia Becker\Desktop\dds.com
[2011/05/01 14:21:34 | 001,407,280 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Malia Becker\Desktop\TDSSKiller.exe
[2011/04/30 15:30:20 | 000,020,921 | ---- | M] () -- C:\Documents and Settings\Malia Becker\Desktop\Lowes Proof of Purchase Claim Form FINAL.pdf
[2011/04/28 22:39:24 | 000,857,179 | ---- | M] () -- C:\Documents and Settings\Malia Becker\Desktop\Jack's sample #3.jpg
[2011/04/28 12:52:41 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Malia Becker\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003.lnk
[2011/04/16 07:20:28 | 000,000,795 | ---- | M] () -- C:\Documents and Settings\Malia Becker\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2011/04/16 07:15:27 | 000,175,464 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/16 00:03:04 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/04/15 07:24:50 | 000,945,817 | ---- | M] () -- C:\Documents and Settings\Malia Becker\Desktop\Writing sample.jpg
[2011/04/15 07:23:58 | 000,071,352 | ---- | M] () -- C:\Documents and Settings\Malia Becker\Desktop\Writing sample.tif
[4 C:\Documents and Settings\Malia Becker\My Documents\*.tmp files -> C:\Documents and Settings\Malia Becker\My Documents\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/10 09:01:46 | 000,000,787 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/05/10 07:07:17 | 1341,116,416 | -HS- | C] () -- C:\hiberfil.sys
[2011/05/09 20:54:42 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2011/05/09 08:20:09 | 000,000,911 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\cfg
[2011/05/09 08:00:11 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Malia Becker\Desktop\MBR.dat
[2011/05/02 23:18:40 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Malia Becker\Desktop\dds.com
[2011/05/02 23:12:02 | 000,000,595 | ---- | C] () -- C:\Documents and Settings\Malia Becker\Desktop\ERUNT.lnk
[2011/04/30 15:30:18 | 000,020,921 | ---- | C] () -- C:\Documents and Settings\Malia Becker\Desktop\Lowes Proof of Purchase Claim Form FINAL.pdf
[2011/04/28 22:39:24 | 000,857,179 | ---- | C] () -- C:\Documents and Settings\Malia Becker\Desktop\Jack's sample #3.jpg
[2011/04/15 07:24:50 | 000,945,817 | ---- | C] () -- C:\Documents and Settings\Malia Becker\Desktop\Writing sample.jpg
[2011/04/15 07:23:58 | 000,071,352 | ---- | C] () -- C:\Documents and Settings\Malia Becker\Desktop\Writing sample.tif
[2011/01/03 14:01:23 | 000,032,360 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/12/05 01:16:51 | 000,106,200 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/10/04 20:25:45 | 000,000,104 | ---- | C] () -- C:\WINDOWS\Library.ini
[2009/08/28 20:30:33 | 000,000,281 | ---- | C] () -- C:\WINDOWS\Kofax200.ini
[2009/08/20 13:35:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iplayer.INI
[2009/08/18 20:24:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2008/07/16 21:10:07 | 000,000,048 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2006/11/03 19:19:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2006/08/31 11:34:24 | 000,051,392 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2006/01/04 21:24:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\DVEdit.INI
[2005/08/15 17:13:07 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS69.DLL
[2005/08/11 19:07:37 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\IcdSptSvps.dll
[2005/08/11 19:07:36 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\dsp_trc.dll
[2005/07/13 11:55:14 | 000,000,135 | ---- | C] () -- C:\Documents and Settings\Malia Becker\Local Settings\Application Data\fusioncache.dat
[2005/07/13 11:27:55 | 000,000,367 | ---- | C] () -- C:\WINDOWS\System32\CNCMFP12.INI
[2005/07/04 08:00:20 | 000,043,008 | ---- | C] () -- C:\Documents and Settings\Malia Becker\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/07/02 00:35:03 | 000,053,248 | R--- | C] () -- C:\WINDOWS\UpdtNv28.exe
[2005/06/26 01:17:33 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/06/25 12:12:21 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/06/25 12:11:07 | 000,184,320 | ---- | C] () -- C:\WINDOWS\TPBATHLP.EXE
[2005/06/25 12:09:36 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\JAWTAccessBridge.dll
[2005/06/25 12:09:02 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\PcdrKernelModeServices.dll
[2005/06/25 12:09:02 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\ProgressTrace.dll
[2005/06/25 12:08:21 | 000,002,432 | ---- | C] () -- C:\WINDOWS\System32\drivers\IBMBLDID.SYS
[2005/06/25 11:52:01 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2005/06/25 11:52:01 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2005/06/25 11:52:01 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2005/06/25 11:52:01 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2005/06/25 11:52:01 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2005/06/25 11:52:01 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2005/06/25 11:50:28 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/06/25 11:49:59 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\pxhpinst.exe
[2005/06/25 11:41:34 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\FPCALL.dll
[2005/06/25 11:40:44 | 000,009,341 | ---- | C] () -- C:\WINDOWS\System32\drivers\TDSMAPI.SYS
[2005/06/25 11:37:08 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\TpKmpSvc.exe
[2005/06/25 11:36:54 | 000,114,688 | ---- | C] () -- C:\WINDOWS\_tpiu000.exe
[2005/06/25 10:12:50 | 000,002,481 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/11/08 20:12:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/02 17:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/03/19 15:12:10 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\pwdmon.dll
[2004/01/09 09:10:32 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\AIBMRUNL.dll
[2003/02/20 12:32:29 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/02/20 12:18:57 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2003/02/20 12:09:47 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2003/02/20 12:03:32 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2003/02/20 12:02:39 | 000,175,464 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/01/07 18:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/03/14 12:00:26 | 000,038,567 | ---- | C] () -- C:\WINDOWS\System32\pcpbios.exe
[2002/01/09 21:38:20 | 000,106,496 | ---- | C] () -- C:\WINDOWS\desktopset.exe
[2001/08/23 10:26:08 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.BIN
[2001/08/23 10:24:30 | 000,004,524 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.DAT
[1998/08/16 05:00:00 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\sysres.dll
[1980/01/01 03:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[1980/01/01 03:00:00 | 000,445,082 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[1980/01/01 03:00:00 | 000,389,120 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.exe
[1980/01/01 03:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[1980/01/01 03:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[1980/01/01 03:00:00 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\e1000msg.dll
[1980/01/01 03:00:00 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll
[1980/01/01 03:00:00 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll
[1980/01/01 03:00:00 | 000,072,792 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[1980/01/01 03:00:00 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ibmpmsvc.exe
[1980/01/01 03:00:00 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\tpinspm.dll
[1980/01/01 03:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[1980/01/01 03:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[1980/01/01 03:00:00 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\tphklock.dll
[1980/01/01 03:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[1980/01/01 03:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2006/11/03 19:20:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund
[2006/12/27 22:48:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData
[2005/06/25 11:50:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IBM
[2010/07/27 14:37:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Individual Software
[2009/08/28 20:24:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kofax
[2006/07/25 23:01:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
[2009/07/31 08:22:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCSettings
[2011/05/01 14:45:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Retrospect
[2011/01/12 13:41:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Rosetta Stone
[2009/05/02 17:00:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RTS 8.0
[2011/04/15 07:22:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
[2009/08/08 15:54:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/07/05 15:30:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/12/11 12:04:27 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Malia Becker\Application Data\.#
[2011/04/28 22:35:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Malia Becker\Application Data\Canon
[2011/04/14 21:37:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Malia Becker\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2011/05/10 09:57:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Malia Becker\Application Data\Dropbox
[2005/07/02 00:54:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Malia Becker\Application Data\IBM
[2005/07/02 14:22:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Malia Becker\Application Data\InterVideo
[2009/08/28 20:25:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Malia Becker\Application Data\Kofax
[2005/07/31 20:44:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Malia Becker\Application Data\Leadertech
[2007/03/04 10:05:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Malia Becker\Application Data\Opera
[2005/11/05 19:17:30 | 000,000,362 | ---- | M] () -- C:\WINDOWS\Tasks\BMMTask.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >

BBecker
2011-05-10, 16:13
Extras.txt ...

OTL Extras logfile created on: 5/10/2011 10:04:11 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Malia Becker\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 50.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.03 Gb Total Space | 75.81 Gb Free Space | 50.87% Space Free | Partition Type: NTFS

Computer Name: SRS1 | User Name: Malia Becker | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"" =
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"" =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"" =

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\IBM\Updater\jre\bin\java.exe" = C:\Program Files\IBM\Updater\jre\bin\java.exe:*:Enabled:IBM Update Connector -- (IBM)
"C:\Program Files\IBM\Updater\jre\bin\javaw.exe" = C:\Program Files\IBM\Updater\jre\bin\javaw.exe:*:Enabled:IBM Update Connector -- (IBM)
"C:\Program Files\IBM\Updater\ucsmb.exe" = C:\Program Files\IBM\Updater\ucsmb.exe:*:Enabled:IBM Update Connector -- (IBM Corporation, Inc.)
"C:\Program Files\Rosetta Stone\Rosetta Stone V3\support\bin\win\RosettaStoneLtdServices.exe" = C:\Program Files\Rosetta Stone\Rosetta Stone V3\support\bin\win\RosettaStoneLtdServices.exe:*:Enabled:Rosetta Stone Ltd Services -- ()
"C:\Program Files\Rosetta Stone\Rosetta Stone V3\RosettaStoneVersion3.exe" = C:\Program Files\Rosetta Stone\Rosetta Stone V3\RosettaStoneVersion3.exe:*:Enabled:Rosetta Stone V3 Application -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\IBM\Updater\jre\bin\java.exe" = C:\Program Files\IBM\Updater\jre\bin\java.exe:*:Enabled:IBM Update Connector -- (IBM)
"C:\Program Files\IBM\Updater\jre\bin\javaw.exe" = C:\Program Files\IBM\Updater\jre\bin\javaw.exe:*:Enabled:IBM Update Connector -- (IBM)
"C:\Program Files\IBM\Updater\ucsmb.exe" = C:\Program Files\IBM\Updater\ucsmb.exe:*:Enabled:IBM Update Connector -- (IBM Corporation, Inc.)
"C:\Program Files\Dantz\Retrospect 7.0\Retrospect.exe" = C:\Program Files\Dantz\Retrospect 7.0\Retrospect.exe:*:Enabled:Retrospect -- (EMC Dantz)
"C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\Rosetta Stone\Rosetta Stone V3\support\bin\win\RosettaStoneLtdServices.exe" = C:\Program Files\Rosetta Stone\Rosetta Stone V3\support\bin\win\RosettaStoneLtdServices.exe:*:Enabled:Rosetta Stone Ltd Services -- ()
"C:\Program Files\Rosetta Stone\Rosetta Stone V3\RosettaStoneVersion3.exe" = C:\Program Files\Rosetta Stone\Rosetta Stone V3\RosettaStoneVersion3.exe:*:Enabled:Rosetta Stone V3 Application -- ()
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\Documents and Settings\Malia Becker\Application Data\Dropbox\bin\Dropbox.exe" = C:\Documents and Settings\Malia Becker\Application Data\Dropbox\bin\Dropbox.exe:*:Enabled:Dropbox -- (Dropbox, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{01B93B3A-283F-411B-A648-69CABCACC986}" = Canon MF Drivers
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{1007F41F-7D69-468E-8017-3849A5A973C2}" = IBM ThinkVantage Technologies Welcome Message
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = IBM DLA
"{132CA5D9-C745-4B0B-A3B2-8C7A6EC3EE7E}" = Canon MF Toolbox 4.7.0.0.mf04
"{14374622-0900-4056-BA06-C87C900AF9E6}" = QuickBooks Pro 2005
"{172423F9-522A-483A-AD65-03600CE4CA4F}" = Microsoft Works 6-9 Converter
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F7CCFA3-D926-4882-B2A5-A0217ED25597}" = PC-Doctor for Windows
"{2111B23F-7FDA-4A41-8309-E5A1663CA296}" = IBM ThinkPad Keyboard Customizer Utility
"{22B71A00-4DED-11D4-A5E5-0004AC564F43}" = IBM Access Connections
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{25569723-DC5A-4467-A639-79535BF01B71}" = Adobe Help Center 2.1
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 15
"{28DA872A-0848-48CF-B749-19A198157A2A}" = mDriver
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3881DB80-EAA2-012B-ADAE-000000000000}" = TurboTax 2009 WinPerFedFormset
"{38975F50-EAA2-012B-ADB4-000000000000}" = TurboTax 2009 WinPerReleaseEngine
"{38A34630-EAA2-012B-ADB6-000000000000}" = TurboTax 2009 WinPerTaxSupport
"{3C5A81D0-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper
"{3C9AE630-EAA2-012B-AEB0-000000000000}" = TurboTax 2009 wsciper
"{3D9892BB-A751-4E48-ADC8-E4289956CE1D}" = QuickTime
"{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}" = ATI HYDRAVISION
"{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
"{46571E47-6457-4D68-A075-01BA1E62EC3F}" = TurboTax 2008 wsciper
"{5C381EC0-381F-4EB3-A2F5-CAC34CB4F5AD}" = UFO
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6C72E14A-C1F3-45E5-8810-83CE3C19ED63}" = IBM 32-bit Runtime Environment for Java 2, v1.4.1
"{6CE96A14-61E2-48CC-837E-22710A953ADE}" = IBM Themes
"{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}" = mCore
"{7210BCFE-ED8D-4261-8537-81B5A4BDFA2A}" = Rosetta Stone V3
"{72806716-7088-41B2-8FA6-717A2A164DAB}" = IBM Active Protection System
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7AB3A249-FB81-416B-917A-A2A10E74C503}" = iTunes
"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
"{82512BC9-BD5D-4C50-BE4D-B98E7DF78687}" = IBM ThinkPad UltraNav Wizard
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8D815BF3-2399-459C-B121-49373FEFB9E8}" = IBM Update Connector
"{8E55813F-2FA3-47E8-9AF9-31DC0B4AE3ED}" = Mindjet MindManager Viewer 7
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90AF0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office PowerPoint Viewer 2003
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = IBM RecordNow!
"{9752968A-B43F-4815-9F89-27033750CB3E}" = Kofax Desktop
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
"{A1960A82-DB70-474D-A86B-FA74466103C6}" = Drivers Install For Linksys Easylink Advisor
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A7B609FB-83D8-4FC3-8477-1BC65ECFE85B}" = Adobe Photoshop Elements 5.0
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{AFF8387B-A958-48F8-9E1C-2E9485A1985A}" = Retrospect 7.0
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
"{BE47D611-051B-427F-8DFD-121EC62C92F3}" = Kofax Desktop
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks
"{EA5AC97C-AE15-44F2-9221-1DEC46DEE8F1}" = Buzan's iMindMap V4.1
"{EA664480-3844-11D5-8C25-444553540000}" = IBM TrackPoint Accessibility Features
"{EC6AF20D-4376-4070-BEE4-D3A0DFF7E140}" = Access IBM
"{ECD94AA1-D865-4EF4-8F7C-5AA68D37ABE9}" = Autodesk MapGuide(R) Viewer ActiveX Control Release 6.3
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F358C0E1-B8DD-43A4-8B2E-269710247F16}" = Typing Instructor Platinum
"{F386C340-DF4B-4BBA-9503-420FB7EDB395}" = Wallpapers
"{F413B3A4-EE5D-457C-BAE5-6E58D9589ED5}" = Access IBM Message Center
"{F9D06C1D-EEB6-443A-B5BE-63CE1A5C1290}" = VIPRE Antivirus
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"ActiveTouchMeetingClient" = WebEx
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop Elements 5" = Adobe Photoshop Elements 5.0
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"AudibleDownloadManager" = Audible Download Manager
"CDex" = CDex extraction audio
"CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_05591014" = IBM Integrated 56K Modem
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
"EasyEject Utility" = IBM ThinkPad EasyEject Utility
"EasyLinkAdvisor" = Linksys EasyLink Advisor 1.6 (0045)
"ERUNT_is1" = ERUNT 1.1j
"GoalTime" = GoalTime
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"InstallShield_{6C72E14A-C1F3-45E5-8810-83CE3C19ED63}" = IBM 32-bit Runtime Environment for Java 2, v1.4.1
"InterActual Player" = InterActual Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mavis Beacon Teaches Typing Deluxe 17" = Mavis Beacon Teaches Typing Deluxe 17
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.2)" = Mozilla Firefox (3.6.2)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Music Assistant" = MSN Music Assistant
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Power Features" = IBM ThinkPad Battery MaxiMiser and Power Management Features
"Power Management Driver" = IBM ThinkPad Power Management Driver
"Presentation Director" = IBM ThinkPad Presentation Director
"ProInst" = Intel(R) PROSet/Wireless Software
"PROSet" = Intel(R) PRO Network Adapters and Drivers
"Quarter Mile Math Sampler" = Quarter Mile Math Sampler
"Quicken WillMaker Plus 2008" = Quicken WillMaker Plus 2008
"RealPlayer 12.0" = RealPlayer
"RegEditX" = RegEditX
"Sony Digital Voice Editor 2" = Sony Digital Voice Editor 2
"SynTPDeinstKey" = IBM ThinkPad UltraNav Driver
"The Right Track (R) Software" = The Right Track (R) Software
"The Rosetta Stone" = The Rosetta Stone
"ThinkPad Configuration" = IBM ThinkPad Configuration
"ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier
"ThinkPadSoftwareInstaller" = ThinkPad Software Installer
"TurboTax 2008" = TurboTax 2008
"TurboTax 2009" = TurboTax 2009
"TurboTax Deluxe 2005" = TurboTax Deluxe 2005
"TurboTax Deluxe 2007" = TurboTax Deluxe 2007
"TurboTax Deluxe Deduction Maximizer 2006" = TurboTax Deluxe Deduction Maximizer 2006
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/1/2011 11:31:20 PM | Computer Name = SRS1 | Source = Microsoft Office 11 | ID = 1000
Description = Faulting application winword.exe, version 11.0.8328.0, stamp 4c717ed1,
faulting module adxloader.dll, version 4.3.1910.0, stamp 4896d5ec, debug? 0, fault
address 0x00013ded.

Error - 5/2/2011 11:54:10 PM | Computer Name = SRS1 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting
module icucnv36.dll, version 3.6.0.0, fault address 0x000013df.

Error - 5/3/2011 11:07:35 PM | Computer Name = SRS1 | Source = Microsoft Office 11 | ID = 1000
Description = Faulting application winword.exe, version 11.0.8328.0, stamp 4c717ed1,
faulting module adxloader.dll, version 4.3.1910.0, stamp 4896d5ec, debug? 0, fault
address 0x00013ded.

Error - 5/4/2011 11:18:40 PM | Computer Name = SRS1 | Source = Microsoft Office 11 | ID = 1000
Description = Faulting application winword.exe, version 11.0.8328.0, stamp 4c717ed1,
faulting module adxloader.dll, version 4.3.1910.0, stamp 4896d5ec, debug? 0, fault
address 0x00013ded.

Error - 5/4/2011 11:19:14 PM | Computer Name = SRS1 | Source = Microsoft Office 11 | ID = 1000
Description = Faulting application winword.exe, version 11.0.8328.0, stamp 4c717ed1,
faulting module adxloader.dll, version 4.3.1910.0, stamp 4896d5ec, debug? 0, fault
address 0x00013ded.

Error - 5/7/2011 11:39:26 PM | Computer Name = SRS1 | Source = Microsoft Office 11 | ID = 1000
Description = Faulting application winword.exe, version 11.0.8328.0, stamp 4c717ed1,
faulting module adxloader.dll, version 4.3.1910.0, stamp 4896d5ec, debug? 0, fault
address 0x00013ded.

Error - 5/7/2011 11:40:01 PM | Computer Name = SRS1 | Source = Microsoft Office 11 | ID = 1000
Description = Faulting application winword.exe, version 11.0.8328.0, stamp 4c717ed1,
faulting module adxloader.dll, version 4.3.1910.0, stamp 4896d5ec, debug? 0, fault
address 0x00013ded.

Error - 5/9/2011 8:34:09 AM | Computer Name = SRS1 | Source = ESENT | ID = 490
Description = svchost (1324) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 5/9/2011 9:51:03 AM | Computer Name = SRS1 | Source = Microsoft Office 11 | ID = 1000
Description = Faulting application winword.exe, version 11.0.8328.0, stamp 4c717ed1,
faulting module adxloader.dll, version 4.3.1910.0, stamp 4896d5ec, debug? 0, fault
address 0x00013ded.

Error - 5/9/2011 6:03:41 PM | Computer Name = SRS1 | Source = Microsoft Office 11 | ID = 1000
Description = Faulting application winword.exe, version 11.0.8328.0, stamp 4c717ed1,
faulting module adxloader.dll, version 4.3.1910.0, stamp 4896d5ec, debug? 0, fault
address 0x00013ded.


========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

ken545
2011-05-10, 18:42
Go to Start > Run and type in services.msc > Enter, scroll down to Event Log, right click on it, go to Properties and make sure it's set to Automatic.


ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the ESET Online Scanner button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on the ESET Smart Installer link to download the ESET Smart Installer. Save it to your desktop.
Double click on the ESET Smart Installer icon on your desktop.

Check "YES, I accept the Terms of Use."
Click the Start button.
Accept any security warnings from your browser.
Check "Scan archives".
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push "List of found threats".
Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the Back button.
Push Finish.
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.

BBecker
2011-05-11, 02:48
ESET scanner log...

C:\Documents and Settings\Malia Becker\Application Data\Sun\Java\Deployment\cache\6.0\17\2262ced1-722fe31c multiple threats
C:\Documents and Settings\Malia Becker\Application Data\Sun\Java\Deployment\cache\6.0\22\7e479456-73f57139 a variant of Java/Agent.AP trojan
C:\Documents and Settings\Malia Becker\Application Data\Sun\Java\Deployment\cache\6.0\4\40e4d184-42f50687 multiple threats
C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\YLKJYTE5\popup[1].htm HTML/TrojanClicker.Agent.A trojan
C:\Documents and Settings\Malia Becker\Local Settings\Temporary Internet Files\Content.IE5\4HMFKTAV\forum[1].htm JS/Kryptik.AI trojan
C:\Documents and Settings\Malia Becker\Local Settings\Temporary Internet Files\Content.IE5\SNUZ0HOZ\75aa5[1].pdf JS/Exploit.Pdfka.OWF.Gen trojan

BBecker
2011-05-11, 02:49
Question: Is it OK to uninstall ESET, or do you expect to run it again?

ken545
2011-05-11, 10:00
Good Morning,

Yes, you can uninstall ESET; what it found was in your Java cache and your Temporary Internet Files.

Open OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL



:OTL



:Services

:Reg

:Files
ipconfig /release /c
ipconfig /renew /c
ipconfig /flushdns /c





:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]

Then click the Run Fix button at the top (not Run Scan).
Let the program run unhindered and reboot when it is done.
Then post the results of the log it produces.
Then run a new scan and post a new OTL log (don't check the boxes beside LOP Check or Purity this time).

BBecker
2011-05-11, 13:17
OTL fix results...

All processes killed
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /release /c >
Windows IP Configuration
No operation can be performed on Wireless Network Connection while it has its media disconnected.
No operation can be performed on Local Area Connection while it has its media disconnected.
C:\Documents and Settings\Malia Becker\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Malia Becker\Desktop\cmd.txt deleted successfully.
< ipconfig /renew /c >
Windows IP Configuration
No operation can be performed on Wireless Network Connection while it has its media disconnected.
No operation can be performed on Local Area Connection while it has its media disconnected.
C:\Documents and Settings\Malia Becker\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Malia Becker\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Malia Becker\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Malia Becker\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 13600634 bytes

User: Malia Becker
->Temp folder emptied: 3254140927 bytes
->Temporary Internet Files folder emptied: 187561754 bytes
->Java cache emptied: 47186434 bytes
->FireFox cache emptied: 111104120 bytes
->Flash cache emptied: 1569107 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 39097 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 498655265 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 103651744 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 19828551 bytes
RecycleBin emptied: 1362504555 bytes

Total Files Cleaned = 5,341.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 05112011_063929

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZQK3RPKL\home_;site=nbc;sect=home;sub=;genre=;daypart=;!category=home;!category=js;!category=nbc;network=tvn;sz=728x90;tagtype=js;dcopt=ist;uri=;pos=1;tile=1;ord=100457611671[2] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZQK3RPKL\home_comcastweblogo;site=nbc;sect=home;sub=comcastweblogo;genre=reality;daypart=primetime;!category=home;!category=js;!category=nbc;network=tvn;sz=1x1;tagtype=js;uri=;po[2] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZQK3RPKL\rcru_games;site=nbc;sect=rcru;sub=games;genre=drama;daypart=primetime;!category=rcru;!category=js;!category=nbc;network=tvn;sz=300x250;tagtype=js;uri=;pos=7;tile=7;ord=5[2] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZQK3RPKL\rcru_home;site=nbc;sect=rcru;sub=home;genre=drama;daypart=primetime;!category=rcru;!category=js;!category=nbc;network=tvn;sz=300x250;tagtype=js;uri=;pos=7;tile=7;ord=653[2] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZQK3RPKL\rcru_home;site=nbc;sect=rcru;sub=home;genre=drama;daypart=primetime;!category=rcru;!category=js;!category=nbc;network=tvn;sz=728x90;tagtype=js;dcopt=ist;uri=;pos=1;tile=[2] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZQK3RPKL\rcru_home;site=nbc;sect=rcru;sub=home;genre=drama;daypart=primetime;!category=rcru;!category=js;!category=nbc;network=tvn;sz=728x90;tagtype=js;dcopt=ist;uri=;pos=1;tile=[3] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\XWM8PIMB\boxed_sets;sz=300x250;s=48;s=176;s=140;s=12;s=64;s=92;s=210;s=49;s=199;s=177;s=156;s=128;s=55;s=145;s=28;s=3;s=1;s=98;s=10;s=75;s=37;s=16;s=179;s=88;s=51;s=27;s=172;s=14[1].htm not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\WP4BQDOT\CASLQF8P.com%2Fsearch%3Fhl%3Den%26q%3Dtintin%2Bin%2Bthe%2Bcongo%26btnG%3DGoogle%2BSearch&cc=100&u_h=1024&u_w=1280&u_ah=990&u_aw=1280&u_cd=32&u_tz=-300&u_his=6&u_java=true not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\WP4BQDOT\gijoe-40th-Aniversary_W0QQsofocusZbsQQsbrftogZ1QQfromZR10QQsacatZ-1QQcatrefZC6QQsargnZ-1QQsaslcZ2QQsadisZ200QQfposZQ5AIPQ2FPostalQQftrtZ1QQftrvZ1QQfsopZ1QQfsooZ1[1].htm not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\WP4BQDOT\gijoe-40th-Aniversary_W0QQsofocusZbsQQsbrftogZ1QQfromZR10QQsacatZ-1QQsargnZ-1QQsaslcZ2QQsadisZ200QQfposZQ5AIPQ2FPostalQQftrtZ1QQftrvZ1QQfsopZ1QQfsooZ1[1].htm not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\WP4BQDOT\tintin_W0QQcatrefZC6QQcoactionZcompareQQcoentrypageZsearchQQcopagenumZ1QQfromZR10QQfrtsZ50QQfsooZ1QQfsopZ1QQfstypeZ1QQftrtZ1QQftrvZ1QQsacatZQ2d1QQsaprchiZQQsaprcloZ[1].htm not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\WLA38LQV\gijoe-40th-Aniversary_W0QQsofocusZbsQQsbrftogZ1QQfromZR10QQsacatZ-1QQcatrefZC6QQsargnZ-1QQsaslcZ2QQsadisZ200QQfposZQ5AIPQ2FPostalQQftrtZ1QQftrvZ1QQfsopZ1QQfsooZ1QQcoacti[1].htm not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\QT6DCF49\gijoe-40th-Aniversary_W0QQsofocusZbsQQsbrftogZ1QQcatrefZC6QQfromZR10QQsacatZ-1QQcatrefZC6QQsargnZ-1QQsaslcZ2QQsadisZ200QQfposZQ5AIPQ2FPostalQQftrtZ1QQftrvZ1QQfsopZ1QQfso[1].htm not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q1XU3I5K\home_;site=nbc;sect=home;sub=;genre=;daypart=;!category=home;!category=js;!category=nbc;network=tvn;sz=300x250;tagtype=js;uri=;pos=7;tile=7;ord=100457611671[2] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q1XU3I5K\home_comcasttilelogo;site=nbc;sect=home;sub=comcasttilelogo;genre=reality;daypart=primetime;!category=home;!category=js;!category=nbc;network=tvn;sz=1x1;tagtype=js;uri=;[2] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q1XU3I5K\home_comcasttilelogo;site=nbc;sect=home;sub=comcasttilelogo;genre=reality;daypart=primetime;!category=home;!category=js;!category=nbc;network=tvn;sz=1x1;tagtype=js;uri=;[3] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q1XU3I5K\home_ribbon;site=nbc;sect=home;sub=ribbon;genre=;daypart=;!category=home;!category=js;!category=nbc;network=tvn;sz=1x1;tagtype=js;uri=;pos=9;tile=9;ord=153306805645[2] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q1XU3I5K\rcru_games;site=nbc;sect=rcru;sub=games;genre=drama;daypart=primetime;!category=rcru;!category=js;!category=nbc;network=tvn;sz=728x90;tagtype=js;dcopt=ist;uri=;pos=1;til[2] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q1XU3I5K\rcru_games;site=nbc;sect=rcru;sub=games;genre=drama;daypart=primetime;!category=rcru;!category=js;!category=nbc;network=tvn;sz=728x90;tagtype=js;dcopt=ist;uri=;pos=1;til[3] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q1XU3I5K\rcru_gamesadventure;site=nbc;sect=rcru;sub=gamesadventure;genre=drama;daypart=primetime;!category=rcru;!category=js;!category=nbc;!category=noexpand;network=tvn;sz=300x2[1] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q1XU3I5K\rcru_gamesadventure;site=nbc;sect=rcru;sub=gamesadventure;genre=drama;daypart=primetime;!category=rcru;!category=js;!category=nbc;!category=noexpand;network=tvn;sz=300x2[2] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\GHMJ8XQF\gijoe-40th-Aneversary_W0QQsofocusZbsQQsbrftogZ1QQcatrefZC6QQfromZR10QQsacatZ-1QQcatrefZC6QQsargnZ-1QQsaslcZ2QQsadisZ200QQfposZQ5AIPQ2FPostalQQftrtZ1QQftrvZ1QQfsopZ1QQfso[1].htm not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\GHMJ8XQF\gijoe-40th-Anevirsary_W0QQsofocusZbsQQsbrftogZ1QQfromZR10QQsacatZ-1QQcatrefZC6QQsargnZ-1QQsaslcZ2QQsadisZ200QQfposZQ5AIPQ2FPostalQQftrtZ1QQftrvZ1QQfsopZ1QQfsooZ1QQcoacti[1].htm not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\GHMJ8XQF\GIJOE-40th-anniversary_W0QQsofocusZbsQQsbrftogZ1QQfromZR10QQsacatZ-1QQcatrefZC6QQsargnZ-1QQsaslcZ2QQsadisZ200QQfposZQ5AIPQ2FPostalQQftrtZ1QQftrvZ1QQfsopZ1QQfsooZ1[1].htm not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\F37MTBLX\entertainment;comp=;ptype=story;pageid=495743;col=;kw=ramsay+gordon+restaurant;s1=entertainment;s2=null;pos=console300x100;url=story_0_2933_482726_00;fnc=ad;;sid=undefin[1] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\DR73998A\home_toyotawebexclusive;site=nbc;sect=home;sub=toyotawebexclusive;genre=comedy;daypart=primetime;!category=home;!category=js;!category=nbc;network=tvn;sz=1x1;tagtype=js;[1] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\DR73998A\home_toyotawebexclusive;site=nbc;sect=home;sub=toyotawebexclusive;genre=comedy;daypart=primetime;!category=home;!category=js;!category=nbc;network=tvn;sz=1x1;tagtype=js;[3] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\DR73998A\rcru_games;site=nbc;sect=rcru;sub=games;genre=drama;daypart=primetime;!category=rcru;!category=js;!category=nbc;network=tvn;sz=300x250;tagtype=js;uri=;pos=7;tile=7;ord=3[2] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\DR73998A\rcru_gamesadventure;site=nbc;sect=rcru;sub=gamesadventure;genre=drama;daypart=primetime;!category=rcru;!category=js;!category=nbc;!category=noexpand;network=tvn;sz=300x2[2] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\DR73998A\rcru_gamesadventure;site=nbc;sect=rcru;sub=gamesadventure;genre=drama;daypart=primetime;!category=rcru;!category=js;!category=nbc;!category=noexpand;network=tvn;sz=728x9[1] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\DR73998A\rcru_gamesadventure;site=nbc;sect=rcru;sub=gamesadventure;genre=drama;daypart=primetime;!category=rcru;!category=js;!category=nbc;!category=noexpand;network=tvn;sz=728x9[3] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\DR73998A\rcru_home;site=nbc;sect=rcru;sub=home;genre=drama;daypart=primetime;!category=rcru;!category=js;!category=nbc;network=tvn;sz=300x250;tagtype=js;uri=;pos=7;tile=7;ord=930[2] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\DR73998A\rcru_home;site=nbc;sect=rcru;sub=home;genre=drama;daypart=primetime;!category=rcru;!category=js;!category=nbc;network=tvn;sz=300x250;tagtype=js;uri=;pos=7;tile=7;ord=967[2] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\DR73998A\rcru_home;site=nbc;sect=rcru;sub=home;genre=drama;daypart=primetime;!category=rcru;!category=js;!category=nbc;network=tvn;sz=728x90;tagtype=js;dcopt=ist;uri=;pos=1;tile=[2] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\DR73998A\rcru_home;site=nbc;sect=rcru;sub=home;genre=drama;daypart=primetime;!category=rcru;!category=js;!category=nbc;network=tvn;sz=728x90;tagtype=js;dcopt=ist;uri=;pos=1;tile=[3] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\B43BKAAE\drama;sz=728x90;s=48;s=176;s=140;s=12;s=64;s=92;s=210;s=49;s=199;s=177;s=156;s=128;s=55;s=145;s=28;s=3;s=1;s=98;s=10;s=75;s=37;s=16;s=179;s=88;s=51;s=27;s=172;s=144;s=32[1].htm not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\B43BKAAE\drama;sz=728x90;s=48;s=176;s=140;s=12;s=64;s=92;s=210;s=49;s=199;s=177;s=156;s=128;s=55;s=145;s=28;s=3;s=1;s=98;s=10;s=75;s=37;s=16;s=179;s=88;s=51;s=27;s=172;s=144;s=32[2].htm not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\B43BKAAE\entertainment;comp=;ptype=story;pageid=495743;col=;kw=ramsay+gordon+restaurant;s1=entertainment;s2=null;pos=frame1;url=story_0_2933_482726_00;fnc=ad;;sid=undefined;sz=30[2] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\B43BKAAE\entertainment;dcopt=ist;comp=;ptype=story;pageid=495743;col=;kw=ramsay+gordon+restaurant;s1=entertainment;s2=null;pos=top;url=story_0_2933_482726_00;fnc=ad;;sid=undefine[2] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\87TNMYJL\1230082644@PageCounter,HeaderSpon,WindowShade,WxSpon,PageSpon,PageSpon2,PdSearch,PageSpon3,PageSpon4,PList1,PList2,PList3,PList4,PList5,PList6,Hidden1,Hidden2[1] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\87TNMYJL\home_;site=nbc;sect=home;sub=;genre=;daypart=;!category=home;!category=js;!category=nbc;network=tvn;sz=300x250;tagtype=js;uri=;pos=7;tile=7;ord=153306805645[2] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\87TNMYJL\home_;site=nbc;sect=home;sub=;genre=;daypart=;!category=home;!category=js;!category=nbc;network=tvn;sz=728x90;tagtype=js;dcopt=ist;uri=;pos=1;tile=1;ord=153306805645[2] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\87TNMYJL\home_comcastweblogo;site=nbc;sect=home;sub=comcastweblogo;genre=reality;daypart=primetime;!category=home;!category=js;!category=nbc;network=tvn;sz=1x1;tagtype=js;uri=;po[2] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\87TNMYJL\home_ribbon;site=nbc;sect=home;sub=ribbon;genre=;daypart=;!category=home;!category=js;!category=nbc;network=tvn;sz=1x1;tagtype=js;uri=;pos=9;tile=9;ord=100457611671[2] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\87TNMYJL\rcru_gamesadventure;site=nbc;sect=rcru;sub=gamesadventure;genre=drama;daypart=primetime;!category=rcru;!category=js;!category=nbc;!category=noexpand;network=tvn;sz=728x9[2] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\87TNMYJL\rcru_home;site=nbc;sect=rcru;sub=home;genre=drama;daypart=primetime;!category=rcru;!category=js;!category=nbc;network=tvn;sz=300x250;tagtype=js;uri=;pos=7;tile=7;ord=684[2] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\87TNMYJL\rcru_home;site=nbc;sect=rcru;sub=home;genre=drama;daypart=primetime;!category=rcru;!category=js;!category=nbc;network=tvn;sz=300x250;tagtype=js;uri=;pos=7;tile=7;ord=825[2] not found!
File\Folder C:\Documents and Settings\Malia Becker\Local Settings\Temp\Temporary Internet Files\Content.IE5\87TNMYJL\rcru_home;site=nbc;sect=rcru;sub=home;genre=drama;daypart=primetime;!category=rcru;!category=js;!category=nbc;network=tvn;sz=728x90;tagtype=js;dcopt=ist;uri=;pos=1;tile=[2] not found!

Registry entries deleted on Reboot...

ken545
2011-05-11, 13:20

How are things running now, any redirects or unwanted pop-up windows?

BBecker
2011-05-11, 13:42
log from new OTL scan...

OTL logfile created on: 5/11/2011 7:21:31 AM - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Malia Becker\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 52.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.03 Gb Total Space | 81.07 Gb Free Space | 54.39% Space Free | Partition Type: NTFS

Computer Name: SRS1 | User Name: Malia Becker | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Malia Becker\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Documents and Settings\Malia Becker\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
PRC - C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe (Sunbelt Software)
PRC - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe (Sunbelt Software)
PRC - C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe (Sunbelt Software)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)
PRC - C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Audible, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe (EMC Dantz)
PRC - C:\Program Files\ThinkPad\ConnectUtilities\QCWIZARD.EXE (IBM Corp.)
PRC - C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE (IBM Corp.)
PRC - C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE (IBM Corp.)
PRC - C:\WINDOWS\system32\QCONSVC.EXE (IBM Corp.)
PRC - C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe ()
PRC - C:\Program Files\Intel\Wireless\Bin\1XConfig.exe (Intel)
PRC - C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe ()
PRC - C:\Program Files\IBM\Messages By IBM\ibmmessages.exe (IBM)
PRC - C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
PRC - C:\WINDOWS\system32\TpKmpSvc.exe ()
PRC - C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe (IBM Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Malia Becker\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\SynTPFcs.dll (Synaptics, Inc.)


========== Win32 Services (SafeList) ==========

SRV - (SBAMSvc) -- C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe (Sunbelt Software)
SRV - (SBPIMSvc) -- C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe (Sunbelt Software)
SRV - (IntuitUpdateService) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (AdobeActiveFileMonitor5.0) -- C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe ()
SRV - (Retrospect Helper) -- C:\Program Files\Dantz\Retrospect 7.0\rthlpsvc.exe (EMC Dantz)
SRV - (RetroLauncher) -- C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe (EMC Dantz)
SRV - (QCONSVC) -- C:\WINDOWS\system32\QCONSVC.EXE (IBM Corp.)
SRV - (TpKmpSVC) -- C:\WINDOWS\system32\TpKmpSvc.exe ()
SRV - (ICDSPTSV) -- C:\WINDOWS\system32\IcdSptSv.exe (Sony Corporation)


========== Driver Services (SafeList) ==========

DRV - (SbTis) -- C:\WINDOWS\system32\drivers\sbtis.sys (Sunbelt Software, Inc.)
DRV - (sbapifs) -- C:\WINDOWS\system32\drivers\sbapifs.sys (Sunbelt Software)
DRV - (sbaphd) -- C:\WINDOWS\system32\drivers\sbaphd.sys (Sunbelt Software)
DRV - (SBRE) -- C:\WINDOWS\system32\drivers\SBREDrv.sys (Sunbelt Software)
DRV - (WDC_SAM) -- C:\WINDOWS\system32\drivers\wdcsam.sys (Western Digital Technologies)
DRV - (elagopro) -- C:\WINDOWS\system32\drivers\elagopro.sys (Gteko Ltd.)
DRV - (elaunidr) -- C:\WINDOWS\system32\drivers\elaunidr.sys (Gteko Ltd.)
DRV - (QCNDISIF) -- C:\WINDOWS\system32\drivers\qcndisif.sys (IBM Corporation.)
DRV - (ANC) -- C:\WINDOWS\system32\drivers\ANC.sys (IBM Corp.)
DRV - (IBMTPCHK) -- C:\WINDOWS\system32\drivers\IBMBLDID.SYS ()
DRV - (w29n51) Intel(R) -- C:\WINDOWS\system32\drivers\w29n51.sys (Intel® Corporation)
DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (ltmodem5) -- C:\WINDOWS\system32\drivers\ltmdmnt.sys (LT)
DRV - (TPPWR) -- C:\WINDOWS\system32\drivers\TPPWR.SYS (IBM Corp.)
DRV - (Smapint) -- C:\WINDOWS\system32\drivers\SMAPINT.SYS (Microsoft Corporation)
DRV - (TDSMAPI) -- C:\WINDOWS\system32\drivers\TDSMAPI.SYS ()
DRV - (HSFHWICH) -- C:\WINDOWS\system32\drivers\HSFHWICH.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (TSMAPIP) -- C:\WINDOWS\system32\drivers\TSMAPIP.SYS ()
DRV - (ICDUSB2) Sony IC Recorder (ST) -- C:\WINDOWS\system32\drivers\IcdUsb2.sys (Sony Corporation)
DRV - (S3SSavage) -- C:\WINDOWS\system32\drivers\s3ssavm.sys (S3 Graphics, Inc.)
DRV - (TwoTrack) -- C:\WINDOWS\system32\drivers\TwoTrack.sys (IBM Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.worldmag.com/index.cfm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.worldmag.com/index.cfm"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/14 21:13:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/11/10 18:44:37 | 000,000,000 | ---D | M]

[2009/08/18 20:24:42 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Malia Becker\Application Data\Mozilla\Extensions
[2011/05/10 08:39:54 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Malia Becker\Application Data\Mozilla\Firefox\Profiles\we1cutxq.default\extensions
[2010/07/12 07:23:45 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Malia Becker\Application Data\Mozilla\Firefox\Profiles\we1cutxq.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/10/29 20:12:54 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Malia Becker\Application Data\Mozilla\Firefox\Profiles\we1cutxq.default\extensions\browserhighlighter@ebay.com
[2011/05/10 08:39:54 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/21 22:04:27 | 000,000,000 | ---D | M] (Move Media Player) -- C:\DOCUMENTS AND SETTINGS\MALIA BECKER\APPLICATION DATA\MOVE NETWORKS
[2008/12/08 14:45:47 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2009/09/20 18:48:45 | 000,442,368 | ---- | M] (Invenda Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPcol308.dll
[2009/11/19 17:16:28 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2009/11/19 17:16:29 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

O1 HOSTS File: ([2011/05/11 06:39:35 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [BMMGAG] C:\Program Files\ThinkPad\Utilities\PWRMONIT.DLL (IBM Corp.)
O4 - HKLM..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE ()
O4 - HKLM..\Run: [BMMMONWND] C:\Program Files\ThinkPad\Utilities\BATINFEX.DLL ()
O4 - HKLM..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe ()
O4 - HKLM..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE (IBM Corp.)
O4 - HKLM..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE (IBM Corp.)
O4 - HKLM..\Run: [S3TRAY2] C:\WINDOWS\System32\S3Tray2.exe (S3 Graphics, Inc.)
O4 - HKLM..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe (Sunbelt Software)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TP4EX] C:\WINDOWS\System32\TP4EX.exe (IBM Corporation)
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe ()
O4 - HKLM..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe (IBM Corp.)
O4 - HKLM..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe ()
O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKCU..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe (IBM)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Audible, Inc.)
O4 - Startup: C:\Documents and Settings\Malia Becker\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Malia Becker\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll (Google Inc.)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O16 - DPF: {0612502E-29F8-11D6-BC3C-00C0F0167E34} http://www.crsdata.net/CRSDataObject/CRSNInfo.cab (CRS Inc. Data Object)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} http://www.crsdata.net/investor/maps/downloads/mgaxctrlv65.cab (Autodesk MapGuide ActiveX Control)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symantec.com/activex/symdlmgr.cab (Symantec Download Manager)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} http://offers.e-centives.com/cif/download/bin/actxcab.cab (CBSTIEPrint Class)
O16 - DPF: {C7C7152F-6E85-44F3-A14B-A7F85FDDEA3B} http://www.tellmemore-online.com/bin/tol7inst.cab (InstallerCtrl Class)
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4.1/jinstall-141-win.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://keymark.webex.com/client/v_mywebex-t20/support/ieatgpc.cab (GpcContainer Class)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll ()
O20 - Winlogon\Notify\QConGina: DllName - QConGina.dll - C:\WINDOWS\System32\QConGina.dll (IBM Corp.)
O20 - Winlogon\Notify\tphotkey: DllName - tphklock.dll - C:\WINDOWS\System32\tphklock.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\Malia Becker\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Malia Becker\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/07/02 00:17:55 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{99e3d934-469c-11dc-9a50-0012f09225af}\Shell\AutoRun\command - "" = E:\wd_windows_tools\setup.exe
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/11 06:39:29 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/05/10 18:41:01 | 002,322,184 | ---- | C] (ESET) -- C:\Documents and Settings\Malia Becker\Desktop\esetsmartinstaller_enu.exe
[2011/05/10 09:58:52 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Malia Becker\Desktop\OTL.exe
[2011/05/10 09:01:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Malia Becker\Application Data\Malwarebytes
[2011/05/10 09:01:46 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/05/10 09:01:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/05/10 09:01:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/05/10 09:01:43 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/05/10 09:01:43 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/05/10 09:01:11 | 007,734,240 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Malia Becker\Desktop\mbam-setup.exe
[2011/05/10 07:12:30 | 001,407,280 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Malia Becker\Desktop\TDSSKiller.exe
[2011/05/09 07:58:17 | 000,589,632 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Malia Becker\Desktop\aswMBR.exe
[2011/05/02 23:17:07 | 000,000,000 | ---D | C] -- C:\scan
[2011/05/02 23:12:01 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/05/02 23:12:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2011/04/15 07:21:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
[2011/04/14 21:37:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Malia Becker\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[4 C:\Documents and Settings\Malia Becker\My Documents\*.tmp files -> C:\Documents and Settings\Malia Becker\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/11 07:11:34 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/11 07:11:30 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/05/11 07:10:20 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/11 07:10:14 | 1341,116,416 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/11 06:50:11 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/05/11 06:39:35 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/05/10 18:41:23 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\Malia Becker\Desktop\esetsmartinstaller_enu.exe
[2011/05/10 09:58:56 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Malia Becker\Desktop\OTL.exe
[2011/05/10 09:01:46 | 000,000,787 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/05/10 08:54:16 | 007,734,240 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Malia Becker\Desktop\mbam-setup.exe
[2011/05/10 07:20:23 | 000,445,082 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/05/10 07:20:23 | 000,072,792 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/05/09 20:54:42 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2011/05/09 20:00:00 | 000,000,636 | ---- | M] () -- C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Malia Becker.job
[2011/05/09 19:18:23 | 000,589,632 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Malia Becker\Desktop\aswMBR.exe
[2011/05/09 18:13:19 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Malia Becker\Desktop\MBR.dat
[2011/05/09 08:35:41 | 000,001,030 | ---- | M] () -- C:\Documents and Settings\Malia Becker\Start Menu\Programs\Startup\Dropbox.lnk
[2011/05/09 08:35:41 | 000,001,030 | ---- | M] () -- C:\Documents and Settings\Malia Becker\Desktop\Dropbox.lnk
[2011/05/09 08:20:09 | 000,000,911 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\cfg
[2011/05/02 23:12:02 | 000,000,595 | ---- | M] () -- C:\Documents and Settings\Malia Becker\Desktop\ERUNT.lnk
[2011/05/02 16:02:26 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Malia Becker\Desktop\dds.com
[2011/05/01 14:21:34 | 001,407,280 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Malia Becker\Desktop\TDSSKiller.exe
[2011/04/30 15:30:20 | 000,020,921 | ---- | M] () -- C:\Documents and Settings\Malia Becker\Desktop\Lowes Proof of Purchase Claim Form FINAL.pdf
[2011/04/28 22:39:24 | 000,857,179 | ---- | M] () -- C:\Documents and Settings\Malia Becker\Desktop\Jack's sample #3.jpg
[2011/04/28 12:52:41 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Malia Becker\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003.lnk
[2011/04/16 07:20:28 | 000,000,795 | ---- | M] () -- C:\Documents and Settings\Malia Becker\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2011/04/16 07:15:27 | 000,175,464 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/16 00:03:04 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/04/15 07:24:50 | 000,945,817 | ---- | M] () -- C:\Documents and Settings\Malia Becker\Desktop\Writing sample.jpg
[2011/04/15 07:23:58 | 000,071,352 | ---- | M] () -- C:\Documents and Settings\Malia Becker\Desktop\Writing sample.tif
[4 C:\Documents and Settings\Malia Becker\My Documents\*.tmp files -> C:\Documents and Settings\Malia Becker\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/10 09:01:46 | 000,000,787 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/05/10 07:07:17 | 1341,116,416 | -HS- | C] () -- C:\hiberfil.sys
[2011/05/09 20:54:42 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2011/05/09 08:20:09 | 000,000,911 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\cfg
[2011/05/09 08:00:11 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Malia Becker\Desktop\MBR.dat
[2011/05/02 23:18:40 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Malia Becker\Desktop\dds.com
[2011/05/02 23:12:02 | 000,000,595 | ---- | C] () -- C:\Documents and Settings\Malia Becker\Desktop\ERUNT.lnk
[2011/04/30 15:30:18 | 000,020,921 | ---- | C] () -- C:\Documents and Settings\Malia Becker\Desktop\Lowes Proof of Purchase Claim Form FINAL.pdf
[2011/04/28 22:39:24 | 000,857,179 | ---- | C] () -- C:\Documents and Settings\Malia Becker\Desktop\Jack's sample #3.jpg
[2011/04/15 07:24:50 | 000,945,817 | ---- | C] () -- C:\Documents and Settings\Malia Becker\Desktop\Writing sample.jpg
[2011/04/15 07:23:58 | 000,071,352 | ---- | C] () -- C:\Documents and Settings\Malia Becker\Desktop\Writing sample.tif
[2011/01/03 14:01:23 | 000,032,360 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/12/05 01:16:51 | 000,106,200 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/10/04 20:25:45 | 000,000,104 | ---- | C] () -- C:\WINDOWS\Library.ini
[2009/08/28 20:30:33 | 000,000,281 | ---- | C] () -- C:\WINDOWS\Kofax200.ini
[2009/08/20 13:35:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iplayer.INI
[2009/08/18 20:24:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2008/07/16 21:10:07 | 000,000,048 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2006/11/03 19:19:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2006/08/31 11:34:24 | 000,051,392 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2006/01/04 21:24:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\DVEdit.INI
[2005/08/15 17:13:07 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS69.DLL
[2005/08/11 19:07:37 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\IcdSptSvps.dll
[2005/08/11 19:07:36 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\dsp_trc.dll
[2005/07/13 11:55:14 | 000,000,135 | ---- | C] () -- C:\Documents and Settings\Malia Becker\Local Settings\Application Data\fusioncache.dat
[2005/07/13 11:27:55 | 000,000,367 | ---- | C] () -- C:\WINDOWS\System32\CNCMFP12.INI
[2005/07/04 08:00:20 | 000,043,008 | ---- | C] () -- C:\Documents and Settings\Malia Becker\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/07/02 00:35:03 | 000,053,248 | R--- | C] () -- C:\WINDOWS\UpdtNv28.exe
[2005/06/26 01:17:33 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/06/25 12:12:21 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/06/25 12:11:07 | 000,184,320 | ---- | C] () -- C:\WINDOWS\TPBATHLP.EXE
[2005/06/25 12:09:36 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\JAWTAccessBridge.dll
[2005/06/25 12:09:02 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\PcdrKernelModeServices.dll
[2005/06/25 12:09:02 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\ProgressTrace.dll
[2005/06/25 12:08:21 | 000,002,432 | ---- | C] () -- C:\WINDOWS\System32\drivers\IBMBLDID.SYS
[2005/06/25 11:52:01 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2005/06/25 11:52:01 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2005/06/25 11:52:01 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2005/06/25 11:52:01 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2005/06/25 11:52:01 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2005/06/25 11:52:01 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2005/06/25 11:50:28 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/06/25 11:49:59 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\pxhpinst.exe
[2005/06/25 11:41:34 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\FPCALL.dll
[2005/06/25 11:40:44 | 000,009,341 | ---- | C] () -- C:\WINDOWS\System32\drivers\TDSMAPI.SYS
[2005/06/25 11:37:08 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\TpKmpSvc.exe
[2005/06/25 11:36:54 | 000,114,688 | ---- | C] () -- C:\WINDOWS\_tpiu000.exe
[2005/06/25 10:12:50 | 000,002,481 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/11/08 20:12:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/02 17:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/03/19 15:12:10 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\pwdmon.dll
[2004/01/09 09:10:32 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\AIBMRUNL.dll
[2003/02/20 12:32:29 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/02/20 12:18:57 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2003/02/20 12:09:47 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2003/02/20 12:03:32 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2003/02/20 12:02:39 | 000,175,464 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/01/07 18:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/03/14 12:00:26 | 000,038,567 | ---- | C] () -- C:\WINDOWS\System32\pcpbios.exe
[2002/01/09 21:38:20 | 000,106,496 | ---- | C] () -- C:\WINDOWS\desktopset.exe
[2001/08/23 10:26:08 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.BIN
[2001/08/23 10:24:30 | 000,004,524 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.DAT
[1998/08/16 05:00:00 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\sysres.dll
[1980/01/01 03:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[1980/01/01 03:00:00 | 000,445,082 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[1980/01/01 03:00:00 | 000,389,120 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.exe
[1980/01/01 03:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[1980/01/01 03:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[1980/01/01 03:00:00 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\e1000msg.dll
[1980/01/01 03:00:00 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll
[1980/01/01 03:00:00 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll
[1980/01/01 03:00:00 | 000,072,792 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[1980/01/01 03:00:00 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ibmpmsvc.exe
[1980/01/01 03:00:00 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\tpinspm.dll
[1980/01/01 03:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[1980/01/01 03:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[1980/01/01 03:00:00 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\tphklock.dll
[1980/01/01 03:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[1980/01/01 03:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== Alternate Data Streams ==========

@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >
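Reading a report like the one above line by line is slow, so here is an added example (not part of the thread, and not OTL's own code) of a small Python triage parser for the two OTL line shapes shown above: the `[timestamp | size | attrs | C/M] (Company) -- path` file entries and the `@Alternate Data Stream` entries. It flags entries worth a second look rather than declaring anything malicious: binaries under \Windows with no company name, files carrying hidden or system attributes, a changed hosts file, anything with an alternate data stream, and marks which of those were touched recently. The sample lines are copied from the log above; the `KNOWN_SYSTEM_FILES` allowlist, the 7-day window and the reference date are assumptions for this example.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# OTL file/directory line: "[timestamp | size | attrs | C/M] (Company) -- path".
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-RHSD]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# OTL "Alternate Data Streams" line.
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")

# Assumed allowlist: Windows-owned files that always carry H/S attributes and would
# otherwise be flagged on every run. Extend it from your own clean baseline.
KNOWN_SYSTEM_FILES = {r"c:\hiberfil.sys", r"c:\pagefile.sys", r"c:\windows\bootstat.dat"}
BINARY_SUFFIXES = (".sys", ".exe", ".dll", ".ocx")

# Reference time for the "recent" test (assumed: the day the log above was produced).
REFERENCE = datetime(2011, 5, 11, 12, 0, 0)

# Sample input: lines copied from the OTL log above (including one '*.tmp' summary
# line that the parser must skip) plus the ADS entry from the same report.
SAMPLE_LOG = r"""
========== Files Created - Within 30 Days ==========

[2011/05/10 09:01:43 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/05/11 07:10:14 | 1341,116,416 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/11 06:39:35 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/01/03 14:01:23 | 000,032,360 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[4 C:\Documents and Settings\Malia Becker\My Documents\*.tmp files -> C:\Documents and Settings\Malia Becker\My Documents\*.tmp -> ]

========== Alternate Data Streams ==========

@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
"""


@dataclass
class Entry:
    timestamp: datetime
    size: int
    readonly: bool
    hidden: bool
    system: bool
    directory: bool
    kind: str                 # "C" = created, "M" = modified
    company: str              # "" when OTL prints "()"
    path: str
    reasons: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one file line; return None for headers, blanks and '*.tmp' summary lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    attrs = m.group("attrs")  # positions are R, H, S, D as in the log above; '-' = unset
    return Entry(
        timestamp=datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
        size=int(m.group("size").replace(",", "")),   # "1341,116,416" -> 1341116416
        readonly=attrs[0] == "R",
        hidden=attrs[1] == "H",
        system=attrs[2] == "S",
        directory=attrs[3] == "D",
        kind=m.group("kind"),
        company=m.group("company").strip(),
        path=m.group("path").strip(),
    )


def triage(entry: Entry) -> Entry:
    """Attach review reasons. A reason means 'look at this', not 'this is malicious'."""
    p = entry.path.lower()
    if entry.directory or p in KNOWN_SYSTEM_FILES:
        return entry
    if "\\windows\\" in p and not entry.company and p.endswith(BINARY_SUFFIXES):
        entry.reasons.append("binary under \\Windows with no company name")
    if entry.hidden or entry.system:
        entry.reasons.append("hidden/system attribute on a file")
    if p.endswith("\\drivers\\etc\\hosts"):
        entry.reasons.append("hosts file changed (can redirect name resolution)")
    return entry


def triage_log(text: str, reference: datetime, recent_days: int = 7) -> Dict[str, object]:
    """Walk a whole OTL log; return all parsed entries, the flagged ones and ADS findings."""
    entries: List[Entry] = []
    ads: List[Tuple[int, str]] = []
    for line in text.splitlines():
        ads_match = ADS_RE.match(line.strip())
        if ads_match:
            ads.append((int(ads_match.group("size")), ads_match.group("path").strip()))
            continue
        entry = parse_entry(line)
        if entry:
            entries.append(triage(entry))
    flagged = [e for e in entries if e.reasons]
    # Recent activity is a priority hint layered on top of the other reasons.
    cutoff = reference - timedelta(days=recent_days)
    for e in flagged:
        if e.timestamp >= cutoff:
            e.reasons.append(f"touched within the last {recent_days} days")
    return {"entries": entries, "flagged": flagged, "ads": ads}


if __name__ == "__main__":
    result = triage_log(SAMPLE_LOG, REFERENCE)
    for e in result["flagged"]:
        print(f"{e.timestamp:%Y-%m-%d %H:%M} {e.path}: {'; '.join(e.reasons)}")
    for size, path in result["ads"]:
        print(f"ADS {size} bytes on {path}")
```

On the sample above this skips the summary line, leaves `hiberfil.sys` alone because it is allowlisted, and flags the hosts file (with the "recent" hint), the hidden `mlfcache.dat`, the company-less `OGAEXEC.exe`, and the ADS on the TEMP file. Each flag is a prompt to verify the file (signature, hash, known-good baseline), not a verdict.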

BBecker
2011-05-11, 13:48
No redirects or pop-ups occurring. Good sign!

Anything else hidden I should search for?

Also, do we know what this infection was? Anything obvious we should be doing to prevent it?

ken545
2011-05-11, 14:18
You were infected by the latest version of the TDSS Rootkit. There are many ways to get this: file sharing with torrents, downloading illegal software, opening attachments in your mail from people you don't know, or just plain wandering into an infected website.

With the seriousness of this infection there could be more lurking.

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.

BBecker
2011-05-11, 15:20
Results of ComboFix...

ComboFix 11-05-10.02 - Malia Becker 05/11/2011 9:04.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.579 [GMT -4:00]
Running from: c:\documents and settings\Malia Becker\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Malia Becker\Application Data\.#
C:\Images
c:\program files\IBM\Updater\ucstartup.exe
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\bszip.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-04-11 to 2011-05-11 )))))))))))))))))))))))))))))))
.
.
2011-05-11 10:39 . 2011-05-11 10:39 -------- d-----w- C:\_OTL
2011-05-10 13:01 . 2011-05-10 13:01 -------- d-----w- c:\documents and settings\Malia Becker\Application Data\Malwarebytes
2011-05-10 13:01 . 2011-05-10 13:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-10 13:01 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-10 13:01 . 2011-05-10 13:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-10 13:01 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-03 03:17 . 2011-05-09 22:24 -------- d-----w- C:\scan
2011-05-03 03:12 . 2011-05-03 03:12 -------- d-----w- c:\program files\ERUNT
2011-04-15 11:21 . 2011-04-15 11:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SSScanAppDataDir
2011-04-15 01:37 . 2011-04-15 01:37 -------- d-----w- c:\documents and settings\Malia Becker\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-10 11:15 . 2005-06-25 15:14 61696 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2011-03-07 05:33 . 2003-02-20 16:10 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 1980-01-01 07:00 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 1980-01-01 07:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-20 18:17 . 2008-08-10 18:31 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-02-17 13:51 . 2005-06-25 15:21 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 13:51 . 1980-01-01 07:00 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51 . 1980-01-01 07:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 13:18 . 1980-01-01 07:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 1980-01-01 07:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:37 . 2005-06-25 15:21 369664 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32 . 2009-04-16 12:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 1980-01-01 07:00 290432 ----a-w- c:\windows\system32\atmfd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Malia Becker\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Malia Becker\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Malia Becker\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Malia Becker\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-07-22 442368]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-09 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 69632]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-06-16 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-06-16 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-05 897024]
"TpShocks"="TpShocks.exe" [2004-03-27 102400]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-03-04 94208]
"TP4EX"="tp4ex.exe" [2002-09-04 53248]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2003-12-25 208896]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-09-02 127035]
"ibmmessages"="c:\program files\IBM\Messages By IBM\\ibmmessages.exe" [2004-07-22 442368]
"QCTRAY"="c:\program files\ThinkPad\ConnectUtilities\QCTRAY.EXE" [2005-03-18 745472]
"QCWLICON"="c:\progra~1\ThinkPad\CONNEC~1\QCWLIcon.exe" [2005-03-18 86016]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2004-07-29 110592]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2004-07-29 20480]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2004-07-29 395776]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2010-08-20 1348944]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
.
c:\documents and settings\Malia Becker\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Malia Becker\Application Data\Dropbox\bin\Dropbox.exe [2011-5-3 24172208]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Audible Download Manager.lnk - c:\program files\Audible\Bin\AudibleDownloadHelper.exe [2008-12-9 1783128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 10:07 262144 ----a-w- c:\windows\system32\QConGina.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2004-08-13 03:11 24576 ----a-w- c:\windows\system32\tphklock.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2006-09-14 12:55 61440 ----a-w- c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
2007-03-15 21:16 454784 ----a-w- c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KDTray]
2009-05-27 20:16 278528 ----a-w- c:\program files\Kofax\Kofax Desktop\bin\KofaxDesktopTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-01-09 03:02 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-09-10 12:38 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"c:\\Program Files\\Dantz\\Retrospect 7.0\\Retrospect.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Malia Becker\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=
.
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [9/5/2010 9:18 AM 21464]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/13/2010 7:56 AM 98392]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [9/5/2010 9:14 AM 212568]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [6/25/2005 12:11 PM 16384]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [9/5/2010 9:18 AM 69976]
R2 SBPIMSvc;SB Recovery Service;c:\program files\Sunbelt Software\VIPRE\SBPIMSvc.exe [8/20/2010 9:15 AM 181584]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 5:20 PM 135664]
S2 SBAMSvc;VIPRE Antivirus;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [8/20/2010 9:16 AM 2763080]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 5:20 PM 135664]
S3 ICDUSB2;Sony IC Recorder (ST);c:\windows\system32\drivers\IcdUsb2.sys [8/11/2005 7:07 PM 39048]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [6/25/2005 12:08 PM 12288]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 5:06 PM 11520]
.
Contents of the 'Scheduled Tasks' folder
.
2005-11-05 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2005-06-25 08:37]
.
2011-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 21:20]
.
2011-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 21:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.worldmag.com/index.cfm
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: {0612502E-29F8-11D6-BC3C-00C0F0167E34} - hxxp://www.crsdata.net/CRSDataObject/CRSNInfo.cab
DPF: {C7C7152F-6E85-44F3-A14B-A7F85FDDEA3B} - hxxp://www.tellmemore-online.com/bin/tol7inst.cab
FF - ProfilePath - c:\documents and settings\Malia Becker\Application Data\Mozilla\Firefox\Profiles\we1cutxq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.worldmag.com/index.cfm
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Malia Becker\Application Data\Move Networks
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-UC_Start - c:\program files\IBM\Updater\\ucstartup.exe
SafeBoot-klmdb.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-11 09:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(912)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
.
Completion time: 2011-05-11 09:16:11
ComboFix-quarantined-files.txt 2011-05-11 13:15
.
Pre-Run: 86,906,540,032 bytes free
Post-Run: 86,881,947,648 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
.
- - End Of File - - 511DFE0EAF4A005DC82E237E58D05307

ken545
2011-05-11, 15:34
:bigthumb:

How is your system behaving now?

BBecker
2011-05-11, 18:16
So far all seems to be working as it should with regard to internet (Google results no longer redirected).

We still have problems with Word and Excel (2003) complaining that they have encountered a problem and need to close AFTER you have already initiated closing them, but that has been going on for at least 5 months now, so I would think that is probably a Microsoft bug (due to some XP or library update), unrelated to this rootkit/malware infection.

ken545
2011-05-11, 18:39
:bigthumb:

Why don't you post here in this forum for your Excel problem, as we just do malware removal on this one. All of the forums work together, so feel free to link them to this thread so they can see what we have done.
http://forums.whatthetech.com/index.php?showforum=120



Click START, then RUN.
Now type Combofix /uninstall in the Run box and click OK. Note the space between the X and the /; it needs to be there.


http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png



Open OTL and click on Clean Up, and it will remove the programs we used to clean your system along with their backups.



How did I get infected in the first place?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Safe Surfn
Ken

BBecker
2011-05-12, 01:10
Ken, Thank you for your assistance in cleaning up our mess!

ken545
2011-05-12, 01:28
You're very welcome.

Take care,

Ken :)

ken545
2011-05-15, 23:06
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.