
Olmarik.tdl4 remnant issues. Help appreciated.



So then, in your opinion, the system is as clean as possible for now and there are no additional steps to take? (I understand the possibly remaining residual risks from having been infected by a Backdoor trojan which you mentioned at the beginning).

Do I need to remove Combofix, TDSSKiller, etc or should I hang onto those for future reference?

Also, any idea why RogueKiller caused those problems I previously mentioned (about causing the BSOD and taskbar/Windows freezes upon restart)?

Thanks.


Do I need to remove Combofix, TDSSKiller, etc or should I hang onto those for future reference?

Please uninstall ComboFix:

www.bleepingcomputer.com/combofix/how-to-use-combofix#uninstall

Next, manually delete DDS, TDSSKiller and JavaRa.

Some malware prevention tips here:

http://forums.malwarebytes.org/index.php?showtopic=104379

Also, any idea why RogueKiller caused those problems I previously mentioned (about causing the BSOD and taskbar/Windows freezes upon restart)?

This is the Malwarebytes' Anti-Malware forum. For similar questions, contact the developer.

http://www.sur-la-toile.com/RogueKiller/


Actually, I tried running RogueKiller again to see if maybe it was crashing because of the malware before. This time, I was able to get it to run successfully and it found one entry. Please see the log below:

RogueKiller V7.6.4 [07/17/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: d [Admin rights]

Mode: Scan -- Date: 07/24/2012 15:42:40

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 1 ¤¤¤

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : c:\windows\installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\L --> FOUND

[ZeroAccess][FILE] @ : c:\documents and settings\d\local settings\application data\{766ae966-0c13-0485-0d28-523fb79d5fb4}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\documents and settings\d\local settings\application data\{766ae966-0c13-0485-0d28-523fb79d5fb4}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\documents and settings\d\local settings\application data\{766ae966-0c13-0485-0d28-523fb79d5fb4}\L --> FOUND

[Faked.Drv][FAKED] fltMgr.sys : c:\windows\system32\drivers\fltMgr.sys --> CANNOT FIX

[Faked.Drv][FAKED] mf.sys : c:\windows\system32\drivers\mf.sys --> CANNOT FIX

[Faked.Drv][FAKED] nic1394.sys : c:\windows\system32\drivers\nic1394.sys --> CANNOT FIX

[Faked.Drv][FAKED] nwlnknb.sys : c:\windows\system32\drivers\nwlnknb.sys --> CANNOT FIX

[Faked.Drv][FAKED] serial.sys : c:\windows\system32\drivers\serial.sys --> CANNOT FIX

¤¤¤ Driver: [LOADED] ¤¤¤

SSDT[177] : NtQueryValueKey @ 0x806221FA -> HOOKED (ALvldr.sys @ 0xB990A7E6)

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG MMCQE28G8MUP-0VA +++++

--- User ---

[MBR] 8fede7d59eefb86210a17e6e811edb02

[bSP] 76eced74339309ac5fccd08057324ebb : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 117153 Mo

1 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 239931392 | Size: 4949 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt

The only option I am given is to delete or fix the registry entry related to "NewStartPanel". Should I also be concerned with the things RK states "Cannot Fix"? Please advise.

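As an added example (not code from this thread, from RogueKiller's author or from Malwarebytes), here is a Python parser for the RogueKiller report format shown above that sorts each entry by its status, so the "CANNOT FIX" lines asked about can be reviewed separately from what the tool found or hooked. SAMPLE_REPORT is an excerpt constructed from the log above; the Finding/Report names and the triage buckets are my own.

```python
"""Parse a RogueKiller text report and triage its findings by status."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt modelled on the RogueKiller V7.6.4 report posted above; not a full report.
SAMPLE_REPORT = r"""RogueKiller V7.6.4 [07/17/2012] by Tigzy
Mode: Scan -- Date: 07/24/2012 15:42:40
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 1 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : c:\windows\installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\windows\installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\U --> FOUND
[Faked.Drv][FAKED] fltMgr.sys : c:\windows\system32\drivers\fltMgr.sys --> CANNOT FIX
[Faked.Drv][FAKED] serial.sys : c:\windows\system32\drivers\serial.sys --> CANNOT FIX
¤¤¤ Driver: [LOADED] ¤¤¤
SSDT[177] : NtQueryValueKey @ 0x806221FA -> HOOKED (ALvldr.sys @ 0xB990A7E6)
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ MBR Check: ¤¤¤
[bSP] 76eced74339309ac5fccd08057324ebb : Windows XP MBR Code
"""

# "¤¤¤ Section name: count ¤¤¤" delimits the report's sections.
SECTION_RE = re.compile(r"^¤¤¤\s*(.+?)\s*¤¤¤$")
# "[Tag][Tag] name : target -> STATUS" (one or more bracketed tags, "->" or "-->").
TAGGED_RE = re.compile(r"^((?:\[[^\]]+\])+)\s*(.*?)\s*:\s*(.*?)\s*-+>\s*(.+?)\s*$")
TAG_RE = re.compile(r"\[([^\]]+)\]")
# "SSDT[idx] : Function @ addr -> HOOKED (module @ addr)"
SSDT_RE = re.compile(r"^SSDT\[(\d+)\]\s*:\s*(\w+)\s*@\s*(0x[0-9A-Fa-f]+)\s*->\s*HOOKED\s*"
                     r"\((.+?)\s*@\s*(0x[0-9A-Fa-f]+)\)$")
# "[bSP] <md5 of the boot sector> : <what the boot code looks like>"
MBR_RE = re.compile(r"^\[bSP\]\s*([0-9a-fA-F]{32})\s*:\s*(.+?)\s*$")


@dataclass
class Finding:
    section: str
    tags: Tuple[str, ...]
    name: str
    target: str
    status: str  # FOUND, CANNOT FIX or HOOKED


@dataclass
class Report:
    findings: List[Finding] = field(default_factory=list)
    infection: Optional[str] = None  # the "Infection : ..." verdict line
    mbr_code: Optional[str] = None   # RogueKiller's description of the boot code


def parse_report(text: str) -> Report:
    """Walk the report line by line, remembering which section we are in."""
    report = Report()
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            header = m.group(1)
            section = header.split(":", 1)[0].strip()
            if section == "Infection":
                report.infection = header.split(":", 1)[1].strip()
            continue
        m = SSDT_RE.match(line)
        if m:
            idx, func, _addr, module, hook_addr = m.groups()
            report.findings.append(
                Finding(section, ("SSDT",), f"{func}[{idx}]", f"{module} @ {hook_addr}", "HOOKED"))
            continue
        m = MBR_RE.match(line)
        if m:
            report.mbr_code = m.group(2)
            continue
        m = TAGGED_RE.match(line)
        if m:
            tags = tuple(TAG_RE.findall(m.group(1)))
            report.findings.append(Finding(section, tags, m.group(2), m.group(3), m.group(4)))
    return report


def triage(report: Report) -> Dict[str, object]:
    """Bucket findings by status so each kind can be reviewed on its own terms.

    FOUND entries are what the tool offers to remove; HOOKED entries name the module
    owning an SSDT hook, to be checked against a driver inventory (the OTL log in this
    thread lists ALvldr.sys with a Lenovo company name); CANNOT FIX entries were reported
    but not acted on and are not, by themselves, proof of infection.
    """
    counts: Dict[str, int] = {}
    for f in report.findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return {
        "verdict": report.infection,
        "mbr_code": report.mbr_code,
        "counts": counts,
        "zeroaccess_paths": [f.target for f in report.findings if "ZeroAccess" in f.tags],
        "hooks": [(f.name, f.target) for f in report.findings if f.status == "HOOKED"],
        "unfixed": [f.name for f in report.findings if f.status == "CANNOT FIX"],
    }


if __name__ == "__main__":
    for key, value in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```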

That's why I don't like this tool: it causes panic for no reason. One last check:

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Please tick Scan All Users. Next, click the Quick Scan button. The scan won't take long.
    • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your topic.


OTL.txt File

OTL logfile created on: 7/24/2012 4:16:50 PM - Run 1

OTL by OldTimer - Version 3.2.54.1 Folder = C:\Documents and Settings\d\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.5512)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.90 Gb Total Physical Memory | 1.69 Gb Available Physical Memory | 58.41% Memory free

4.74 Gb Paging File | 3.32 Gb Available in Paging File | 70.05% Paging File free

Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 114.41 Gb Total Space | 1.85 Gb Free Space | 1.62% Space Free | Partition Type: NTFS

Computer Name: BCS-FF2C23D2798 | User Name: d | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/07/24 16:15:49 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\d\Desktop\OTL.exe

PRC - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

PRC - [2012/07/03 13:46:44 | 000,462,920 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

PRC - [2012/03/23 14:25:24 | 000,087,040 | ---- | M] () -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe

PRC - [2011/05/16 15:49:28 | 000,676,312 | ---- | M] (Lenovo) -- C:\Program Files\Lenovo\Lenovo USB Port Replicator with Digital Video\dcute.exe

PRC - [2011/05/16 15:49:28 | 000,085,464 | ---- | M] () -- C:\Program Files\Lenovo\Lenovo USB Port Replicator with Digital Video\dqscrproj.exe

PRC - [2011/05/16 15:49:28 | 000,033,240 | ---- | M] (lenovo) -- C:\Program Files\Lenovo\Lenovo USB Port Replicator with Digital Video\dqscrproxy.exe

PRC - [2011/04/10 16:06:42 | 000,951,656 | ---- | M] (DisplayLink Corp.) -- C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe

PRC - [2011/04/10 16:06:40 | 000,730,472 | ---- | M] (DisplayLink Corp.) -- C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe

PRC - [2011/04/10 16:06:38 | 005,240,168 | ---- | M] (DisplayLink Corp.) -- C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe

PRC - [2010/11/03 19:19:24 | 000,094,024 | ---- | M] (Sling Media Inc.) -- C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe

PRC - [2010/08/25 01:28:00 | 000,132,456 | ---- | M] (Lenovo.) -- C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE

PRC - [2010/08/25 01:28:00 | 000,053,248 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe

PRC - [2010/07/27 17:05:00 | 000,069,560 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

PRC - [2010/04/26 13:46:32 | 000,144,824 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\ZOOM\TpScrex.exe

PRC - [2010/04/07 14:37:22 | 000,063,928 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe

PRC - [2010/04/01 14:50:44 | 000,043,960 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe

PRC - [2010/03/05 13:01:46 | 000,862,480 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe

PRC - [2010/03/05 12:54:20 | 000,954,368 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

PRC - [2010/03/05 12:43:50 | 000,473,360 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

PRC - [2010/02/22 16:50:16 | 000,810,120 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

PRC - [2010/02/22 16:49:56 | 002,140,880 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

PRC - [2010/02/05 06:44:44 | 000,118,784 | ---- | M] (AuthenTec,Inc) -- C:\WINDOWS\system32\FpLogonServ.exe

PRC - [2010/02/05 06:43:20 | 000,098,304 | ---- | M] () -- C:\WINDOWS\system32\DTS.exe

PRC - [2010/02/05 06:39:58 | 001,824,064 | ---- | M] (AuthenTec, Inc.) -- C:\WINDOWS\system32\AtService.exe

PRC - [2009/11/24 13:51:18 | 000,176,056 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

PRC - [2009/06/12 10:55:48 | 000,028,672 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\System Update\SUService.exe

PRC - [2009/02/12 12:48:42 | 002,058,776 | ---- | M] (Intel Corporation) -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe

PRC - [2008/10/30 18:23:52 | 000,031,744 | ---- | M] (Ricoh co.,Ltd.) -- C:\Program Files\RotateImage\RCIMGDIR.exe

PRC - [2008/04/14 06:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2007/09/26 17:34:46 | 000,644,408 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

========== Modules (No Company Name) ==========

MOD - [2012/07/06 13:29:58 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\8b84bb74d7724e147a642a1d5358feb7\System.ServiceProcess.ni.dll

MOD - [2012/07/05 21:32:25 | 000,060,928 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\f121ccced1aa14badb316d8d9be5154d\UIAutomationProvider.ni.dll

MOD - [2012/07/05 21:32:23 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\3bba1b8b0b5ef0be238b011cc7a0575e\System.Xml.ni.dll

MOD - [2012/07/05 21:30:16 | 001,592,320 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\d86f2038209a4cf0d0f5b30f6375c9b2\System.Drawing.ni.dll

MOD - [2012/07/05 21:27:21 | 000,539,648 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\8b873631a0855fb6aa0ad25f1d9de7fe\PresentationFramework.Luna.ni.dll

MOD - [2012/07/05 21:26:05 | 012,218,368 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationCore\f33e2a4d9b385234406fa2d662f78875\PresentationCore.ni.dll

MOD - [2012/07/05 21:25:47 | 003,325,440 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\WindowsBase\6d8bef0d008389874e55c0308f0c18e5\WindowsBase.ni.dll

MOD - [2012/07/05 21:25:25 | 007,953,408 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e4b5afc4da43b1c576f9322f9f2e1bfe\System.ni.dll

MOD - [2012/07/05 21:25:14 | 011,492,352 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\e337c89bc9f81b69d7237aa70e935900\mscorlib.ni.dll

MOD - [2012/07/05 21:25:05 | 005,283,840 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\PresentationFramework\3.0.0.0__31bf3856ad364e35\PresentationFramework.dll

MOD - [2012/03/23 14:25:24 | 000,087,040 | ---- | M] () -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe

MOD - [2012/03/11 14:55:40 | 000,088,656 | ---- | M] () -- C:\WINDOWS\system32\cpwmon2k.dll

MOD - [2011/05/16 15:49:28 | 000,085,464 | ---- | M] () -- C:\Program Files\Lenovo\Lenovo USB Port Replicator with Digital Video\dqscrproj.exe

MOD - [2010/08/25 01:28:00 | 000,053,248 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\US\PWRMGRRO.DLL

MOD - [2010/08/25 01:28:00 | 000,053,248 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe

MOD - [2010/08/25 01:28:00 | 000,036,352 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\US\PWRMGRRT.DLL

MOD - [2010/08/10 00:01:06 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll

MOD - [2010/03/15 11:28:22 | 000,141,824 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll

MOD - [2010/02/05 06:43:20 | 000,098,304 | ---- | M] () -- C:\WINDOWS\system32\DTS.exe

MOD - [2010/02/05 06:42:38 | 000,634,880 | ---- | M] () -- C:\Program Files\Lenovo Fingerprint Software\SharedResources.dll

========== Win32 Services (SafeList) ==========

SRV - [2012/07/22 20:37:01 | 000,161,776 | ---- | M] (Oracle Corporation) [Auto | Stopped] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)

SRV - [2012/07/17 18:04:42 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)

SRV - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)

SRV - [2012/03/23 14:25:24 | 000,087,040 | ---- | M] () [Auto | Running] -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe -- (PassThru Service)

SRV - [2011/05/16 15:49:28 | 000,085,464 | ---- | M] () [Auto | Running] -- C:\Program Files\Lenovo\Lenovo USB Port Replicator with Digital Video\dqscrproj.exe -- (ScrProj)

SRV - [2011/04/10 16:06:38 | 005,240,168 | ---- | M] (DisplayLink Corp.) [Auto | Running] -- C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe -- (DisplayLinkService)

SRV - [2010/11/03 19:19:24 | 000,094,024 | ---- | M] (Sling Media Inc.) [Auto | Running] -- C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe -- (SlingAgentService)

SRV - [2010/08/25 01:28:00 | 000,132,456 | ---- | M] (Lenovo.) [Auto | Running] -- C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE -- (DozeSvc)

SRV - [2010/08/25 01:28:00 | 000,053,248 | ---- | M] () [Auto | Running] -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe -- (Power Manager DBC Service)

SRV - [2010/04/07 14:37:22 | 000,063,928 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe -- (TPHKSVC)

SRV - [2010/04/07 12:02:16 | 000,045,496 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Lenovo\HOTKEY\micmute.exe -- (LENOVO.MICMUTE)

SRV - [2010/03/05 13:01:46 | 000,862,480 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng)

SRV - [2010/03/05 12:54:20 | 000,954,368 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor)

SRV - [2010/03/05 12:43:50 | 000,473,360 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc)

SRV - [2010/02/22 16:52:52 | 000,033,560 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)

SRV - [2010/02/22 16:50:16 | 000,810,120 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)

SRV - [2010/02/05 06:44:44 | 000,118,784 | ---- | M] (AuthenTec,Inc) [Auto | Running] -- C:\WINDOWS\system32\FpLogonServ.exe -- (FingerprintServer)

SRV - [2010/02/05 06:43:20 | 000,098,304 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\DTS.exe -- (dtsvc)

SRV - [2010/02/05 06:43:16 | 000,106,496 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\system32\ADMonitor.exe -- (ADMonitor)

SRV - [2010/02/05 06:39:58 | 001,824,064 | ---- | M] (AuthenTec, Inc.) [Auto | Running] -- C:\WINDOWS\system32\AtService.exe -- (ATService)

SRV - [2009/06/12 10:55:48 | 000,028,672 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\System Update\SUService.exe -- (SUService)

SRV - [2009/02/12 12:48:42 | 002,058,776 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe -- (UNS)

SRV - [2007/09/26 17:34:46 | 000,644,408 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe -- (ThinkVantage Registry Monitor Service)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)

DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)

DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)

DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)

DRV - File not found [Kernel | System | Stopped] -- -- (Changer)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\d\LOCALS~1\Temp\catchme.sys -- (catchme)

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ax88772.sys -- (AX88772)

DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\d\LOCALS~1\Temp\aswMBR.sys -- (aswMBR)

DRV - [2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)

DRV - [2012/04/09 19:13:13 | 000,242,240 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\dtsoftbus01.sys -- (dtsoftbus01)

DRV - [2011/06/02 11:08:34 | 000,011,336 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\SystemRequirementsLab\cpudrv.sys -- (cpudrv)

DRV - [2011/05/16 15:49:28 | 000,055,256 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\dqbridge.sys -- (dqbridge)

DRV - [2011/05/16 15:49:28 | 000,019,928 | ---- | M] (lenovo) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dqVDDrvK.sys -- (dqVDDrv)

DRV - [2011/05/16 15:49:26 | 000,029,656 | ---- | M] (Lenovo Soft Corporation(32)) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\ALvldr.sys -- (ALvldr)

DRV - [2011/04/10 16:07:03 | 000,024,448 | ---- | M] (DisplayLink Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DisplayLinkmirrorport.sys -- (DisplayLinkmirror)

DRV - [2011/04/10 16:07:03 | 000,007,296 | ---- | M] (DisplayLink Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DisplayLinkFilter.sys -- (DisplayLinkFilter)

DRV - [2010/08/25 01:28:00 | 000,024,304 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\DOZEHDD.SYS -- (DozeHDD)

DRV - [2010/08/25 01:28:00 | 000,004,442 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPPWRIF.SYS -- (TPPWRIF)

DRV - [2010/07/18 14:58:34 | 000,822,400 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CHDAU32.sys -- (CnxtHdAudService)

DRV - [2010/07/14 15:20:08 | 000,025,560 | ---- | M] (Lenovo) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\dqusb.sys -- (dqusb)

DRV - [2010/06/22 18:01:50 | 000,021,248 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\htcnprot.sys -- (htcnprot)

DRV - [2010/03/18 01:15:18 | 006,601,216 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32)

DRV - [2010/02/22 16:51:10 | 000,095,872 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdir.sys -- (epfwtdir)

DRV - [2010/02/22 16:50:06 | 000,114,984 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv)

DRV - [2010/02/22 16:47:20 | 000,139,192 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)

DRV - [2010/02/05 10:14:14 | 000,661,448 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ATSwpWDF.sys -- (ATSwpWDF)

DRV - [2009/12/09 14:54:46 | 000,154,672 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)

DRV - [2009/12/08 14:11:40 | 000,031,680 | R--- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)

DRV - [2009/10/23 16:40:30 | 000,187,776 | ---- | M] (Ricoh co.,Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RCUVCMNP.sys -- (5U875UVC)

DRV - [2009/10/09 12:12:02 | 000,120,360 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\ApsX86.sys -- (Shockprf)

DRV - [2009/10/09 12:10:24 | 000,020,520 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\ApsHM86.sys -- (TPDIGIMN)

DRV - [2009/08/10 04:46:38 | 000,013,952 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)

DRV - [2009/06/10 00:49:32 | 000,024,576 | ---- | M] (HTC, Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ANDROIDUSB.sys -- (HTCAND32)

DRV - [2008/09/19 16:29:54 | 000,243,856 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1y5132.sys -- (e1yexpress)

DRV - [2008/05/12 18:04:02 | 000,013,480 | ---- | M] (Lenovo Group Limited) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\smiif32.sys -- (lenovo.smi)

DRV - [2008/03/26 13:21:06 | 000,013,824 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tpm.sys -- (tpm)

DRV - [2007/07/16 17:29:33 | 000,017,432 | ---- | M] (Hewlett Packard) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hpfxbulk.sys -- (HPFXBULK)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2052111302-261903793-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: vshare@toolbar:1.0.0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_3_300_265.dll ()

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()

FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.0: C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@veetle.com/vbp;version=0.9.17: C:\Program Files\Veetle\VLCBroadcast\npvbp.dll (Veetle Inc)

FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.18: C:\Program Files\Veetle\plugins\npVeetle.dll (Veetle Inc)

FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.18: C:\Program Files\Veetle\Player\npvlc.dll (Veetle Inc)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/07/17 18:04:44 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/07/22 19:22:10 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2012/07/22 16:42:07 | 000,000,000 | ---D | M]

[2010/09/20 10:02:51 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\d\Application Data\Mozilla\Extensions

[2012/06/04 19:49:26 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\d\Application Data\Mozilla\Firefox\Profiles\i2udtmcg.default\extensions

[2011/12/04 07:37:53 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\d\Application Data\Mozilla\Firefox\Profiles\i2udtmcg.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2012/06/04 19:49:26 | 000,000,000 | ---D | M] (WebSlingPlayer) -- C:\Documents and Settings\d\Application Data\Mozilla\Firefox\Profiles\i2udtmcg.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}

[2010/10/03 14:05:11 | 000,000,000 | ---D | M] (vShare Plugin) -- C:\Documents and Settings\d\Application Data\Mozilla\Firefox\Profiles\i2udtmcg.default\extensions\vshare@toolbar

[2012/07/03 09:17:49 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

[2012/07/17 18:04:44 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll

[2012/04/11 16:34:06 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

[2012/04/11 16:34:06 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/07/22 16:06:33 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)

O4 - HKLM..\Run: [FingerPrintSoftware] C:\Program Files\Lenovo Fingerprint Software\fpapp.exe (Authentec,Inc)

O4 - HKLM..\Run: [HPUsageTracking] c:\Program Files\HP\HP UT\bin\hppusg.exe (Hewlett-Packard Company)

O4 - HKLM..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)

O4 - HKLM..\Run: [Lenovo dCute] C:\Program Files\Lenovo\Lenovo USB Port Replicator with Digital Video\dCute.exe (Lenovo)

O4 - HKLM..\Run: [LenovoAutoScrollUtility] C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe (Lenovo Group Limited)

O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()

O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)

O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)

O4 - HKLM..\Run: [picon] C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe (Intel Corporation)

O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (Lenovo Group Limited)

O4 - HKLM..\Run: [RotateImage] C:\Program Files\RotateImage\RCIMGDIR.exe (Ricoh co.,Ltd.)

O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-2052111302-261903793-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-2052111302-261903793-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-21-2052111302-261903793-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-21-2052111302-261903793-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O15 - HKU\S-1-5-21-2052111302-261903793-725345543-1003\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB (Reg Error: Key error.)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1341536361125 (WUWebControl Class)

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0017-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{821D4603-DA1E-47B9-8BD9-E97EEBC1D518}: DhcpNameServer = 75.75.75.75 75.75.76.76

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O20 - Winlogon\Notify\ATFUS: DllName - (C:\WINDOWS\system32\FpWinLogonNp.dll) - C:\WINDOWS\system32\FpWinlogonNp.dll (AuthenTec,Inc)

O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2010/09/20 12:04:23 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/07/24 16:15:49 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\d\Desktop\OTL.exe

[2012/07/24 15:42:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\d\Desktop\RK_Quarantine

[2012/07/23 23:49:03 | 000,000,000 | -HSD | C] -- C:\RECYCLER

[2012/07/23 11:25:08 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2012/07/22 21:33:08 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine

[2012/07/22 21:20:24 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\d\Recent

[2012/07/22 20:43:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner

[2012/07/22 20:39:15 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java

[2012/07/22 20:38:32 | 000,000,000 | ---D | C] -- C:\Program Files\Oracle

[2012/07/22 20:36:37 | 000,000,000 | ---D | C] -- C:\Program Files\Java

[2012/07/22 20:36:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee

[2012/07/22 18:12:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\d\Local Settings\Application Data\ESET

[2012/07/22 16:42:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ESET

[2012/07/22 16:42:01 | 000,000,000 | ---D | C] -- C:\Program Files\ESET

[2012/07/22 16:42:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ESET

[2012/07/22 15:56:57 | 000,000,000 | R--D | C] -- C:\Documents and Settings\d\Start Menu\Programs\Administrative Tools

[2012/07/22 15:56:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt

[2012/07/21 22:05:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia

[2012/07/21 22:05:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

[2012/07/20 19:30:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\d\Local Settings\Application Data\CutePDF Writer

[2012/07/20 19:29:44 | 000,000,000 | ---D | C] -- C:\Program Files\GPLGS

[2012/07/20 19:28:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CutePDF

[2012/07/20 19:28:05 | 000,000,000 | ---D | C] -- C:\Program Files\Acro Software

[2012/07/17 18:44:15 | 000,000,000 | ---D | C] -- C:\Program Files\SystemRequirementsLab

[2012/07/17 18:44:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\d\Application Data\SystemRequirementsLab

[2012/07/17 18:22:51 | 000,000,000 | ---D | C] -- C:\Program Files\Lenovo USB Port Replicator

[2012/07/17 18:22:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Lenovo USB Port Replicator

[2012/07/15 04:11:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia

[2012/07/15 04:10:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe

[2012/07/05 19:30:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware

[2012/07/05 19:29:59 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/07/24 16:15:49 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\d\Desktop\OTL.exe

[2012/07/24 15:40:36 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2012/07/24 15:40:23 | 001,552,384 | ---- | M] () -- C:\Documents and Settings\d\Desktop\RogueKiller.exe

[2012/07/24 15:39:07 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\TEMP

[2012/07/24 14:53:48 | 000,000,292 | ---- | M] () -- C:\WINDOWS\tasks\PMTask.job

[2012/07/23 18:12:05 | 000,508,390 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2012/07/23 18:12:04 | 000,090,666 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2012/07/23 17:55:35 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2012/07/23 17:55:34 | 3112,198,144 | -HS- | M] () -- C:\hiberfil.sys

[2012/07/23 11:25:16 | 000,000,327 | RHS- | M] () -- C:\boot.ini

[2012/07/23 03:49:43 | 000,217,600 | ---- | M] () -- C:\Documents and Settings\d\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2012/07/23 03:24:26 | 000,204,120 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2012/07/22 21:44:40 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2012/07/22 20:55:08 | 2145,386,496 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP

[2012/07/22 20:42:08 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\d\defogger_reenable

[2012/07/22 17:21:13 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat

[2012/07/22 16:06:33 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2012/07/20 19:31:15 | 000,140,609 | ---- | M] () -- C:\Documents and Settings\d\Desktop\YS Tix 3.pdf

[2012/07/20 19:30:52 | 000,140,583 | ---- | M] () -- C:\Documents and Settings\d\Desktop\YS Tix 2.pdf

[2012/07/20 19:30:12 | 000,140,512 | ---- | M] () -- C:\Documents and Settings\d\Desktop\YS Tix 1.pdf

[2012/07/20 19:04:46 | 017,178,218 | ---- | M] () -- C:\Documents and Settings\d\Desktop\bullsbeat_245.mp3

[2012/07/17 21:25:58 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

[2012/07/11 23:12:33 | 000,037,311 | ---- | M] () -- C:\Documents and Settings\d\Desktop\Groupon_chikalicious.pdf

[2012/07/05 13:05:50 | 004,503,728 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\l_u0_0.pad

[2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2012/07/01 17:39:46 | 000,002,641 | ---- | M] () -- C:\Documents and Settings\d\Desktop\images.jpg

[2012/06/26 04:59:21 | 000,009,420 | ---- | M] () -- C:\Documents and Settings\d\Desktop\SAC.jpg

[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/07/24 15:40:22 | 001,552,384 | ---- | C] () -- C:\Documents and Settings\d\Desktop\RogueKiller.exe

[2012/07/23 11:25:16 | 000,000,211 | ---- | C] () -- C:\Boot.bak

[2012/07/23 11:25:13 | 000,260,272 | RHS- | C] () -- C:\cmldr

[2012/07/22 21:44:17 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK

[2012/07/22 21:23:56 | 3112,198,144 | -HS- | C] () -- C:\hiberfil.sys

[2012/07/22 20:42:08 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\d\defogger_reenable

[2012/07/22 16:03:13 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\TEMP

[2012/07/20 19:31:15 | 000,140,609 | ---- | C] () -- C:\Documents and Settings\d\Desktop\YS Tix 3.pdf

[2012/07/20 19:30:51 | 000,140,583 | ---- | C] () -- C:\Documents and Settings\d\Desktop\YS Tix 2.pdf

[2012/07/20 19:30:11 | 000,140,512 | ---- | C] () -- C:\Documents and Settings\d\Desktop\YS Tix 1.pdf

[2012/07/20 19:28:14 | 000,088,656 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll

[2012/07/20 19:04:38 | 017,178,218 | ---- | C] () -- C:\Documents and Settings\d\Desktop\bullsbeat_245.mp3

[2012/07/15 04:02:24 | 000,000,804 | ---- | C] () -- C:\WINDOWS\Installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\L\00000004.@

[2012/07/11 23:12:33 | 000,037,311 | ---- | C] () -- C:\Documents and Settings\d\Desktop\Groupon_chikalicious.pdf

[2012/07/05 21:40:08 | 000,725,840 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

[2012/07/05 21:01:14 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll

[2012/07/05 21:01:14 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll

[2012/07/05 12:53:36 | 004,503,728 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\l_u0_0.pad

[2012/07/01 17:39:46 | 000,002,641 | ---- | C] () -- C:\Documents and Settings\d\Desktop\images.jpg

[2012/06/26 04:59:21 | 000,009,420 | ---- | C] () -- C:\Documents and Settings\d\Desktop\SAC.jpg

[2012/04/09 19:21:59 | 000,000,590 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.400.32.bc

[2011/05/16 15:49:28 | 000,055,256 | ---- | C] () -- C:\WINDOWS\System32\drivers\dqbridge.sys

[2010/10/09 18:11:20 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

[2010/10/09 16:41:52 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat

[2010/10/04 05:28:49 | 000,000,619 | ---- | C] () -- C:\WINDOWS\System32\hppapr13.dat

[2010/10/04 05:28:04 | 000,172,891 | ---- | C] () -- C:\WINDOWS\hppins13.dat

[2010/10/04 05:28:04 | 000,006,760 | ---- | C] () -- C:\WINDOWS\hppmdl13.dat

[2010/09/27 19:52:50 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2010/09/26 17:43:01 | 000,045,612 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat

[2010/09/21 02:22:54 | 000,196,608 | ---- | C] () -- C:\WINDOWS\PWMBTHLP.EXE

[2010/09/21 02:22:53 | 000,004,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\TPPWRIF.SYS

[2010/09/20 12:07:23 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat

[2010/09/20 12:01:27 | 000,022,720 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

[2010/09/20 10:09:21 | 000,982,240 | ---- | C] () -- C:\WINDOWS\System32\igkrng500.bin

[2010/09/20 10:09:19 | 000,004,096 | ---- | C] ( ) -- C:\WINDOWS\System32\IGFXDEVLib.dll

[2010/09/20 10:09:17 | 000,439,308 | ---- | C] () -- C:\WINDOWS\System32\igcompkrng500.bin

[2010/09/20 10:09:17 | 000,000,151 | ---- | C] () -- C:\WINDOWS\System32\GfxUI.exe.config

[2010/09/20 10:02:45 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat

[2010/09/20 09:48:03 | 000,217,600 | ---- | C] () -- C:\Documents and Settings\d\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/09/20 04:50:43 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2010/09/20 04:49:29 | 000,204,120 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2008/04/14 06:41:26 | 000,002,048 | ---- | C] () -- C:\WINDOWS\Installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\@

[2008/04/14 06:41:26 | 000,002,048 | ---- | C] () -- C:\Documents and Settings\d\Local Settings\Application Data\{766ae966-0c13-0485-0d28-523fb79d5fb4}\@

========== LOP Check ==========

[2010/09/30 18:27:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AIM

[2010/12/23 18:32:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Cisco Systems

[2012/04/09 19:12:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite

[2010/10/09 15:09:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\debugout

[2012/07/22 16:42:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET

[2012/06/04 22:03:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sling Media

[2010/09/27 23:02:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

[2010/09/30 18:28:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\d\Application Data\acccore

[2010/09/20 14:59:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\d\Application Data\CachedFiles

[2012/07/22 20:45:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\d\Application Data\DAEMON Tools Lite

[2012/06/12 01:22:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\d\Application Data\Oracle

[2012/06/04 19:49:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\d\Application Data\Sling Media

[2012/07/17 18:44:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\d\Application Data\SystemRequirementsLab

[2011/12/28 03:00:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\d\Application Data\Windows Desktop Search

[2012/03/19 21:20:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\d\Application Data\Windows Search

[2012/07/24 14:53:48 | 000,000,292 | ---- | M] () -- C:\WINDOWS\Tasks\PMTask.job

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:502D809E

< End of report >


Extras.txt file

OTL Extras logfile created on: 7/24/2012 4:16:50 PM - Run 1

OTL by OldTimer - Version 3.2.54.1 Folder = C:\Documents and Settings\d\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.5512)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.90 Gb Total Physical Memory | 1.69 Gb Available Physical Memory | 58.41% Memory free

4.74 Gb Paging File | 3.32 Gb Available in Paging File | 70.05% Paging File free

Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 114.41 Gb Total Space | 1.85 Gb Free Space | 1.62% Space Free | Partition Type: NTFS

Computer Name: BCS-FF2C23D2798 | User Name: d | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-2052111302-261903793-725345543-1003\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"UpdatesDisableNotify" = 0

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{0360D8F0-626A-4E87-8A16-938BD0BEBCC5}" = 32 Bit HP CIO Components Installer

"{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser

"{26A24AE4-039D-4CA4-87B4-2F83217005FF}" = Java 7 Update 5

"{2CE5A2E7-3437-4CE7-BCF4-85ED6EEFF9E4}" = iTunes

"{31A559C1-9E4D-423B-9DD3-34A6C5398752}" = HTC BMP USB Driver

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile

"{3D08333C-C366-425D-8C2D-D05630D68A46}" = SlingPlayer

"{3D8994A3-02A8-45B5-B955-53E608BC69ED}" = Lenovo Fingerprint Software

"{46A84694-59EC-48F0-964C-7E76E9F8A2ED}" = ThinkVantage Active Protection System

"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM

"{6D6664A9-3342-4948-9B7E-034EFE366F0F}" = HTC Driver Installer

"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder

"{6F801026-6AF0-4520-9153-4C9B4CAAB361}" = HP LaserJet P2050 Series 6.0

"{70E2B27F-0B7F-41B2-8145-E7377BC9F75A}" = DisplayLink Graphics

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{78E83B4F-7230-4F0B-B1AD-8DDF05473D6F}" = Intel® PROSet/Wireless WiFi Software

"{82EB6CEA-749A-410F-8AD2-372A286BA3BE}" = Integrated Camera Driver Installer Package Ver.1.32.500.0

"{861C4DFA-E691-4BA6-BE6B-D5BA211990B6}" = DisplayLink Core Software

"{8675339C-128C-44DD-83BF-0A5D6ABD8297}" = System Update

"{87B8375F-AAC4-417D-BB00-2EE6FBF898E7}" = ESET NOD32 Antivirus

"{89B6F63A-7E0C-424A-9D39-C4EF59E96D78}" = hppQFolderP2050

"{8B784DB3-2DBF-4660-863C-CAD974C047C7}" = hppusgP2050

"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003

"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system

"{995F2783-8311-49BF-833E-DB659774B4F6}" = hppFonts

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ThinkPad UltraNav Driver

"{9fe85a45-5110-487a-a3da-c4b7b78d5514}" = Lenovo USB Port Replicator with Digital Video

"{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}" = ThinkPad Power Manager

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{AC76BA86-7AD7-1033-7B44-A95000000001}" = Adobe Reader 9.5.1

"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update

"{C5DA59CF-2BB8-48D5-8E5B-17F2E0F0FEE4}" = System Requirements Lab for Intel

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CCA1EEA3-555E-4D05-AC46-4B49C6C5D887}" = Apple Mobile Device Support

"{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D2E0F0CC-6BE0-490b-B08B-9267083E34C9}" = MarketResearch

"{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}" = Apple Application Support

"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime

"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel® Graphics Media Accelerator Driver

"0481B164C8D1D26C560D6A5E717C5920D4362D60" = Windows Driver Package - AuthenTec Inc. (ATSwpWDF) Biometric (01/14/2010 8.6.0.13)

"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin

"AIM_7" = AIM 7

"Android SDK Install v.30" = Android SDK Install v.30

"Cisco Connect" = Cisco Connect

"CNXT_AUDIO_HDA" = Conexant 20561 SmartAudio HD

"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2009-09-09

"CutePDF Writer Installation" = CutePDF Writer 2.8

"DAEMON Tools Lite" = DAEMON Tools Lite

"HPExtendedCapabilities" = HP Customer Participation Program 10.0

"InstallShield_{3D08333C-C366-425D-8C2D-D05630D68A46}" = SlingPlayer

"ITPM" = Intel® Trusted Platform Module

"Lenovo USB Port Replicator" = Lenovo USB Port Replicator

"LENOVO.SMIIF" = Lenovo System Interface Driver

"LenovoAutoScrollUtility" = Lenovo Auto Scroll Utility

"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

"Mozilla Firefox 14.0.1 (x86 en-US)" = Mozilla Firefox 14.0.1 (x86 en-US)

"MozillaMaintenanceService" = Mozilla Maintenance Service

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"OnScreenDisplay" = On Screen Display

"Power Management Driver" = ThinkPad Power Management Driver

"ProInst" = Intel PROSet Wireless

"PROSet" = Intel® Network Connections Drivers

"ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier

"Veetle TV" = Veetle TV 0.9.18

"VLC media player" = VLC media player 1.1.11

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"WinRAR archiver" = WinRAR archiver

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 20 Event Log Errors ==========

[ Application Events ]

Error - 3/25/2012 5:43:00 PM | Computer Name = SUH-FF2C23D2798 | Source = Windows Search Service | ID = 3013

Description = The entry <C:\DOCUMENTS AND SETTINGS\D\DESKTOP\BECKER\AUD\A5PASSMASTER.DB>

in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:

A

device attached to the system is not functioning. (0x8007001f)

Error - 3/25/2012 5:43:00 PM | Computer Name = SUH-FF2C23D2798 | Source = Windows Search Service | ID = 3013

Description = The entry <C:\DOCUMENTS AND SETTINGS\D\DESKTOP\BECKER\AUD\A6LECTURE.DB>

in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:

A

device attached to the system is not functioning. (0x8007001f)

Error - 3/25/2012 5:43:00 PM | Computer Name = SUH-FF2C23D2798 | Source = Windows Search Service | ID = 3013

Description = The entry <C:\DOCUMENTS AND SETTINGS\D\DESKTOP\BECKER\AUD\A6PASSMASTER.DB>

in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:

A

device attached to the system is not functioning. (0x8007001f)

Error - 3/25/2012 5:43:00 PM | Computer Name = SUH-FF2C23D2798 | Source = Windows Search Service | ID = 3013

Description = The entry <C:\DOCUMENTS AND SETTINGS\D\DESKTOP\BECKER\AUD\A6PASSMASTER.DB>

in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:

A

device attached to the system is not functioning. (0x8007001f)

Error - 3/25/2012 5:43:00 PM | Computer Name = SUH-FF2C23D2798 | Source = Windows Search Service | ID = 3013

Description = The entry <C:\DOCUMENTS AND SETTINGS\D\DESKTOP\BECKER\AUD> in the

hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device

attached to the system is not functioning. (0x8007001f)

Error - 3/25/2012 5:43:00 PM | Computer Name = SUH-FF2C23D2798 | Source = Windows Search Service | ID = 3013

Description = The entry <C:\DOCUMENTS AND SETTINGS\D\DESKTOP\BECKER\AUD> in the

hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device

attached to the system is not functioning. (0x8007001f)

Error - 4/9/2012 8:30:31 PM | Computer Name = SUH-FF2C23D2798 | Source = Windows Search Service | ID = 3013

Description = The entry <C:\DOCUMENTS AND SETTINGS\D\MY DOCUMENTS\TURBOTAX\2011

SUH D FORM 1040 INDIVIDUAL TAX RETURN.TAX2011> in the hash map cannot be updated.

Context:

Application, SystemIndex Catalog Details: A device attached to the system is not

functioning. (0x8007001f)

Error - 4/10/2012 1:48:38 AM | Computer Name = SUH-FF2C23D2798 | Source = Application Error | ID = 1000

Description = Faulting application pockettanks.exe, version 1.3.0.4, faulting module

bass.dll, version 2.3.0.3, fault address 0x0001acb1.

Error - 4/10/2012 10:48:33 AM | Computer Name = SUH-FF2C23D2798 | Source = MsiInstaller | ID = 10005

Description = Product: Lenovo USB Port Replicator with Digital Video -- Last installation

need to reboot OS.

Error - 4/11/2012 3:07:30 PM | Computer Name = SUH-FF2C23D2798 | Source = Application Error | ID = 1000

Description = Faulting application , version 0.0.0.0, faulting module FpWinLogonNp.dll,

version 3.3.2.27, fault address 0x000038c0.

[ System Events ]

Error - 7/22/2012 9:07:39 PM | Computer Name = BCS-FF2C23D2798 | Source = Service Control Manager | ID = 7001

Description = The TCP/IP NetBIOS Helper service depends on the AFD service which

failed to start because of the following error: %%31

Error - 7/22/2012 9:07:39 PM | Computer Name = BCS-FF2C23D2798 | Source = Service Control Manager | ID = 7001

Description = The Apple Mobile Device service depends on the TCP/IP Protocol Driver

service which failed to start because of the following error: %%31

Error - 7/22/2012 9:07:39 PM | Computer Name = BCS-FF2C23D2798 | Source = Service Control Manager | ID = 7001

Description = The IPSEC Services service depends on the IPSEC driver service which

failed to start because of the following error: %%31

Error - 7/22/2012 9:07:39 PM | Computer Name = BCS-FF2C23D2798 | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

AFD dqbridge ehdrv epfwtdir Fips intelppm IPSec lenovo.smi MRxSmb NetBIOS NetBT RasAcd Rdbss

Tcpip

TPHKDRV

TPPWRIF

WS2IFSL

Error - 7/22/2012 9:19:22 PM | Computer Name = BCS-FF2C23D2798 | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service EventSystem

with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 7/22/2012 9:24:28 PM | Computer Name = BCS-FF2C23D2798 | Source = Service Control Manager | ID = 7024

Description = The Windows Search service terminated with service-specific error

2147749155 (0x80040D23).

Error - 7/22/2012 9:24:30 PM | Computer Name = BCS-FF2C23D2798 | Source = DCOM | ID = 10005

Description = DCOM got error "%1053" attempting to start the service WSearch with

arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error - 7/22/2012 9:24:30 PM | Computer Name = BCS-FF2C23D2798 | Source = Service Control Manager | ID = 7009

Description = Timeout (30000 milliseconds) waiting for the Windows Search service

to connect.

Error - 7/22/2012 9:24:30 PM | Computer Name = BCS-FF2C23D2798 | Source = Service Control Manager | ID = 7000

Description = The Windows Search service failed to start due to the following error:

%%1053

Error - 7/23/2012 6:12:00 PM | Computer Name = BCS-FF2C23D2798 | Source = Service Control Manager | ID = 7034

Description = The Java Quick Starter service terminated unexpectedly. It has done

this 1 time(s).

< End of report >


Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    :OTL
    FF - prefs.js..extensions.enabledItems: vshare@toolbar:1.0.0
    [2010/10/03 14:05:11 | 000,000,000 | ---D | M] (vShare Plugin) -- C:\Documents and Settings\d\Application Data\Mozilla\Firefox\Profiles\i2udtmcg.default\extensions\vshare@toolbar
    [2012/07/15 04:02:24 | 000,000,804 | ---- | C] () -- C:\WINDOWS\Installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\L\00000004.@
    [2008/04/14 06:41:26 | 000,002,048 | ---- | C] () -- C:\WINDOWS\Installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\@
    [2008/04/14 06:41:26 | 000,002,048 | ---- | C] () -- C:\Documents and Settings\d\Local Settings\Application Data\{766ae966-0c13-0485-0d28-523fb79d5fb4}\@

    :files
    C:\WINDOWS\Installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}
    C:\Documents and Settings\d\Local Settings\Application Data\{766ae966-0c13-0485-0d28-523fb79d5fb4}
    ipconfig /flushdns /c

    :Commands
    [emptytemp]
    [clearallrestorepoints]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Please post the OTL fix log in your next reply.

Note: A copy of an OTL fix log is saved in a text file at C:\_OTL\MovedFiles

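An added example in Python (not OTL's own code and not part of any post in this thread): it parses the OTL file-listing line format shown in the logs above, flags the entries that Maniac's fix targets (a file named `@` directly inside a GUID-named folder under WINDOWS\Installer or a profile's Local Settings\Application Data, or a `*.@` file in that folder's `L` subfolder), and renders them in the `:OTL` / `:files` layout of the fix. The flagging rule is derived only from the fix on this page, not from a published signature; the sample lines are copied from the log posted above.

```python
"""Parse OTL file-listing lines and flag the '@' entries the fix above removes."""
# Added example for this thread, not OTL's own code. The flagging rule is taken
# from Maniac's fix on this page, not from any published signature.
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One OTL "Files Created" / "Files Modified" line, for example:
#   [2012/07/15 04:02:24 | 000,000,804 | ---- | C] () -- C:\WINDOWS\Installer\{GUID}\L\00000004.@
# Directory entries carry no "(company)" field, so that part is optional.
OTL_FILE_RE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)

GUID = r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"

# What the fix removes: a file literally named "@" directly inside a GUID-named
# folder, or a "*.@" file in that folder's "L" subfolder, when the folder sits
# under WINDOWS\Installer or under a profile's Local Settings\Application Data.
AT_FILE_RE = re.compile(
    r"^(?P<folder>[a-z]:\\(?:windows\\installer|.*\\local settings\\application data)\\"
    + GUID
    + r")\\(?:@|l\\[^\\]+\.@)$",
    re.IGNORECASE,
)


@dataclass
class OtlEntry:
    raw: str
    date: str
    size: int
    attrs: str              # e.g. "---D" for a directory, "-HS-" hidden+system
    kind: str               # "C" = created, "M" = modified
    company: Optional[str]  # None when OTL printed "()" or "( )"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.endswith("D")


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Return an OtlEntry for a file-listing line, or None for any other line."""
    m = OTL_FILE_RE.match(line.strip())
    if not m:
        return None
    return OtlEntry(
        raw=line.strip(),
        date=m.group("date"),
        size=int(m.group("size").replace(",", "")),
        attrs=m.group("attrs"),
        kind=m.group("kind"),
        company=(m.group("company") or "").strip() or None,
        path=m.group("path"),
    )


def find_at_files(lines: Iterable[str]) -> List[OtlEntry]:
    """Entries whose path matches the '@' rule, in log order."""
    hits = []
    for line in lines:
        entry = parse_otl_line(line)
        if entry and not entry.is_dir and AT_FILE_RE.match(entry.path):
            hits.append(entry)
    return hits


def folders_to_remove(entries: Iterable[OtlEntry]) -> List[str]:
    """Collapse flagged files (from find_at_files) to their GUID folders, as :files does."""
    folders = {AT_FILE_RE.match(e.path).group("folder") for e in entries}
    return sorted(folders)


def build_otl_fix(lines: Iterable[str]) -> str:
    """Render :OTL / :files / :Commands sections in the layout of the fix above."""
    hits = find_at_files(list(lines))
    out = [":OTL"] + [e.raw for e in hits]
    out += ["", ":files"] + folders_to_remove(hits)
    out += ["", ":Commands", "[emptytemp]"]
    return "\n".join(out)


# Sample input copied from the OTL log posted above: benign lines of each shape
# plus the three entries the fix targets.
SAMPLE_LOG = r"""
[2012/07/24 15:40:22 | 001,552,384 | ---- | C] () -- C:\Documents and Settings\d\Desktop\RogueKiller.exe
[2012/07/15 04:02:24 | 000,000,804 | ---- | C] () -- C:\WINDOWS\Installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\L\00000004.@
[2010/09/20 10:09:19 | 000,004,096 | ---- | C] ( ) -- C:\WINDOWS\System32\IGFXDEVLib.dll
[2010/09/20 09:48:03 | 000,217,600 | ---- | C] () -- C:\Documents and Settings\d\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/04/14 06:41:26 | 000,002,048 | ---- | C] () -- C:\WINDOWS\Installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\@
[2008/04/14 06:41:26 | 000,002,048 | ---- | C] () -- C:\Documents and Settings\d\Local Settings\Application Data\{766ae966-0c13-0485-0d28-523fb79d5fb4}\@
[2012/07/24 15:42:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\d\Desktop\RK_Quarantine
""".strip().splitlines()
```

Running `build_otl_fix(SAMPLE_LOG)` yields the three `@` lines under `:OTL` and the two GUID folders under `:files`, matching what the fix above lists.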

Maniac, I am posting this from another computer because the computer I was working on has frozen. I copied/pasted your exact instructions about 20 minutes ago, and when I clicked "Run Fix" it said "Killing processes. DO NOT INTERRUPT".

I realized the computer was frozen when I saw the time in the lower right corner of the taskbar had not changed even though 20-25 minutes have now passed since I clicked the "Run Fix" button.

Should I continue to let it run? Should I force shutdown and try again? Other options?


Tried to boot into Safe Mode. Selected the normal "Safe Mode" option (not "with Networking" or "with Command Prompt"). Then I had 3 options: 1) Microsoft Recovery Console 2) Debugger (which said "do not select this") and 3) Microsoft Windows XP.

Selected XP like I normally do when I boot into Safe Mode. However, this time, while the drivers/files were loading, the computer received the BSOD and restarted. I tried it again and it BSODed again.


Update: After the 2nd failed Safe Mode attempt, I decided to try to run the OTL custom fix provided. I think it was successful and came up with this log file once I rebooted.

All processes killed

========== OTL ==========

Prefs.js: vshare@toolbar:1.0.0 removed from extensions.enabledItems

C:\Documents and Settings\d\Application Data\Mozilla\Firefox\Profiles\i2udtmcg.default\extensions\vshare@toolbar\META-INF folder moved successfully.

C:\Documents and Settings\d\Application Data\Mozilla\Firefox\Profiles\i2udtmcg.default\extensions\vshare@toolbar\chrome folder moved successfully.

C:\Documents and Settings\d\Application Data\Mozilla\Firefox\Profiles\i2udtmcg.default\extensions\vshare@toolbar folder moved successfully.

C:\WINDOWS\Installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\L\00000004.@ moved successfully.

C:\WINDOWS\Installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\@ moved successfully.

C:\Documents and Settings\d\Local Settings\Application Data\{766ae966-0c13-0485-0d28-523fb79d5fb4}\@ moved successfully.

========== FILES ==========

C:\WINDOWS\Installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\U folder moved successfully.

C:\WINDOWS\Installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\L folder moved successfully.

C:\WINDOWS\Installer\{766ae966-0c13-0485-0d28-523fb79d5fb4} folder moved successfully.

C:\Documents and Settings\d\Local Settings\Application Data\{766ae966-0c13-0485-0d28-523fb79d5fb4}\U folder moved successfully.

C:\Documents and Settings\d\Local Settings\Application Data\{766ae966-0c13-0485-0d28-523fb79d5fb4}\L folder moved successfully.

C:\Documents and Settings\d\Local Settings\Application Data\{766ae966-0c13-0485-0d28-523fb79d5fb4} folder moved successfully.

< ipconfig /flushdns /c >

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Documents and Settings\d\Desktop\cmd.bat deleted successfully.

C:\Documents and Settings\d\Desktop\cmd.txt deleted successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: d

->Temp folder emptied: 62119375 bytes

->Temporary Internet Files folder emptied: 68427733 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 85329669 bytes

->Flash cache emptied: 266024 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 7716998 bytes

->Flash cache emptied: 11031 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Flash cache emptied: 17834 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 4577656 bytes

%systemroot%\System32 .tmp files removed: 2577 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 4579 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 33978788 bytes

Total Files Cleaned = 250.00 mb

Restore point Set: OTL Restore Point

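A small parser for OTL fix-log lines like the ones in the post above, added here as an illustration (it is not part of the thread and not OTL's own code): it pulls out the moved/deleted paths, the GUID-named folders the fix touched, and the bytes freed per account, which is what an analyst usually wants from such a log. The log text inside the block is a constructed, shortened copy of the posted log using the same line formats.

```python
import re

# Constructed excerpt of the OTL fix log in the post above (same line formats, shortened).
OTL_LOG = r"""All processes killed
========== OTL ==========
Prefs.js: vshare@toolbar:1.0.0 removed from extensions.enabledItems
C:\WINDOWS\Installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\L\00000004.@ moved successfully.
C:\WINDOWS\Installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\@ moved successfully.
========== FILES ==========
C:\WINDOWS\Installer\{766ae966-0c13-0485-0d28-523fb79d5fb4} folder moved successfully.
C:\Documents and Settings\d\Desktop\cmd.bat deleted successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: d
->Temp folder emptied: 62119375 bytes
->FireFox cache emptied: 85329669 bytes
User: LocalService
->Temporary Internet Files folder emptied: 7716998 bytes
%systemroot% .tmp files removed: 4577656 bytes
RecycleBin emptied: 33978788 bytes
Restore point Set: OTL Restore Point
"""

ACTION_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) (?P<kind>folder moved|moved|deleted) successfully\.$")
BYTES_RE = re.compile(r"^(?P<peruser>->)?.+?(?: emptied| removed): (?P<n>\d+) bytes$")
USER_RE = re.compile(r"^User: (?P<user>.+)$")
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


def parse_otl_log(text):
    """Return (actions, freed): actions = [(path, kind)], freed = {scope: bytes}."""
    actions, freed, user = [], {}, "(none)"
    for line in (ln.strip() for ln in text.splitlines()):
        if m := USER_RE.match(line):
            user = m.group("user")
        elif m := ACTION_RE.match(line):
            actions.append((m.group("path"), m.group("kind")))
        elif m := BYTES_RE.match(line):
            # '->' lines belong to the current "User:" block; bare lines are system-wide.
            scope = user if m.group("peruser") else "(system)"
            freed[scope] = freed.get(scope, 0) + int(m.group("n"))
    return actions, freed


def suspicious_guid_dirs(actions):
    """Distinct GUID-named directories among the moved/deleted paths (the {...} folders above)."""
    return sorted({g for path, _ in actions for g in GUID_RE.findall(path)})


def total_mb(freed):
    """Sum of all freed bytes, in MiB, for comparison with OTL's 'Total Files Cleaned' line."""
    return round(sum(freed.values()) / (1024 * 1024), 2)
```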

When I went to the "_OTL/MovedFiles" log I found some additional lines at the end after "Restore Point Set":

OTL by OldTimer - Version 3.2.54.1 log created on 07242012_190646

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


One last note: I ran Kaspersky Virus Removal Tool to see if that would catch anything and the only time it "detected" anything were those objects already quarantined by TDSSKiller that were in a "TDSSKiller_Quarantine" folder. Is it safe for me to delete those files in the "TDSSKiller_Quarantine" folder?


Ran one final scan with ESET and it came up with the following:

C:\Documents and Settings\d\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\2\29636cc2-72519e87 » ZIP » a/ppbwjge.class - a variant of Java/Exploit.Agent.NCW trojan

C:\Documents and Settings\d\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\2\29636cc2-72519e87 » ZIP » a/cukg.class - a variant of Java/Exploit.Agent.NCW trojan

C:\Documents and Settings\d\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\2\29636cc2-72519e87 » ZIP » a/bqwyewbkt.class - a variant of Java/Exploit.Agent.NCW trojan

C:\Documents and Settings\d\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\2\29636cc2-72519e87 » ZIP » vjlkintv - a variant of Win32/Kryptik.AIVI trojan

I'd appreciate any advice. Thanks.


Ran one final scan with ESET and it came up with the following:

C:\Documents and Settings\d\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\2\29636cc2-72519e87 » ZIP » a/ppbwjge.class - a variant of Java/Exploit.Agent.NCW trojan

C:\Documents and Settings\d\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\2\29636cc2-72519e87 » ZIP » a/cukg.class - a variant of Java/Exploit.Agent.NCW trojan

C:\Documents and Settings\d\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\2\29636cc2-72519e87 » ZIP » a/bqwyewbkt.class - a variant of Java/Exploit.Agent.NCW trojan

C:\Documents and Settings\d\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\2\29636cc2-72519e87 » ZIP » vjlkintv - a variant of Win32/Kryptik.AIVI trojan

I'd appreciate any advice. Thanks.

Remove them.

One last note: I ran Kaspersky Virus Removal Tool to see if that would catch anything and the only time it "detected" anything were those objects already quarantined by TDSSKiller that were in a "TDSSKiller_Quarantine" folder. Is it safe for me to delete those files in the "TDSSKiller_Quarantine" folder?

Run OTL and click on CleanUp button.


This topic is now closed to further replies.