
I can't get rid of Rootkit.TDSS. Please help.


eye4fx


Malwarebytes has found the trojan Rootkit.TDSS in C:\Windows\System32\tdlcmd.dll. I select the 'Remove Selected' button, it reboots and when I scan the system again, it's there like before.

Things I've tried: Booting into SafeMode and running Malwarebytes. No luck.

Disabling and eventually removing 'SpyBot Search and Destroy' from my PC. No luck.

I am posting my Malwarebytes LOG and HijackThis LOG below.

Please help. Thank you.

<--------- START of HijackThis LOG ----------------------------->

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:21:35 PM, on 11/25/2009

Platform: Windows Vista SP2 (WinNT 6.00.1906)

MSIE: Internet Explorer v8.00 (8.00.6001.18828)

Boot mode: Normal

Running processes:

C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe

C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\DU Meter\DUMeter.exe

C:\Windows\WindowsMobile\wmdc.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Windows\sttray.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Windows\ehome\ehmsas.exe

C:\Users\dchin\AppData\Local\Google\Update\GoogleUpdate.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\UltraMon\UltraMon.exe

C:\Windows\system32\wuauclt.exe

C:\Program Files\UltraMon\UltraMonTaskbar.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\IPSBHO.DLL

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: (no name) - {9b8c7915-ac4a-4a97-8b16-d07d3803a826} - zofowoda.dll (file missing)

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (file missing)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)

O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe

O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup

O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe

O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin

O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~2\Server\bin\VERSIO~2.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKCU\..\Run: [Google Update] "C:\Users\dchin\AppData\Local\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-18\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'Default user')

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: UltraMon.lnk = ?

O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll

O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O13 - Gopher Prefix:

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O21 - SSODL: zovahigut - {36066187-7448-4e42-b2da-e7fc422f9c5c} - c:\windows\system32\modubelo.dll (file missing)

O22 - SharedTaskScheduler: jugezatag - {36066187-7448-4e42-b2da-e7fc422f9c5c} - c:\windows\system32\modubelo.dll (file missing)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe

O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe

O23 - Service: Intel® Viiv Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe

O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe

O23 - Service: Norton AntiVirus (NAV) - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--

End of file - 12098 bytes

<------- Start of Malwarebytes LOG ---------------------->

Malwarebytes' Anti-Malware 1.41

Database version: 3235

Windows 6.0.6002 Service Pack 2

11/25/2009 7:34:28 PM

mbam-log-2009-11-25 (19-34-10).txt

Scan type: Quick Scan

Objects scanned: 109294

Time elapsed: 5 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\System32\tdlcmd.dll (Rootkit.TDSS) -> No action taken.


Hello eye4fx and welcome.

You will want to print out or copy these instructions to Notepad for offline reference!


If you are a casual viewer, do NOT try this on your system!

If you are not eye4fx and have a similar problem, do NOT post here; start your own topic.

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.


Close any of your open programs while you run these tools.

Given that this is a Vista system, on most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along.

Please start with the following:

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Show all files:

  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.

Step 3

Take out the trash (temporary files & temporary internet files)

Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to clean out temporary files & temp areas used by internet browsers.

Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

ATF-Cleaner should be run per the above in every user-login account {User Profile}.

Step 4

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from

>>> here <<<

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

Step 5

Start HijackThis. Look for these lines and place a checkmark against each of the following, if still present:

O2 - BHO: (no name) - {9b8c7915-ac4a-4a97-8b16-d07d3803a826} - zofowoda.dll (file missing)

O4 - HKUS\S-1-5-18\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'Default user')

O21 - SSODL: zovahigut - {36066187-7448-4e42-b2da-e7fc422f9c5c} - c:\windows\system32\modubelo.dll (file missing)

O22 - SharedTaskScheduler: jugezatag - {36066187-7448-4e42-b2da-e7fc422f9c5c} - c:\windows\system32\modubelo.dll (file missing)

Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer (& or any other window) is closed when you click Fix Checked!

Step 6

Next, Download and SAVE this file -- to your Desktop -- (Do NOT run the file straight away from download) from any one of these sources:

Link 1

Link 2

Link 3

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines:

KILLALL::

Driver::
ter8m

File::
C:\Windows\TEMP\msxm192z.dll
C:\Windows\System32\zofowoda.dll
c:\windows\system32\modubelo.dll

Folder::
C:\recycler
D:\recycler
e:\recycler
f:\recycler
g:\recycler
h:\recycler

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Do not run ComboFix more than once!

Step 7

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 8

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.

Reply with a copy of C:\Combofix.txt

MBAM scan log

Checkup.txt

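As an added example (not code from the post, from HijackThis or from Malwarebytes), here is the selection logic behind the helper's Step 5 picks written as a small Python triage filter over HijackThis-style "Oxx" lines. The sample log is a constructed subset of the first log in this thread; the rule set and the severity labels are my own assumptions about how a helper reads such a log.

```python
"""Triage filter for HijackThis-style log entries.

Added example, not from the forum post or from HijackThis itself. It reads
the "Oxx - ..." lines of a HijackThis scan and ranks the ones a helper would
look at first. The rules (an assumption, modelled on the helper's picks):
  * high:   an O4 autorun that loads code from a TEMP directory, or a
            RUNDLL32 autorun in the SYSTEM/Default hive; an O21 SSODL or
            O22 SharedTaskScheduler hook pointing at a file that no longer exists
  * medium: an O2 BHO with no name or a bare DLL filename whose file is missing
  * low:    other "(file missing)"/"(no file)" leftovers, usually uninstall residue
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ENTRY_RE = re.compile(r"^(?P<sec>O\d+)\s+-\s+(?P<body>.*)$")
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
RUNDLL_RE = re.compile(r"\brundll32(?:\.exe)?\b", re.IGNORECASE)
SYSTEM_HIVE_RE = re.compile(r"HKUS\\(?:S-1-5-18|\.DEFAULT)\\", re.IGNORECASE)
# O2 body: "BHO: <name> - {CLSID} - <path> (file missing)"
BHO_RE = re.compile(r"^BHO:\s*(?P<name>.*?)\s+-\s+\{[0-9A-Fa-f-]+\}\s+-\s+(?P<path>.*)$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    section: str    # HijackThis section tag, e.g. "O4"
    reason: str
    line: str


def _orphan(body: str) -> bool:
    """True when HijackThis could not find the file the entry points at."""
    return "(file missing)" in body or "(no file)" in body


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if the line is not of interest."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # running-process paths, headers, R0/R1 lines, blanks
    sec, body = m.group("sec"), m.group("body")

    if sec == "O4":
        if TEMP_DIR_RE.search(body):
            return Finding("high", sec, "autorun loads code from a TEMP directory", line)
        if SYSTEM_HIVE_RE.search(body) and RUNDLL_RE.search(body):
            return Finding("high", sec, "RUNDLL32 autorun in the SYSTEM/Default user hive", line)
        return None

    if sec in ("O21", "O22") and _orphan(body):
        return Finding("high", sec, "SSODL/SharedTaskScheduler hook to a missing file", line)

    if sec == "O2":
        bm = BHO_RE.match(body)
        if bm and _orphan(body):
            name = bm.group("name")
            path = bm.group("path").replace("(file missing)", "").strip()
            # a bare filename such as "zofowoda.dll" carries no directory at all
            bare = bool(path) and path != "(no file)" and "\\" not in path
            if name == "(no name)" or bare:
                return Finding("medium", sec, "unnamed/bare-path BHO whose file is missing", line)
            return Finding("low", sec, "BHO file missing (likely uninstall residue)", line)

    if sec == "O3" and _orphan(body):
        return Finding("low", sec, "toolbar file missing (likely uninstall residue)", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Classify every line and return the findings ordered high -> medium -> low."""
    rank = {"high": 0, "medium": 1, "low": 2}
    found = [f for f in (classify(l) for l in log_text.splitlines()) if f]
    return sorted(found, key=lambda f: rank[f.severity])  # sorted() is stable


# Constructed sample: a subset of the entries from the first log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: (no name) - {9b8c7915-ac4a-4a97-8b16-d07d3803a826} - zofowoda.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (file missing)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-18\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'Default user')
O21 - SSODL: zovahigut - {36066187-7448-4e42-b2da-e7fc422f9c5c} - c:\windows\system32\modubelo.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {36066187-7448-4e42-b2da-e7fc422f9c5c} - c:\windows\system32\modubelo.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.reason}: {f.line}")
```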

I encountered an issue. <_<

I completed these steps...

1. Downloaded and Installed ERUNT.

2. Set folders and files to show.

3. Downloaded, installed and ran ATF.

4. Downloaded, installed and ran FixPolicies

5. Ran HijackThis and removed the instructed files.

6. Downloaded Combofix. Copied CODE and dragged file to exe.

PROBLEM - It completed a few stages and then Windows just SUDDENLY SHUTDOWN COLD TURKEY w/o warning.

Note: I uninstalled Combofix using the ComboFix /Uninstall command. THEN, I did the whole thing over from Step 1 and it happened again....SHUTDOWN at Stage 5.

Please help. Thanks.


......

Note: I uninstalled Combofix using the ComboFix /Uninstall command. THEN, I did the whole thing over from Step 1 and it happened again....SHUTDOWN at Stage 5.

Please help. Thanks.

Never ever run ComboFix more than once without guidance. Never uninstall ComboFix without guidance!

If you ever have an issue, check here first and ask, and wait for guidance & reply.

Reboot the system. As soon as the system starts up (before the Windows GUI even starts), tap and re-tap the F8 function key.

Once you have Advanced Bootup Options menu, select either Safe Mode with Networking or Safe Mode.

If you manage to get into either, do not do anything unless I give guidance.

I only need for you to start HijackThis. Do a Scan and Save.

Then post back a copy of that log.


Btw, I am able to start Windows normally, so F8ing to Safe Mode was not necessary.

However, if you require me to boot into SafeMode for the next step, let me know.

Anyway, I started HijackThis in Normal Windows mode and captured the log below.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:18:33 PM, on 12/2/2009

Platform: Windows Vista SP2 (WinNT 6.00.1906)

MSIE: Internet Explorer v8.00 (8.00.6001.18828)

Boot mode: Normal

Running processes:

C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe

C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\DU Meter\DUMeter.exe

C:\Windows\WindowsMobile\wmdc.exe

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Windows\sttray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\ehome\ehtray.exe

C:\Users\dchin\AppData\Local\Google\Update\GoogleUpdate.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe

C:\Program Files\UltraMon\UltraMon.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\UltraMon\UltraMonTaskbar.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\IPSBHO.DLL

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (file missing)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe

O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup

O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe

O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin

O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~2\Server\bin\VERSIO~2.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKCU\..\Run: [Google Update] "C:\Users\dchin\AppData\Local\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: UltraMon.lnk = ?

O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll

O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O13 - Gopher Prefix:

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe

O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe

O23 - Service: Intel® Viiv Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe

O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe

O23 - Service: Norton AntiVirus (NAV) - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--

End of file - 11645 bytes


You will want to print out or copy these instructions to Notepad for offline reference!


If you are a casual viewer, do NOT try this on your system!

If you are not eye4fx and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.


Close any of your open programs while you run these tools.

Temporarily disable the Norton Antivirus while you do these next tasks. (Re-enable after all this is finished.)

Do NOT disable your firewall.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Step 1

Download OTL by OldTimer and SAVE to your desktop: http://oldtimer.geekstogo.com/OTL.exe

  • As this is on VISTA, RIGHT-click OTL.exe and choose Run As Administrator to run it.
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :files
    C:\Windows\System32\tdlcmd.dll
    C:\Windows\TEMP\msxm192z.dll
    C:\Windows\System32\zofowoda.dll
    c:\windows\system32\modubelo.dll
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler

    :Commands
    [purity]
    [emptytemp]
    [reboot]


  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Step 2

Next, Download RootRepeal from one of these links:

>> Link 1<<

or >>Link 2<<

or >>Link 3<<

  • SAVE the zip download to your Desktop.
  • Extract the archive to a folder you create such as C:\RootRepeal
  • Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator").
  • Click the "File" tab (located at the bottom of the RootRepeal screen)
  • Click the "Scan" button
  • In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
  • Click OK and the file scan will begin
  • When the scan is done, there will be files listed, but most if not all of them will be legitimate
  • Click the "Save Report" Button
  • Save the log file to your Documents folder
  • Post the content of the RootRepeal file scan log in your next reply.

Step 3

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 4

Reply with copy of the OTL MovedFiles log

Rootrepeal log,

and the latest MBAM scan log


So, things got worse.

I started following your latest steps and here's what happened.

1. I closed all programs.

2. Temporarily turned OFF my Norton Antivirus. Left firewall ON.

3. Ran OTL.exe as Admin.

4. Cut and paste the CODE into the "Custom Scans/Fixes" text box. Clicked Run Fix.

5. It did its thing and said it needed to REBOOT the system. I chose Yes.

6. Windows restarted, however, I was now prompted with "Launch Startup Repair" or Restart Windows Normally.

7. I ran the repair and when it finished it could not find/repair anything. So, it tried to boot again and I was back to #6 above.

8. No matter whether I chose Restart Normally, it would still not boot into Windows, returning me to the Launch Startup Repair screen.

9. So, in the end, I was able to choose a System Restore point (from 3 days ago) from an advanced menu and FINALLY boot into Windows normally. Yay!

But now, we are back to where we started.

I will await your instructions. By the way, thanks for your help Maurice, I appreciate your time.

Damon


Damon,

Set Vista system to show all files:

  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.

Next,

Download this file & extract TDSSKiller.exe onto your Desktop

Then create this batch file to be placed next to TDSSKiller:

----

Start NOTEPAD and copy/paste the text in the quotebox below into it:

@ECHO OFF
REM Run TDSSKiller and wait for it to finish: -l writes its log to Logit.txt, -v enables detailed logging
START /WAIT TDSSKILLER.exe -l Logit.txt -v
REM Open the finished log in the default text editor (Notepad)
START Logit.txt
REM Delete this batch file once it has done its job
del %0

Save this as fix.bat. Choose "Save type as - All Files".

It should look like this: [image: batchfileimage.jpg]

Double click on fix.bat & allow it to run.

Next

  • Close all open windows on the Task Bar. Click the icon (for Vista, right-click the icon and Run as Administrator) to start the program.
  • In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  • It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.
  • Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
  • Exit OTL by clicking the X at top right.

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.

Then copy/paste the following into your post (in order):

  • the contents of Logit.txt
  • OTL.txt
  • Extras.txt
  • checkup.txt

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.


Okay. I was able to get through these latest steps mostly without a hitch.

Note: I did have to, however, disable my Norton Antivirus in order to run the SecurityCheck app, because Norton kept auto-removing it, claiming it was too new of a file that few users in the Norton community have run.

Anyway, here are the logs you requested...

Logit.txt

Host Name: DCHIN

OS Name: Microsoft® Windows Vista™ Home Premium

OS Version: 6.0.6002 Service Pack 2 Build 6002

OS Manufacturer: Microsoft Corporation

OS Configuration: Standalone Workstation

OS Build Type: Multiprocessor Free

Registered Owner: dchin

Registered Organization:

Product ID: 89578-OEM-7332157-00204

Original Install Date: 3/2/2007, 12:02:56 AM

System Boot Time: 12/4/2009, 10:03:28 PM

System Manufacturer: Dell Inc.

System Model: Dell DXP061

System Type: X86-based PC

Processor(s): 1 Processor(s) Installed.

[01]: x64 Family 6 Model 15 Stepping 6 GenuineIntel ~2394 Mhz

BIOS Version: Dell Inc. 2.4.2 , 3/30/2007

Windows Directory: C:\Windows

System Directory: C:\Windows\system32

Boot Device: \Device\HarddiskVolume3

System Locale: en-us;English (United States)

Input Locale: en-us;English (United States)

Time Zone: (GMT-08:00) Pacific Time (US & Canada)

Total Physical Memory: 3,069 MB

Available Physical Memory: 1,902 MB

Page File: Max Size: 6,341 MB

Page File: Available: 5,247 MB

Page File: In Use: 1,094 MB

Page File Location(s): C:\pagefile.sys

Domain: HOME

Logon Server: \\DCHIN

Hotfix(s): 195 Hotfix(s) Installed.

[01]: {24493C06-1950-4061-A36D-96D6C22799C0} - Microsoft Works 8.0 installation.

[02]: KB937286

[03]: KB971513

[04]: KB971512

[05]: 944036

[06]: KB960362

[07]: KB971514

[08]: KB925902

[09]: KB927084

[10]: KB928135

[11]: KB928190

[12]: KB928253

[13]: KB929011

[14]: KB929399

[15]: KB929547

[16]: KB929577

[17]: KB929685

[18]: KB929735

[19]: KB929777

[20]: KB929913

[21]: KB930178

[22]: KB930857

[23]: KB931099

[24]: KB931573

[25]: KB931621

[26]: KB932471

[27]: KB932818

[28]: KB933579

[29]: KB933729

[30]: KB935652

[31]: KB936021

[32]: KB936357

[33]: KB936782

[34]: KB936825

[35]: KB937077

[36]: KB938127

[37]: KB939159

[38]: KB941202

[39]: KB941229

[40]: KB941568

[41]: KB941569

[42]: KB941644

[43]: KB943055

[44]: KB943078

[45]: KB945553

[46]: KB946026

[47]: KB946456

[48]: KB947172

[49]: KB905866

[50]: KB928089

[51]: KB929123

[52]: KB929427

[53]: KB929916

[54]: KB931213

[55]: KB931768

[56]: KB931836

[57]: KB932246

[58]: KB933360

[59]: KB933566

[60]: KB933928

[61]: KB935280

[62]: KB935807

[63]: KB936824

[64]: KB937143

[65]: KB937287

[66]: KB938123

[67]: KB938194

[68]: KB938371

[69]: KB938464

[70]: KB938979

[71]: KB939653

[72]: KB941649

[73]: KB941651

[74]: KB941693

[75]: KB942615

[76]: KB942624

[77]: KB942763

[78]: KB943302

[79]: KB943411

[80]: KB943899

[81]: KB944533

[82]: KB946041

[83]: KB947562

[84]: KB947864

[85]: KB948590

[86]: KB948609

[87]: KB948610

[88]: KB948881

[89]: KB950124

[90]: KB950125

[91]: KB950126

[92]: KB950582

[93]: KB950759

[94]: KB950760

[95]: KB950762

[96]: KB950974

[97]: KB951066

[98]: KB951072

[99]: KB951376

[100]: KB951618

[101]: KB951698

[102]: KB951978

[103]: KB952004

[104]: KB952069

[105]: KB952287

[106]: KB952709

[107]: KB953155

[108]: KB953733

[109]: KB953838

[110]: KB953839

[111]: KB954154

[112]: KB954155

[113]: KB954211

[114]: KB954366

[115]: KB954459

[116]: KB955020

[117]: KB955069

[118]: KB955302

[119]: KB955430

[120]: KB955519

[121]: KB955839

[122]: KB956390

[123]: KB956391

[124]: KB956572

[125]: KB956744

[126]: KB956802

[127]: KB956841

[128]: KB957095

[129]: KB957097

[130]: KB957200

[131]: KB957321

[132]: KB957388

[133]: KB958215

[134]: KB958481

[135]: KB958483

[136]: KB958623

[137]: KB958624

[138]: KB958644

[139]: KB958687

[140]: KB958690

[141]: KB959108

[142]: KB959130

[143]: KB959426

[144]: KB959772

[145]: KB960225

[146]: KB960544

[147]: KB960714

[148]: KB960715

[149]: KB960803

[150]: KB961260

[151]: KB961371

[152]: KB961501

[153]: KB963027

[154]: KB967632

[155]: KB967723

[156]: KB968389

[157]: KB968537

[158]: KB968816

[159]: KB969497

[160]: KB969897

[161]: KB969898

[162]: KB969947

[163]: KB970238

[164]: KB970653

[165]: KB970710

[166]: KB971180

[167]: KB971486

[168]: KB971557

[169]: KB971657

[170]: KB971930

[171]: KB971961

[172]: KB972036

[173]: KB972145

[174]: KB972260

[175]: KB972636

[176]: KB973346

[177]: KB973507

[178]: KB973525

[179]: KB973540

[180]: KB973565

[181]: KB973687

[182]: KB973768

[183]: KB973874

[184]: KB974306

[185]: KB974455

[186]: KB974470

[187]: KB974571

[188]: KB975364

[189]: KB975467

[190]: KB975517

[191]: KB976098

[192]: KB976470

[193]: KB976749

[194]: KB948465

[195]: 940157

Network Card(s): 1 NIC(s) Installed.

[01]: Intel® 82566DC Gigabit Network Connection

Connection Name: Local Area Connection

DHCP Enabled: Yes

DHCP Server: 192.168.1.1

IP address(es)

[01]: 192.168.1.102

22:25:6:524 5012 ForceUnloadDriver: NtUnloadDriver error 2

22:25:6:524 5012 ForceUnloadDriver: NtUnloadDriver error 2

22:25:6:524 5012 ForceUnloadDriver: NtUnloadDriver error 2

22:25:6:540 5012 main: Driver KLMD successfully dropped

22:25:39:191 5012 main: Driver KLMD successfully loaded

22:25:39:191 5012

Scanning Registry ...

22:25:39:191 5012 ScanServices: Searching service UACd.sys

22:25:39:191 5012 ScanServices: Open/Create key error 2

22:25:39:191 5012 ScanServices: Searching service TDSSserv.sys

22:25:39:191 5012 ScanServices: Open/Create key error 2

22:25:39:191 5012 ScanServices: Searching service gaopdxserv.sys

22:25:39:191 5012 ScanServices: Open/Create key error 2

22:25:39:191 5012 ScanServices: Searching service gxvxcserv.sys

22:25:39:191 5012 ScanServices: Open/Create key error 2

22:25:39:191 5012 ScanServices: Searching service MSIVXserv.sys

22:25:39:191 5012 ScanServices: Open/Create key error 2

22:25:39:191 5012 UnhookRegistry: Kernel module file name: C:\Windows\system32\ntkrnlpa.exe, base addr: 8241E000

22:25:39:191 5012 UnhookRegistry: Kernel local addr: 1A50000

22:25:39:191 5012 UnhookRegistry: KeServiceDescriptorTable addr: 1B87B00

22:25:39:191 5012 UnhookRegistry: KiServiceTable addr: 1AFC82C

22:25:39:191 5012 UnhookRegistry: NtEnumerateKey service number (local): 85

22:25:39:191 5012 UnhookRegistry: NtEnumerateKey local addr: 1C4D0BA

22:25:39:191 5012 KLMD_OpenDevice: Trying to open KLMD device

22:25:39:191 5012 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey

22:25:39:191 5012 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey

22:25:39:191 5012 KLMD_ReadMem: Trying to ReadMemory 0x82466D19[0x4]

22:25:39:191 5012 UnhookRegistry: NtEnumerateKey service number (kernel): 85

22:25:39:191 5012 KLMD_ReadMem: Trying to ReadMemory 0x824CAA40[0x4]

22:25:39:191 5012 UnhookRegistry: NtEnumerateKey real addr: 8261B0BA

22:25:39:191 5012 UnhookRegistry: NtEnumerateKey calc addr: 8261B0BA

22:25:39:191 5012 UnhookRegistry: No SDT hooks found on NtEnumerateKey

22:25:39:191 5012 KLMD_ReadMem: Trying to ReadMemory 0x8261B0BA[0xA]

22:25:39:191 5012 UnhookRegistry: No splicing found on NtEnumerateKey

22:25:39:206 5012

Scanning Kernel memory ...

22:25:39:206 5012 KLMD_OpenDevice: Trying to open KLMD device

22:25:39:206 5012 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk

22:25:39:206 5012 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk

22:25:39:206 5012 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 867DC828

22:25:39:206 5012 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects

22:25:39:206 5012 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 85C667E0

22:25:39:206 5012 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85C667E0

22:25:39:206 5012 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 85C62418

22:25:39:206 5012 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85C62418

22:25:39:206 5012 KLMD_ReadMem: Trying to ReadMemory 0x85C62418[0x38]

22:25:39:206 5012 DetectCureTDL3: DRIVER_OBJECT addr: 880D62C0

22:25:39:206 5012 KLMD_ReadMem: Trying to ReadMemory 0x880D62C0[0xA8]

22:25:39:206 5012 KLMD_ReadMem: Trying to ReadMemory 0x88028CB8[0x208]

22:25:39:206 5012 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR

22:25:39:206 5012 DetectCureTDL3: IrpHandler (0) addr: 8FFDEFC8

22:25:39:206 5012 DetectCureTDL3: IrpHandler (1) addr: 824469D2

22:25:39:206 5012 DetectCureTDL3: IrpHandler (2) addr: 8FFDF040

22:25:39:206 5012 DetectCureTDL3: IrpHandler (3) addr: 8FFDF0B8

22:25:39:206 5012 DetectCureTDL3: IrpHandler (4) addr: 8FFDF0B8

22:25:39:206 5012 DetectCureTDL3: IrpHandler (5) addr: 824469D2

22:25:39:206 5012 DetectCureTDL3: IrpHandler (6) addr: 824469D2

22:25:39:206 5012 DetectCureTDL3: IrpHandler (7) addr: 824469D2

22:25:39:206 5012 DetectCureTDL3: IrpHandler (8) addr: 824469D2

22:25:39:206 5012 DetectCureTDL3: IrpHandler (9) addr: 824469D2

22:25:39:206 5012 DetectCureTDL3: IrpHandler (10) addr: 824469D2

22:25:39:206 5012 DetectCureTDL3: IrpHandler (11) addr: 824469D2

22:25:39:206 5012 DetectCureTDL3: IrpHandler (12) addr: 824469D2

22:25:39:206 5012 DetectCureTDL3: IrpHandler (13) addr: 824469D2

22:25:39:206 5012 DetectCureTDL3: IrpHandler (14) addr: 8FFDEBC4

22:25:39:206 5012 DetectCureTDL3: IrpHandler (15) addr: 8FFD27E4

22:25:39:206 5012 DetectCureTDL3: IrpHandler (16) addr: 824469D2

22:25:39:206 5012 DetectCureTDL3: IrpHandler (17) addr: 824469D2

22:25:39:206 5012 DetectCureTDL3: IrpHandler (18) addr: 824469D2

22:25:39:206 5012 DetectCureTDL3: IrpHandler (19) addr: 824469D2

22:25:39:206 5012 DetectCureTDL3: IrpHandler (20) addr: 824469D2

22:25:39:206 5012 DetectCureTDL3: IrpHandler (21) addr: 824469D2

22:25:39:206 5012 DetectCureTDL3: IrpHandler (22) addr: 8FFDD59C

22:25:39:206 5012 DetectCureTDL3: IrpHandler (23) addr: 8FFDA7A2

22:25:39:206 5012 DetectCureTDL3: IrpHandler (24) addr: 824469D2

22:25:39:206 5012 DetectCureTDL3: IrpHandler (25) addr: 824469D2

22:25:39:206 5012 DetectCureTDL3: IrpHandler (26) addr: 824469D2

22:25:39:206 5012 TDL3_FileDetect: Processing driver file: C:\Windows\system32\Drivers\USBSTOR.sys

22:25:39:206 5012 KLMD_CreateFileW: Trying to open file C:\Windows\system32\Drivers\USBSTOR.sys

22:25:39:222 5012 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 880B5AC8

22:25:39:222 5012 KLMD_GetLowerDeviceObject: Trying to get lower device object for 880B5AC8

22:25:39:222 5012 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 88032C80

22:25:39:222 5012 KLMD_GetLowerDeviceObject: Trying to get lower device object for 88032C80

22:25:39:222 5012 KLMD_ReadMem: Trying to ReadMemory 0x88032C80[0x38]

22:25:39:222 5012 DetectCureTDL3: DRIVER_OBJECT addr: 880D62C0

22:25:39:222 5012 KLMD_ReadMem: Trying to ReadMemory 0x880D62C0[0xA8]

22:25:39:222 5012 KLMD_ReadMem: Trying to ReadMemory 0x88028CB8[0x208]

22:25:39:222 5012 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR

22:25:39:222 5012 DetectCureTDL3: IrpHandler (0) addr: 8FFDEFC8

22:25:39:222 5012 DetectCureTDL3: IrpHandler (1) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (2) addr: 8FFDF040

22:25:39:222 5012 DetectCureTDL3: IrpHandler (3) addr: 8FFDF0B8

22:25:39:222 5012 DetectCureTDL3: IrpHandler (4) addr: 8FFDF0B8

22:25:39:222 5012 DetectCureTDL3: IrpHandler (5) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (6) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (7) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (8) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (9) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (10) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (11) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (12) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (13) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (14) addr: 8FFDEBC4

22:25:39:222 5012 DetectCureTDL3: IrpHandler (15) addr: 8FFD27E4

22:25:39:222 5012 DetectCureTDL3: IrpHandler (16) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (17) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (18) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (19) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (20) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (21) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (22) addr: 8FFDD59C

22:25:39:222 5012 DetectCureTDL3: IrpHandler (23) addr: 8FFDA7A2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (24) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (25) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (26) addr: 824469D2

22:25:39:222 5012 TDL3_FileDetect: Processing driver file: C:\Windows\system32\Drivers\USBSTOR.sys

22:25:39:222 5012 KLMD_CreateFileW: Trying to open file C:\Windows\system32\Drivers\USBSTOR.sys

22:25:39:222 5012 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 880D7AC8

22:25:39:222 5012 KLMD_GetLowerDeviceObject: Trying to get lower device object for 880D7AC8

22:25:39:222 5012 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 880BE9A0

22:25:39:222 5012 KLMD_GetLowerDeviceObject: Trying to get lower device object for 880BE9A0

22:25:39:222 5012 KLMD_ReadMem: Trying to ReadMemory 0x880BE9A0[0x38]

22:25:39:222 5012 DetectCureTDL3: DRIVER_OBJECT addr: 880D62C0

22:25:39:222 5012 KLMD_ReadMem: Trying to ReadMemory 0x880D62C0[0xA8]

22:25:39:222 5012 KLMD_ReadMem: Trying to ReadMemory 0x88028CB8[0x208]

22:25:39:222 5012 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR

22:25:39:222 5012 DetectCureTDL3: IrpHandler (0) addr: 8FFDEFC8

22:25:39:222 5012 DetectCureTDL3: IrpHandler (1) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (2) addr: 8FFDF040

22:25:39:222 5012 DetectCureTDL3: IrpHandler (3) addr: 8FFDF0B8

22:25:39:222 5012 DetectCureTDL3: IrpHandler (4) addr: 8FFDF0B8

22:25:39:222 5012 DetectCureTDL3: IrpHandler (5) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (6) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (7) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (8) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (9) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (10) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (11) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (12) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (13) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (14) addr: 8FFDEBC4

22:25:39:222 5012 DetectCureTDL3: IrpHandler (15) addr: 8FFD27E4

22:25:39:222 5012 DetectCureTDL3: IrpHandler (16) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (17) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (18) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (19) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (20) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (21) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (22) addr: 8FFDD59C

22:25:39:222 5012 DetectCureTDL3: IrpHandler (23) addr: 8FFDA7A2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (24) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (25) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (26) addr: 824469D2

22:25:39:222 5012 TDL3_FileDetect: Processing driver file: C:\Windows\system32\Drivers\USBSTOR.sys

22:25:39:222 5012 KLMD_CreateFileW: Trying to open file C:\Windows\system32\Drivers\USBSTOR.sys

22:25:39:222 5012 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 866AFAC8

22:25:39:222 5012 KLMD_GetLowerDeviceObject: Trying to get lower device object for 866AFAC8

22:25:39:222 5012 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 86229030

22:25:39:222 5012 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86229030

22:25:39:222 5012 KLMD_ReadMem: Trying to ReadMemory 0x86229030[0x38]

22:25:39:222 5012 DetectCureTDL3: DRIVER_OBJECT addr: 85CF9C50

22:25:39:222 5012 KLMD_ReadMem: Trying to ReadMemory 0x85CF9C50[0xA8]

22:25:39:222 5012 KLMD_ReadMem: Trying to ReadMemory 0x8537E378[0x208]

22:25:39:222 5012 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iaStor, Driver Name: iaStor

22:25:39:222 5012 DetectCureTDL3: IrpHandler (0) addr: 82A100B8

22:25:39:222 5012 DetectCureTDL3: IrpHandler (1) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (2) addr: 82A100B8

22:25:39:222 5012 DetectCureTDL3: IrpHandler (3) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (4) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (5) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (6) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (7) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (8) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (9) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (10) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (11) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (12) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (13) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (14) addr: 82A13EBC

22:25:39:222 5012 DetectCureTDL3: IrpHandler (15) addr: 82A14184

22:25:39:222 5012 DetectCureTDL3: IrpHandler (16) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (17) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (18) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (19) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (20) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (21) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (22) addr: 82A18B62

22:25:39:222 5012 DetectCureTDL3: IrpHandler (23) addr: 82A18CC2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (24) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (25) addr: 824469D2

22:25:39:222 5012 DetectCureTDL3: IrpHandler (26) addr: 824469D2

22:25:39:222 5012 TDL3_FileDetect: Processing driver file: C:\Windows\system32\Drivers\iaStor.sys

22:25:39:222 5012 KLMD_CreateFileW: Trying to open file C:\Windows\system32\Drivers\iaStor.sys

22:25:39:253 5012

Completed

Results:

22:25:39:253 5012 Infected / Cured drivers in memory: 0 / 0

22:25:39:253 5012 Infected / Cured drivers on disk: 0 / 0

22:25:39:253 5012 Files deleted on next reboot: 0

22:25:39:253 5012 Registry nodes deleted on next reboot: 0

22:25:39:253 5012

End of Logit.txt

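The UnhookRegistry lines in the Logit.txt above show the check TDSSKiller performs before it trusts the registry: it maps its own copy of ntkrnlpa.exe (the "Kernel local addr"), finds where NtEnumerateKey sits in that clean copy, rebases that address onto the live kernel's base ("calc addr") and compares it with what the live service table actually holds ("real addr"). If the two differ, the table entry has been redirected and registry enumeration cannot be trusted to show the rootkit's keys. The following Python is an added example written for this page, not code from the thread or from Kaspersky's tool: it parses log lines of that shape, repeats the rebasing arithmetic, and reads the Results counters. The sample lines are constructed to mirror the log above; HOOKED_LOG is a constructed counterexample with a hypothetical address.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the shape of the TDSSKiller Logit.txt quoted in
# this thread (the UnhookRegistry phase and the closing Results block).
SAMPLE_LOG = r"""
22:25:39:191 5012 UnhookRegistry: Kernel module file name: C:\Windows\system32\ntkrnlpa.exe, base addr: 8241E000
22:25:39:191 5012 UnhookRegistry: Kernel local addr: 1A50000
22:25:39:191 5012 UnhookRegistry: NtEnumerateKey service number (local): 85
22:25:39:191 5012 UnhookRegistry: NtEnumerateKey local addr: 1C4D0BA
22:25:39:191 5012 UnhookRegistry: NtEnumerateKey service number (kernel): 85
22:25:39:191 5012 UnhookRegistry: NtEnumerateKey real addr: 8261B0BA
22:25:39:191 5012 UnhookRegistry: NtEnumerateKey calc addr: 8261B0BA
22:25:39:253 5012 Infected / Cured drivers in memory: 0 / 0
22:25:39:253 5012 Infected / Cured drivers on disk: 0 / 0
22:25:39:253 5012 Files deleted on next reboot: 0
22:25:39:253 5012 Registry nodes deleted on next reboot: 0
"""

# Constructed counterexample with a hypothetical address: the live service
# table slot no longer holds what the clean kernel image predicts.
HOOKED_LOG = SAMPLE_LOG.replace("real addr: 8261B0BA", "real addr: 8FFE0000")


def relocate(kernel_base: int, local_base: int, local_addr: int) -> int:
    """Rebase an address found in the locally mapped kernel image onto the live
    kernel: a routine's offset from the image base is the same in both copies."""
    return kernel_base + (local_addr - local_base)


def parse_unhook_phase(log_text: str) -> Tuple[Optional[int], Optional[int], Dict[str, Dict[str, int]]]:
    """Return (kernel_base, local_base, {routine: {"local"/"real"/"calc": addr}})
    collected from the UnhookRegistry lines."""
    kernel_base = local_base = None
    per_fn: Dict[str, Dict[str, int]] = {}
    for line in log_text.splitlines():
        if "UnhookRegistry:" not in line:
            continue
        m = re.search(r"Kernel module file name: .*?, base addr: ([0-9A-Fa-f]+)", line)
        if m:
            kernel_base = int(m.group(1), 16)
            continue
        m = re.search(r"Kernel local addr: ([0-9A-Fa-f]+)", line)
        if m:
            local_base = int(m.group(1), 16)
            continue
        m = re.search(r"(Nt\w+) (local|real|calc) addr: ([0-9A-Fa-f]+)", line)
        if m:
            per_fn.setdefault(m.group(1), {})[m.group(2)] = int(m.group(3), 16)
    return kernel_base, local_base, per_fn


def ssdt_verdicts(log_text: str) -> List[dict]:
    """Flag a service-table entry as hooked when the live slot does not hold the
    address the clean on-disk kernel image predicts for that routine."""
    kernel_base, local_base, per_fn = parse_unhook_phase(log_text)
    if kernel_base is None or local_base is None:
        return []
    verdicts = []
    for fn, addrs in per_fn.items():
        if "local" not in addrs or "real" not in addrs:
            continue  # incomplete record; nothing to compare
        expected = relocate(kernel_base, local_base, addrs["local"])
        verdicts.append({
            "function": fn,
            "expected": expected,
            "real": addrs["real"],
            "hooked": expected != addrs["real"],
            # our rebasing should reproduce the tool's own "calc addr" when logged
            "matches_tool_calc": addrs.get("calc", expected) == expected,
        })
    return verdicts


SUMMARY_PATTERNS = {
    "drivers_in_memory": r"Infected / Cured drivers in memory: (\d+) / (\d+)",
    "drivers_on_disk": r"Infected / Cured drivers on disk: (\d+) / (\d+)",
    "files_deleted_on_reboot": r"Files deleted on next reboot: (\d+)",
    "registry_nodes_deleted_on_reboot": r"Registry nodes deleted on next reboot: (\d+)",
}


def parse_summary(log_text: str) -> dict:
    """Pull the counters from the Results block; pairs are (infected, cured)."""
    summary = {}
    for key, pattern in SUMMARY_PATTERNS.items():
        m = re.search(pattern, log_text)
        if m:
            nums = tuple(int(g) for g in m.groups())
            summary[key] = nums if len(nums) > 1 else nums[0]
    return summary


def is_clean(log_text: str) -> bool:
    """True only if no SSDT hook was found and every Results counter is zero."""
    if any(v["hooked"] for v in ssdt_verdicts(log_text)):
        return False
    counters = [n for v in parse_summary(log_text).values()
                for n in (v if isinstance(v, tuple) else (v,))]
    return bool(counters) and all(n == 0 for n in counters)
```

Running relocate on the values from the log reproduces the tool's own figure: 8241E000 + (1C4D0BA - 1A50000) = 8261B0BA, which is exactly the "calc addr" it printed and equals the "real addr", so the log's "No SDT hooks found on NtEnumerateKey" follows. A TDL3 infection that hides its service by hooking that table would show up as a mismatch; the "No splicing found" line covers the other common case, an inline patch at the routine's real address, which this example does not check because the log does not expose the bytes it read.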

OTL.txt

OTL logfile created on: 12/4/2009 10:28:57 PM - Run 1

OTL by OldTimer - Version 3.1.11.6 Folder = C:\Users\dchin\Desktop

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18828)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.82 Gb Available Physical Memory | 91.06% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 455.72 Gb Total Space | 94.26 Gb Free Space | 20.68% Space Free | Partition Type: NTFS

Drive D: | 10.00 Gb Total Space | 5.85 Gb Free Space | 58.52% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: DCHIN

Current User Name: dchin

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/04 22:20:08 | 00,536,064 | ---- | M] (OldTimer Tools) -- C:\Users\dchin\Desktop\OTL.exe

PRC - [2009/11/26 22:08:04 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe

PRC - [2009/11/02 20:47:26 | 00,135,664 | ---- | M] (Google Inc.) -- C:\Users\dchin\AppData\Local\Google\Update\GoogleUpdate.exe

PRC - [2009/10/19 22:34:55 | 00,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe

PRC - [2009/06/05 12:39:22 | 00,292,136 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe

PRC - [2009/06/05 12:39:14 | 00,541,992 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe

PRC - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

PRC - [2009/04/10 22:28:08 | 00,037,888 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\unsecapp.exe

PRC - [2009/04/10 22:27:36 | 02,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe

PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe

PRC - [2008/10/25 10:44:34 | 00,031,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

PRC - [2008/10/07 12:33:00 | 00,203,296 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe

PRC - [2008/06/11 22:43:26 | 00,640,376 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

PRC - [2008/05/02 01:44:08 | 00,805,392 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe

PRC - [2008/05/02 01:40:56 | 00,076,304 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe

PRC - [2008/01/18 23:33:39 | 00,202,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe

PRC - [2008/01/18 23:33:15 | 00,095,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mobsync.exe

PRC - [2008/01/15 01:42:02 | 00,694,040 | ---- | M] (Realtime Soft Ltd) -- C:\Program Files\UltraMon\UltraMon.exe

PRC - [2008/01/14 18:24:46 | 00,283,136 | ---- | M] (Realtime Soft Ltd) -- C:\Program Files\UltraMon\UltraMonTaskbar.exe

PRC - [2007/05/31 09:21:28 | 00,648,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\WindowsMobile\wmdc.exe

PRC - [2006/12/07 08:28:42 | 00,629,248 | ---- | M] (Hagel Technologies Ltd) -- C:\Program Files\DU Meter\DUMeter.exe

PRC - [2006/11/22 14:56:00 | 00,303,104 | ---- | M] (SigmaTel, Inc.) -- C:\Windows\sttray.exe

PRC - [2006/11/18 05:01:42 | 00,182,744 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe

PRC - [2006/11/18 05:01:32 | 00,272,856 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe

PRC - [2006/11/18 05:01:26 | 00,195,032 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\IntelDH\CCU\AlertService.exe

PRC - [2006/11/05 09:13:00 | 00,159,744 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

PRC - [2006/10/29 07:03:30 | 00,208,896 | ---- | M] () -- C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe

PRC - [2006/09/29 10:39:20 | 00,151,552 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

PRC - [2006/09/29 10:38:50 | 00,081,920 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe

PRC - [2006/09/26 08:56:00 | 00,423,424 | ---- | M] (Intel Corporation) -- C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe

PRC - [2006/08/04 16:39:20 | 00,386,560 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\XAudio.exe

========== Modules (SafeList) ==========

MOD - [2009/12/04 22:20:08 | 00,536,064 | ---- | M] (OldTimer Tools) -- C:\Users\dchin\Desktop\OTL.exe

MOD - [2009/04/10 22:21:38 | 01,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll

MOD - [2009/03/29 20:42:16 | 00,632,656 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4016_none_d0893820442e7fe4\msvcr80.dll

MOD - [2008/05/02 01:42:50 | 00,045,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\lgscroll.dll

MOD - [2008/05/02 01:38:54 | 00,064,016 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\GameHook.dll

MOD - [2008/01/14 18:24:48 | 00,057,856 | ---- | M] (Realtime Soft Ltd) -- C:\Program Files\UltraMon\RTSUltraMonHook.dll

========== Win32 Services (SafeList) ==========

SRV - [2009/10/19 22:34:55 | 00,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe -- (NAV)

SRV - [2009/09/24 17:27:04 | 00,793,088 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\FntCache.dll -- (FontCache)

SRV - [2009/07/24 23:42:17 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate) Google Update Service (gupdate)

SRV - [2009/06/05 12:39:14 | 00,541,992 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)

SRV - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2009/04/09 21:19:24 | 00,316,664 | ---- | M] (Valve Corporation) -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)

SRV - [2009/01/29 20:09:54 | 00,655,624 | ---- | M] (Acresso Software Inc.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)

SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)

SRV - [2008/11/04 10:48:10 | 00,288,112 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe -- (Adobe Version Cue CS4)

SRV - [2008/11/04 00:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)

SRV - [2008/10/25 10:44:08 | 00,065,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)

SRV - [2008/10/07 12:33:00 | 00,203,296 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe -- (nvsvc)

SRV - [2008/05/02 01:42:06 | 00,121,360 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe -- (LBTServ)

SRV - [2008/01/18 23:38:24 | 00,272,952 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

SRV - [2007/05/31 09:21:24 | 00,379,784 | ---- | M] (Microsoft Corporation) -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)

SRV - [2007/05/31 09:21:18 | 00,183,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)

SRV - [2007/03/09 22:39:39 | 00,072,704 | ---- | M] (Adobe Systems) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service)

SRV - [2006/11/18 05:01:26 | 00,195,032 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\IntelDH\CCU\AlertService.exe -- (AlertService) Intel®

SRV - [2006/11/18 05:00:48 | 00,550,872 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe -- (Remote UI Service) Intel®

SRV - [2006/11/18 05:00:06 | 00,174,552 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe -- (MCLServiceATL) Intel®

SRV - [2006/11/18 04:59:38 | 00,081,880 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe -- (ISSM) Intel®

SRV - [2006/11/18 04:59:02 | 00,032,216 | ---- | M] () -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe -- (M1 Server) Intel® Viiv

SRV - [2006/11/05 09:15:12 | 00,880,640 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -- (RoxMediaDB9)

SRV - [2006/11/05 09:13:00 | 00,159,744 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe -- (RoxWatch9)

SRV - [2006/11/02 04:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart)

SRV - [2006/10/29 07:03:30 | 00,208,896 | ---- | M] () -- C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe -- (DQLWinService)

SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)

SRV - [2006/09/29 10:38:50 | 00,081,920 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®

SRV - [2006/09/14 12:54:34 | 00,073,728 | ---- | M] (MicroVision Development, Inc.) -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr)

SRV - [2006/08/04 16:39:20 | 00,386,560 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\XAudio.exe -- (XAudioService)

SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)

========== Driver Services (SafeList) ==========

DRV - [2009/12/04 01:11:41 | 01,323,568 | ---- | M] (Symantec Corporation) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20091204.037\NAVEX15.SYS -- (NAVEX15)

DRV - [2009/12/04 01:11:41 | 00,084,912 | ---- | M] (Symantec Corporation) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20091204.037\NAVENG.SYS -- (NAVENG)

DRV - [2009/11/12 21:58:19 | 00,124,976 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)

DRV - [2009/11/12 01:00:00 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)

DRV - [2009/11/12 01:00:00 | 00,102,448 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)

DRV - [2009/11/05 14:06:13 | 00,328,752 | ---- | M] (Symantec Corporation) -- C:\Windows\system32\drivers\NAV\1101000.013\SYMDS.SYS -- (SymDS)

DRV - [2009/11/04 15:50:04 | 00,524,848 | ---- | M] (Symantec Corporation) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20091104.001\BHDrvx86.sys -- (BHDrvx86)

DRV - [2009/10/28 14:37:22 | 00,343,088 | ---- | M] (Symantec Corporation) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20091111.001\IDSvix86.sys -- (IDSVix86)

DRV - [2009/10/19 22:35:50 | 00,501,888 | ---- | M] (Symantec Corporation) -- C:\Windows\system32\drivers\NAV\1101000.013\ccHPx86.sys -- (ccHP)

DRV - [2009/10/14 17:50:48 | 00,339,504 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\Drivers\NAV\1101000.013\SYMTDIV.SYS -- (SYMTDIv)

DRV - [2009/10/10 15:51:23 | 00,044,080 | R--- | M] (Symantec Corporation) -- C:\Windows\System32\drivers\SymIMV.sys -- (SymIM)

DRV - [2009/10/08 18:55:01 | 00,171,056 | ---- | M] (Symantec Corporation) -- C:\Windows\system32\drivers\NAV\1101000.013\SYMEFA.SYS -- (SymEFA)

DRV - [2009/10/08 18:54:25 | 00,114,736 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\Drivers\NAV\1101000.013\Ironx86.SYS -- (SymIRON)

DRV - [2009/10/08 18:54:10 | 00,325,168 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\Drivers\NAV\1101000.013\SRTSP.SYS -- (SRTSP)

DRV - [2009/10/08 18:54:10 | 00,043,696 | ---- | M] (Symantec Corporation) -- C:\Windows\system32\drivers\NAV\1101000.013\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)

DRV - [2009/04/10 20:46:08 | 00,015,872 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\usb8023x.sys -- (usb_rndisx)

DRV - [2009/03/19 15:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) -- C:\Windows\System32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)

DRV - [2008/10/07 12:33:00 | 07,380,896 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)

DRV - [2008/02/29 02:13:46 | 00,028,944 | ---- | M] (Logitech, Inc.) -- C:\Windows\System32\drivers\LUsbFilt.sys -- (LUsbFilt)

DRV - [2008/02/29 02:13:24 | 00,036,880 | ---- | M] (Logitech, Inc.) -- C:\Windows\System32\drivers\LMouFilt.Sys -- (LMouFilt)

DRV - [2008/02/29 02:13:16 | 00,035,344 | ---- | M] (Logitech, Inc.) -- C:\Windows\System32\drivers\LHidFilt.Sys -- (LHidFilt)

DRV - [2008/02/06 03:00:00 | 00,044,608 | ---- | M] (Sonic Solutions) -- C:\Windows\System32\Drivers\PxHelp20.sys -- (PxHelp20)

DRV - [2008/01/18 21:53:31 | 00,045,696 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\61883.sys -- (61883)

DRV - [2008/01/18 21:53:31 | 00,040,448 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\avc.sys -- (Avc)

DRV - [2008/01/18 21:53:28 | 00,052,608 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\msdv.sys -- (MSDV)

DRV - [2008/01/18 20:25:05 | 00,220,672 | ---- | M] (Intel Corporation) -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®

DRV - [2007/11/16 09:30:32 | 00,026,912 | ---- | M] (RapidSolution Software AG) -- C:\Windows\System32\drivers\tbhsd.sys -- (tbhsd)

DRV - [2007/10/10 16:41:50 | 00,042,112 | ---- | M] (Motorola Inc) -- C:\Windows\System32\drivers\motodrv.sys -- (MotDev)

DRV - [2007/08/21 16:37:24 | 00,032,384 | ---- | M] (Service & Quality Technology.) -- C:\Windows\System32\drivers\Capt913D.sys -- (SQTECH913D)

DRV - [2007/03/02 07:58:53 | 00,017,512 | ---- | M] (VIA Technologies, Inc.) -- C:\Windows\system32\drivers\viaide.sys -- (viaide)

DRV - [2007/03/02 07:58:53 | 00,016,488 | ---- | M] (CMD Technology, Inc.) -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)

DRV - [2007/03/02 07:58:53 | 00,014,952 | ---- | M] (Acer Laboratories Inc.) -- C:\Windows\system32\drivers\aliide.sys -- (aliide)

DRV - [2007/03/02 00:15:24 | 00,005,504 | ---- | M] (Intel Corporation) -- C:\Windows\System32\drivers\IntelDH.sys -- (IntelDH)

DRV - [2007/02/09 11:34:16 | 00,051,768 | ---- | M] (Roxio) -- C:\Windows\System32\drivers\DRVNDDM.SYS -- (DRVNDDM)

DRV - [2007/02/08 19:05:30 | 00,028,120 | ---- | M] (Roxio) -- C:\Windows\System32\drivers\DLARTL_M.SYS -- (DLARTL_M)

DRV - [2007/02/08 19:05:30 | 00,012,856 | ---- | M] (Roxio) -- C:\Windows\System32\drivers\DLACDBHM.SYS -- (DLACDBHM)

DRV - [2006/11/22 14:56:52 | 00,647,680 | ---- | M] (SigmaTel, Inc.) -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)

DRV - [2006/11/18 05:01:08 | 00,018,904 | ---- | M] () -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.sys -- (TSHWMDTCP)

DRV - [2006/11/02 01:51:45 | 00,900,712 | ---- | M] (QLogic Corporation) -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)

DRV - [2006/11/02 01:51:38 | 00,420,968 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)

DRV - [2006/11/02 01:51:34 | 00,316,520 | ---- | M] (Emulex) -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)

DRV - [2006/11/02 01:51:32 | 00,297,576 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)

DRV - [2006/11/02 01:51:25 | 00,235,112 | ---- | M] (ULi Electronics Inc.) -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)

DRV - [2006/11/02 01:51:25 | 00,232,040 | ---- | M] (Intel Corporation) -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)

DRV - [2006/11/02 01:51:00 | 00,147,048 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)

DRV - [2006/11/02 01:50:45 | 00,115,816 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)

DRV - [2006/11/02 01:50:41 | 00,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)

DRV - [2006/11/02 01:50:35 | 00,106,088 | ---- | M] (QLogic Corporation) -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)

DRV - [2006/11/02 01:50:35 | 00,098,408 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)

DRV - [2006/11/02 01:50:35 | 00,098,408 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)

DRV - [2006/11/02 01:50:24 | 00,088,680 | ---- | M] (NVIDIA Corporation) -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)

DRV - [2006/11/02 01:50:19 | 00,045,160 | ---- | M] (IBM Corporation) -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)

DRV - [2006/11/02 01:50:17 | 00,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)

DRV - [2006/11/02 01:50:16 | 00,071,784 | ---- | M] (Silicon Integrated Systems) -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)

DRV - [2006/11/02 01:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)

DRV - [2006/11/02 01:50:11 | 00,071,272 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)

DRV - [2006/11/02 01:50:10 | 00,067,688 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)

DRV - [2006/11/02 01:50:10 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)

DRV - [2006/11/02 01:50:10 | 00,038,504 | ---- | M] (Silicon Integrated Systems Corp.) -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)

DRV - [2006/11/02 01:50:10 | 00,037,480 | ---- | M] (Hewlett-Packard Company) -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)

DRV - [2006/11/02 01:50:09 | 00,067,688 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\arc.sys -- (arc)

DRV - [2006/11/02 01:50:09 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)

DRV - [2006/11/02 01:50:07 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)

DRV - [2006/11/02 01:50:05 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)

DRV - [2006/11/02 01:50:05 | 00,035,944 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)

DRV - [2006/11/02 01:50:04 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)

DRV - [2006/11/02 01:50:03 | 00,034,920 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)

DRV - [2006/11/02 01:49:59 | 00,033,384 | ---- | M] (LSI Logic Corporation) -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)

DRV - [2006/11/02 01:49:56 | 00,031,848 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)

DRV - [2006/11/02 01:49:53 | 00,028,776 | ---- | M] (LSI Logic Corporation) -- C:\Windows\system32\drivers\megasas.sys -- (megasas)

DRV - [2006/11/02 00:25:24 | 00,071,808 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)

DRV - [2006/11/02 00:24:47 | 00,011,904 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)

DRV - [2006/11/02 00:24:46 | 00,005,248 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)

DRV - [2006/11/02 00:24:45 | 00,013,568 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)

DRV - [2006/11/02 00:24:44 | 00,062,336 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)

DRV - [2006/11/02 00:24:44 | 00,012,160 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)

DRV - [2006/11/01 23:36:50 | 00,020,608 | ---- | M] (N-trig Innovative Technologies) -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)

DRV - [2006/11/01 23:36:43 | 02,028,032 | ---- | M] (ATI Technologies Inc.) -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)

DRV - [2006/11/01 23:30:54 | 00,117,760 | ---- | M] (Intel Corporation) -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®

DRV - [2006/11/01 22:37:21 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\Windows\System32\drivers\secdrv.sys -- (secdrv)

DRV - [2006/10/26 15:22:02 | 00,009,400 | ---- | M] (Roxio) -- C:\Windows\System32\DLA\DLADResM.SYS -- (DLADResM)

DRV - [2006/10/26 15:21:34 | 00,094,648 | ---- | M] (Roxio) -- C:\Windows\System32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)

DRV - [2006/10/26 15:21:34 | 00,035,096 | ---- | M] (Roxio) -- C:\Windows\System32\DLA\DLABMFSM.SYS -- (DLABMFSM)

DRV - [2006/10/26 15:21:32 | 00,097,848 | ---- | M] (Roxio) -- C:\Windows\System32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)

DRV - [2006/10/26 15:21:30 | 00,026,296 | ---- | M] (Roxio) -- C:\Windows\System32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)

DRV - [2006/10/26 15:21:28 | 00,032,472 | ---- | M] (Roxio) -- C:\Windows\System32\DLA\DLABOIOM.SYS -- (DLABOIOM)

DRV - [2006/10/26 15:21:26 | 00,014,520 | ---- | M] (Roxio) -- C:\Windows\System32\DLA\DLAPoolM.SYS -- (DLAPoolM)

DRV - [2006/10/26 15:21:24 | 00,104,536 | ---- | M] (Roxio) -- C:\Windows\System32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)

DRV - [2006/10/19 13:49:48 | 00,007,424 | --S- | M] (Gteko Ltd.) -- C:\Windows\System32\drivers\nmsunidr.sys -- (nmsunidr)

DRV - [2006/10/18 10:09:26 | 00,986,624 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV)

DRV - [2006/10/18 10:08:18 | 00,258,048 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\HSXHWBS2.sys -- (HSXHWBS2)

DRV - [2006/10/18 10:08:04 | 00,659,968 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)

DRV - [2006/09/29 11:59:58 | 00,250,368 | ---- | M] (Intel Corporation) -- C:\Windows\system32\drivers\iastor.sys -- (iaStor)

DRV - [2006/09/27 14:37:24 | 00,028,672 | --S- | M] (Gteko Ltd.) -- C:\Windows\System32\drivers\nmsgopro.sys -- (nmsgopro)

DRV - [2006/08/04 16:39:10 | 00,008,192 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)

DRV - [2006/07/21 10:21:26 | 00,099,176 | ---- | M] (Sonic Solutions) -- C:\Windows\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)

DRV - [2006/06/19 13:26:58 | 00,012,672 | ---- | M] (Conexant) -- C:\Windows\System32\drivers\mdmxsdk.sys -- (mdmxsdk)

DRV - [2003/01/10 19:28:02 | 00,065,280 | ---- | M] (PACE Anti-Piracy, Inc.) -- C:\Windows\System32\drivers\Tpkd.sys -- (TPkd)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cl...amp;ibd=1070302

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true

FF - prefs.js..browser.startup.homepage: "www.google.com"

FF - prefs.js..extensions.enabledItems: firebug@software.joehewitt.com:1.4.5

FF - prefs.js..extensions.enabledItems: firenes@facundo.zaldo:1.3

FF - prefs.js..extensions.enabledItems: genipublisher@geni.com:3.0.7.1

FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0

FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.4

FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\IPSFFPlgn\ [2009/11/12 21:59:46 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/06 22:00:11 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/04 01:05:29 | 00,000,000 | ---D | M]

[2008/06/22 20:05:55 | 00,000,000 | ---D | M] -- C:\Users\dchin\AppData\Roaming\Mozilla\Extensions

[2009/12/04 01:24:24 | 00,000,000 | ---D | M] -- C:\Users\dchin\AppData\Roaming\Mozilla\Firefox\Profiles\m7ofzhr2.default\extensions

[2009/11/08 21:26:08 | 00,000,000 | ---D | M] -- C:\Users\dchin\AppData\Roaming\Mozilla\Firefox\Profiles\m7ofzhr2.default\extensions\firebug@software.joehewitt.com

[2009/11/12 21:34:10 | 00,000,000 | ---D | M] -- C:\Users\dchin\AppData\Roaming\Mozilla\Firefox\Profiles\m7ofzhr2.default\extensions\firenes@facundo.zaldo

[2008/08/21 21:45:20 | 00,000,000 | ---D | M] -- C:\Users\dchin\AppData\Roaming\Mozilla\Firefox\Profiles\m7ofzhr2.default\extensions\genipublisher@geni.com

[2009/11/15 13:03:37 | 00,000,000 | ---D | M] -- C:\Users\dchin\AppData\Roaming\Mozilla\Firefox\Profiles\m7ofzhr2.default\extensions\personas@christopher.beard

[2008/03/10 23:08:54 | 00,001,058 | ---- | M] () -- C:\Users\dchin\AppData\Roaming\Mozilla\Firefox\Profiles\m7ofzhr2.default\searchplugins\wikipedia-en.xml

[2009/12/04 01:24:24 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2009/03/31 21:47:26 | 00,324,976 | ---- | M] (Symantec Corporation) -- C:\Program Files\Mozilla Firefox\components\coFFPlgn.dll

O1 HOSTS File: (352038 bytes) - C:\Windows\System32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: ::1 localhost

O1 - Hosts: 127.0.0.1 activate.adobe.com

O1 - Hosts: 127.0.0.1 www.007guard.com

O1 - Hosts: 127.0.0.1 007guard.com

O1 - Hosts: 127.0.0.1 008i.com

O1 - Hosts: 127.0.0.1 www.008k.com

O1 - Hosts: 127.0.0.1 008k.com

O1 - Hosts: 127.0.0.1 www.00hq.com

O1 - Hosts: 127.0.0.1 00hq.com

O1 - Hosts: 127.0.0.1 010402.com

O1 - Hosts: 127.0.0.1 www.032439.com

O1 - Hosts: 127.0.0.1 032439.com

O1 - Hosts: 127.0.0.1 www.0scan.com

O1 - Hosts: 127.0.0.1 0scan.com

O1 - Hosts: 127.0.0.1 1000gratisproben.com

O1 - Hosts: 127.0.0.1 www.1000gratisproben.com

O1 - Hosts: 127.0.0.1 1001namen.com

O1 - Hosts: 127.0.0.1 www.1001namen.com

O1 - Hosts: 127.0.0.1 www.100888290cs.com

O1 - Hosts: 127.0.0.1 100888290cs.com

O1 - Hosts: 127.0.0.1 100sexlinks.com

O1 - Hosts: 127.0.0.1 www.100sexlinks.com

O1 - Hosts: 127.0.0.1 10sek.com

O1 - Hosts: 127.0.0.1 www.10sek.com

O1 - Hosts: 12068 more lines...

O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)

O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.

O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\IPSBHO.dll (Symantec Corporation)

O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

O2 - BHO: (no name) - {9b8c7915-ac4a-4a97-8b16-d07d3803a826} - File not found

O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll File not found

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O4 - HKLM..\Run: [] File not found

O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)

O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [Adobe_ID0ENQBO] C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4Tray.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)

O4 - HKLM..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe (Intel® Corporation)

O4 - HKLM..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe (Hagel Technologies Ltd)

O4 - HKLM..\Run: [ECenter] c:\DELL\E-Center\EULALauncher.exe ( )

O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)

O4 - HKLM..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)

O4 - HKLM..\Run: [iSUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)

O4 - HKLM..\Run: [iSUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)

O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)

O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech, Inc.)

O4 - HKLM..\Run: [NMSSupport] C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe (Intel Corporation)

O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)

O4 - HKLM..\Run: [sigmatelSysTrayApp] C:\Windows\sttray.exe (SigmaTel, Inc.)

O4 - HKLM..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)

O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O4 - HKLM..\Run: [Windows Mobile Device Center] C:\Windows\WindowsMobile\wmdc.exe (Microsoft Corporation)

O4 - HKCU..\Run: [AdobeBridge] File not found

O4 - HKCU..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe File not found

O4 - HKCU..\Run: [Google Update] C:\Users\dchin\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)

O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O13 - gopher Prefix: missing

O15 - HKLM\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.

O15 - HKCU\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)

O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62

O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O21 - SSODL: zovahigut - {36066187-7448-4e42-b2da-e7fc422f9c5c} - C:\Windows\System32\modubelo.dll File not found

O22 - SharedTaskScheduler: {36066187-7448-4e42-b2da-e7fc422f9c5c} - jugezatag - C:\Windows\System32\modubelo.dll File not found

O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/09/18 13:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O33 - MountPoints2\{121920e8-1d56-11dc-8dff-0019d1313e7b}\Shell - "" = AutoRun

O33 - MountPoints2\{121920e8-1d56-11dc-8dff-0019d1313e7b}\Shell\AutoRun\command - "" = I:\LaunchU3.exe -- File not found

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - comfile [open] -- "%1" %*

O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2009/12/04 22:19:24 | 00,536,064 | ---- | C] (OldTimer Tools) -- C:\Users\dchin\Desktop\OTL.exe

[2009/12/04 00:14:03 | 00,000,000 | ---D | C] -- C:\_OTL

[2009/12/03 20:03:10 | 00,000,000 | ---D | C] -- C:\Users\dchin\AppData\Local\Tific

[2009/12/03 20:03:05 | 00,000,000 | ---D | C] -- C:\Users\dchin\AppData\Roaming\Tific

[2009/12/03 20:03:02 | 00,000,000 | ---D | C] -- C:\Users\dchin\AppData\Local\Symantec

[2009/12/01 23:15:19 | 00,000,000 | ---D | C] -- C:\Users\dchin\AppData\Local\Adobe(95)

[2009/12/01 23:12:11 | 00,000,000 | ---D | C] -- C:\Users\dchin\AppData\Local\Apple Computer

[2009/12/01 22:33:20 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT

[2009/11/27 18:45:35 | 00,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll

[2009/11/27 18:43:43 | 00,714,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\timedate.cpl

[2009/11/26 22:08:26 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe

[2009/11/26 22:08:26 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe

[2009/11/26 22:08:26 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe

[2009/11/26 13:25:50 | 00,130,312 | ---- | C] (Kaspersky Lab) -- C:\Users\dchin\Desktop\TDSSKiller.exe

[2009/11/26 00:47:21 | 00,000,000 | ---D | C] -- C:\Users\dchin\AppData\Roaming\vlc

[2009/11/24 22:13:04 | 01,892,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_42.dll

[2009/11/24 22:13:04 | 00,453,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_42.dll

[2009/11/24 22:13:03 | 03,786,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_37.dll

[2009/11/24 22:13:03 | 01,420,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_37.dll

[2009/11/24 22:13:03 | 00,462,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_37.dll

[2009/11/24 22:13:02 | 00,081,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xinput1_3.dll

[2009/11/24 22:04:50 | 02,036,736 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys

[2009/11/24 22:04:45 | 00,355,328 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WSDApi.dll

[2009/11/19 23:48:47 | 00,000,000 | ---D | C] -- C:\Users\dchin\Documents\Downloads

[2009/11/16 22:08:17 | 00,000,000 | ---D | C] -- C:\Users\dchin\AppData\Local\CrashDumps

[2009/11/16 21:19:19 | 00,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe

[2009/11/16 21:19:19 | 00,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe

[2009/11/16 21:19:19 | 00,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe

[2009/11/16 21:19:05 | 00,000,000 | ---D | C] -- C:\Windows\ERDNT

[2009/11/16 21:18:47 | 00,000,000 | ---D | C] -- C:\Qoobox

[2009/11/14 11:27:49 | 00,044,080 | R--- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\SymIMV.sys

[2009/11/13 02:52:51 | 00,339,504 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NAV\1101000.013\symtdiv.sys

[2009/11/13 02:52:51 | 00,171,056 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NAV\1101000.013\SymEFA.sys

[2009/11/13 02:52:50 | 00,328,752 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NAV\1101000.013\SymDS.sys

[2009/11/13 02:52:50 | 00,325,168 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NAV\1101000.013\srtsp.sys

[2009/11/13 02:52:50 | 00,114,736 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NAV\1101000.013\Ironx86.sys

[2009/11/13 02:52:50 | 00,043,696 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NAV\1101000.013\srtspx.sys

[2009/11/13 02:52:49 | 00,501,888 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NAV\1101000.013\cchpx86.sys

[2009/11/13 02:52:23 | 00,000,000 | ---D | C] -- C:\Windows\System32\drivers\NAV\1101000.013

[2009/11/12 21:58:19 | 00,124,976 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\SYMEVENT.SYS

[2009/11/12 21:58:19 | 00,000,000 | ---D | C] -- C:\Program Files\Symantec

[2009/11/12 21:57:32 | 00,000,000 | ---D | C] -- C:\Windows\System32\drivers\NAV

[2009/11/12 21:57:31 | 00,000,000 | ---D | C] -- C:\Program Files\Norton AntiVirus

[2009/11/12 21:47:41 | 00,000,000 | ---D | C] -- C:\ProgramData\PCSettings

[2009/11/12 21:47:23 | 00,000,000 | ---D | C] -- C:\ProgramData\NortonInstaller

[2009/11/12 21:47:23 | 00,000,000 | ---D | C] -- C:\Program Files\NortonInstaller

[2009/11/12 21:46:35 | 00,000,000 | ---D | C] -- C:\ProgramData\Norton

[2009/11/11 21:33:31 | 00,000,000 | ---D | C] -- C:\Users\dchin\Desktop\TGame2009

[2009/11/10 00:29:34 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2009/11/09 23:54:07 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys

[2009/11/09 23:54:05 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

[2009/11/09 23:48:43 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2009/11/09 23:11:46 | 00,119,808 | ---- | C] (Atribune.org) -- C:\Users\dchin\Desktop\VundoFix.exe

[2009/11/09 23:01:42 | 00,000,000 | ---D | C] -- C:\Users\dchin\AppData\Roaming\Malwarebytes

[2009/11/09 23:01:33 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes

[2009/11/06 10:59:54 | 15,406,728 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xlive.dll

[2009/11/06 10:59:54 | 13,642,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xlivefnt.dll

========== Files - Modified Within 30 Days ==========

[2009/12/04 22:34:22 | 12,058,624 | -HS- | M] () -- C:\Users\dchin\ntuser.dat

[2009/12/04 22:20:41 | 00,843,187 | ---- | M] () -- C:\Users\dchin\Desktop\SecurityCheck.exe

[2009/12/04 22:20:08 | 00,536,064 | ---- | M] (OldTimer Tools) -- C:\Users\dchin\Desktop\OTL.exe

[2009/12/04 22:18:34 | 00,707,452 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI

[2009/12/04 22:18:34 | 00,606,678 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2009/12/04 22:18:34 | 00,105,678 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2009/12/04 22:04:38 | 00,002,399 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\UltraMon.lnk

[2009/12/04 22:04:29 | 00,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2009/12/04 22:04:13 | 00,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2009/12/04 22:04:13 | 00,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2009/12/04 22:04:10 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT

[2009/12/04 22:04:06 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2009/12/04 01:48:25 | 00,524,288 | -HS- | M] () -- C:\Users\dchin\ntuser.dat{5192bde4-e0b4-11de-b3ff-0019d1313e7b}.TMContainer00000000000000000002.regtrans-ms

[2009/12/04 01:48:25 | 00,524,288 | -HS- | M] () -- C:\Users\dchin\ntuser.dat{5192bde4-e0b4-11de-b3ff-0019d1313e7b}.TMContainer00000000000000000001.regtrans-ms

[2009/12/04 01:48:25 | 00,065,536 | -HS- | M] () -- C:\Users\dchin\ntuser.dat{5192bde4-e0b4-11de-b3ff-0019d1313e7b}.TM.blf

[2009/12/04 01:47:56 | 02,462,896 | -H-- | M] () -- C:\Users\dchin\AppData\Local\IconCache.db

[2009/12/04 00:15:14 | 00,524,288 | -HS- | M] () -- C:\Users\dchin\ntuser.dat{1a5ae76c-e089-11de-a211-0019d1313e7b}.TMContainer00000000000000000001.regtrans-ms

[2009/12/04 00:15:14 | 00,065,536 | -HS- | M] () -- C:\Users\dchin\ntuser.dat{1a5ae76c-e089-11de-a211-0019d1313e7b}.TM.blf

[2009/12/04 00:11:34 | 00,000,150 | ---- | M] () -- C:\Users\dchin\Desktop\I can't get rid of Rootkit.TDSS. Please help. - Malwarebytes Forum.URL

[2009/12/04 00:09:51 | 00,464,491 | ---- | M] () -- C:\Users\dchin\Desktop\RootRepeal.zip

[2009/12/03 20:38:14 | 00,524,288 | -HS- | M] () -- C:\Users\dchin\ntuser.dat{1a5ae76c-e089-11de-a211-0019d1313e7b}.TMContainer00000000000000000002.regtrans-ms

[2009/12/03 19:45:40 | 00,524,288 | -HS- | M] () -- C:\Users\dchin\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms

[2009/12/03 19:45:40 | 00,065,536 | -HS- | M] () -- C:\Users\dchin\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf

[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys

[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

[2009/12/02 22:54:42 | 00,000,020 | -H-- | M] () -- C:\ProgramData\PKP_DLbz.DAT

[2009/11/30 19:18:25 | 01,934,870 | ---- | M] () -- C:\Windows\System32\drivers\NAV\1101000.013\Cat.DB

[2009/11/30 19:10:32 | 00,023,552 | ---- | M] () -- C:\Windows\System32\tdlcmd.dll

[2009/11/29 21:52:00 | 00,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2009/11/29 01:40:40 | 00,002,631 | ---- | M] () -- C:\Users\Public\Desktop\Jasc Paint Shop Pro 8.lnk

[2009/11/26 22:08:04 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe

[2009/11/26 22:08:04 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe

[2009/11/26 22:08:03 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deploytk.dll

[2009/11/26 22:08:03 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe

[2009/11/26 13:25:50 | 00,130,312 | ---- | M] (Kaspersky Lab) -- C:\Users\dchin\Desktop\TDSSKiller.exe

[2009/11/26 00:46:43 | 00,000,861 | ---- | M] () -- C:\Users\Public\Desktop\VLC media player.lnk

[2009/11/25 23:21:01 | 00,000,219 | ---- | M] () -- C:\Windows\System32\lsprst7.tgz

[2009/11/25 23:21:01 | 00,000,205 | ---- | M] () -- C:\Windows\System32\lsprst7.dll

[2009/11/25 23:21:01 | 00,000,087 | ---- | M] () -- C:\Windows\System32\ssprs.tgz

[2009/11/25 23:21:01 | 00,000,073 | ---- | M] () -- C:\Windows\System32\ssprs.dll

[2009/11/25 23:21:01 | 00,000,021 | ---- | M] () -- C:\Windows\SurCode.INI

[2009/11/24 22:17:49 | 02,557,272 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

[2009/11/23 20:21:52 | 00,000,632 | ---- | M] () -- C:\Windows\tasks\Norton Internet Security - Run Full System Scan - dchin.job

[2009/11/20 00:40:57 | 00,000,418 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{BEE5FDBC-E548-47B0-8442-B40606EC71D3}.job

[2009/11/19 23:46:00 | 00,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-453041003-4031370672-94328986-1002UA.job

[2009/11/19 23:46:00 | 00,000,856 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-453041003-4031370672-94328986-1002Core.job

[2009/11/19 23:42:00 | 00,002,081 | ---- | M] () -- C:\Users\dchin\Desktop\Google Chrome.lnk

[2009/11/15 23:33:08 | 00,352,038 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts

[2009/11/15 21:56:31 | 34,408,3456 | ---- | M] () -- C:\Users\dchin\Documents\backup.reg

[2009/11/15 21:55:36 | 00,125,776 | ---- | M] () -- C:\Users\dchin\AppData\Local\GDIPFONTCACHEV1.DAT

[2009/11/14 11:04:01 | 00,002,127 | ---- | M] () -- C:\Users\Public\Desktop\Norton AntiVirus.lnk

[2009/11/14 01:47:57 | 00,260,608 | ---- | M] () -- C:\Windows\PEV.exe

[2009/11/12 21:58:19 | 00,124,976 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\drivers\SYMEVENT.SYS

[2009/11/12 21:58:19 | 00,007,443 | ---- | M] () -- C:\Windows\System32\drivers\SYMEVENT.CAT

[2009/11/12 21:58:19 | 00,000,805 | ---- | M] () -- C:\Windows\System32\drivers\SYMEVENT.INF

[2009/11/11 10:43:15 | 00,002,633 | ---- | M] () -- C:\Users\dchin\Desktop\Microsoft Office Outlook 2007.lnk

[2009/11/10 00:29:35 | 00,001,876 | ---- | M] () -- C:\Users\dchin\Desktop\HijackThis.lnk

[2009/11/09 23:10:58 | 00,119,808 | ---- | M] (Atribune.org) -- C:\Users\dchin\Desktop\VundoFix.exe

[2009/11/06 17:15:21 | 00,000,172 | ---- | M] () -- C:\Windows\System32\drivers\NAV\1101000.013\isolate.ini

[2009/11/06 10:59:54 | 15,406,728 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\xlive.dll

[2009/11/06 10:59:54 | 13,642,888 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\xlivefnt.dll

[2009/11/06 10:58:04 | 00,178,975 | ---- | M] () -- C:\Windows\System32\xlive.dll.cat

[2009/11/05 14:07:13 | 00,007,493 | ---- | M] () -- C:\Windows\System32\drivers\NAV\1101000.013\SymDS.cat

[2009/11/05 14:06:13 | 00,328,752 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\drivers\NAV\1101000.013\SymDS.sys

[2009/11/05 14:06:13 | 00,002,793 | ---- | M] () -- C:\Windows\System32\drivers\NAV\1101000.013\SymDS.inf

[2009/11/04 23:40:16 | 00,162,816 | ---- | M] () -- C:\Users\dchin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== Files Created - No Company Name ==========

[2009/12/04 22:20:40 | 00,843,187 | ---- | C] () -- C:\Users\dchin\Desktop\SecurityCheck.exe

[2009/12/04 01:07:26 | 00,524,288 | -HS- | C] () -- C:\Users\dchin\ntuser.dat{5192bde4-e0b4-11de-b3ff-0019d1313e7b}.TMContainer00000000000000000002.regtrans-ms

[2009/12/04 01:07:26 | 00,524,288 | -HS- | C] () -- C:\Users\dchin\ntuser.dat{5192bde4-e0b4-11de-b3ff-0019d1313e7b}.TMContainer00000000000000000001.regtrans-ms

[2009/12/04 01:07:26 | 00,065,536 | -HS- | C] () -- C:\Users\dchin\ntuser.dat{5192bde4-e0b4-11de-b3ff-0019d1313e7b}.TM.blf

[2009/12/04 00:11:34 | 00,000,150 | ---- | C] () -- C:\Users\dchin\Desktop\I can't get rid of Rootkit.TDSS. Please help. - Malwarebytes Forum.URL

[2009/12/04 00:09:51 | 00,464,491 | ---- | C] () -- C:\Users\dchin\Desktop\RootRepeal.zip

[2009/12/03 20:02:59 | 00,524,288 | -HS- | C] () -- C:\Users\dchin\ntuser.dat{1a5ae76c-e089-11de-a211-0019d1313e7b}.TMContainer00000000000000000002.regtrans-ms

[2009/12/03 20:02:59 | 00,524,288 | -HS- | C] () -- C:\Users\dchin\ntuser.dat{1a5ae76c-e089-11de-a211-0019d1313e7b}.TMContainer00000000000000000001.regtrans-ms

[2009/12/03 20:02:59 | 00,065,536 | -HS- | C] () -- C:\Users\dchin\ntuser.dat{1a5ae76c-e089-11de-a211-0019d1313e7b}.TM.blf

[2009/11/26 00:46:42 | 00,000,861 | ---- | C] () -- C:\Users\Public\Desktop\VLC media player.lnk

[2009/11/25 19:18:06 | 00,023,552 | ---- | C] () -- C:\Windows\System32\tdlcmd.dll

[2009/11/19 23:42:00 | 00,002,081 | ---- | C] () -- C:\Users\dchin\Desktop\Google Chrome.lnk

[2009/11/19 23:41:30 | 00,000,908 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-453041003-4031370672-94328986-1002UA.job

[2009/11/19 23:41:29 | 00,000,856 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-453041003-4031370672-94328986-1002Core.job

[2009/11/16 21:19:19 | 00,260,608 | ---- | C] () -- C:\Windows\PEV.exe

[2009/11/16 21:19:19 | 00,098,816 | ---- | C] () -- C:\Windows\sed.exe

[2009/11/16 21:19:19 | 00,080,412 | ---- | C] () -- C:\Windows\grep.exe

[2009/11/16 21:19:19 | 00,077,312 | ---- | C] () -- C:\Windows\MBR.exe

[2009/11/16 21:19:19 | 00,068,096 | ---- | C] () -- C:\Windows\zip.exe

[2009/11/15 21:56:09 | 34,408,3456 | ---- | C] () -- C:\Users\dchin\Documents\backup.reg

[2009/11/14 11:03:03 | 01,934,870 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1101000.013\Cat.DB

[2009/11/13 02:52:51 | 00,007,774 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1101000.013\symnetv.cat

[2009/11/13 02:52:51 | 00,007,431 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1101000.013\SymEFA.cat

[2009/11/13 02:52:51 | 00,007,355 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1101000.013\SymNet.cat

[2009/11/13 02:52:51 | 00,003,373 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1101000.013\SymEFA.inf

[2009/11/13 02:52:51 | 00,001,474 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1101000.013\SymNetV.inf

[2009/11/13 02:52:51 | 00,001,446 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1101000.013\SymNet.inf

[2009/11/13 02:52:50 | 00,007,493 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1101000.013\SymDS.cat

[2009/11/13 02:52:50 | 00,007,438 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1101000.013\srtsp.cat

[2009/11/13 02:52:50 | 00,007,429 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1101000.013\srtspx.cat

[2009/11/13 02:52:50 | 00,002,793 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1101000.013\SymDS.inf

[2009/11/13 02:52:50 | 00,001,389 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1101000.013\srtspx.inf

[2009/11/13 02:52:50 | 00,001,383 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1101000.013\srtsp.inf

[2009/11/13 02:52:49 | 00,007,424 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1101000.013\iron.cat

[2009/11/13 02:52:49 | 00,007,396 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1101000.013\cchpx86.cat

[2009/11/13 02:52:49 | 00,001,756 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1101000.013\ccHPx86.inf

[2009/11/13 02:52:49 | 00,000,743 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1101000.013\Iron.inf

[2009/11/13 02:52:23 | 00,000,172 | ---- | C] () -- C:\Windows\System32\drivers\NAV\1101000.013\isolate.ini

[2009/11/12 21:58:19 | 00,007,443 | ---- | C] () -- C:\Windows\System32\drivers\SYMEVENT.CAT

[2009/11/12 21:58:19 | 00,000,805 | ---- | C] () -- C:\Windows\System32\drivers\SYMEVENT.INF

[2009/11/12 21:57:50 | 00,002,127 | ---- | C] () -- C:\Users\Public\Desktop\Norton AntiVirus.lnk

[2009/11/10 00:29:35 | 00,001,876 | ---- | C] () -- C:\Users\dchin\Desktop\HijackThis.lnk

[2009/11/06 10:58:04 | 00,178,975 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat

[2009/10/26 22:09:15 | 00,000,600 | ---- | C] () -- C:\Users\dchin\AppData\Roaming\winscp.rnd

[2009/10/14 20:35:56 | 00,000,680 | ---- | C] () -- C:\Users\dchin\AppData\Local\d3d9caps.dat

[2009/09/11 18:29:12 | 00,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll

[2009/08/09 23:31:57 | 00,038,439 | ---- | C] () -- C:\Users\dchin\AppData\Roaming\Comma Separated Values (Windows).ADR

[2009/06/19 19:06:22 | 00,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll

[2009/06/19 19:06:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll

[2009/06/19 19:06:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll

[2009/06/19 19:06:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll

[2009/06/19 19:06:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll

[2009/06/19 19:06:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll

[2009/06/19 19:06:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll

[2009/06/19 19:06:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll

[2009/06/19 19:06:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll

[2009/06/19 19:06:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll

[2008/12/09 23:30:56 | 00,000,021 | ---- | C] () -- C:\Windows\SurCode.INI

[2008/08/03 21:15:20 | 00,000,547 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll.manifest

[2008/03/25 20:59:23 | 00,000,013 | ---- | C] () -- C:\Windows\OemOut.ini

[2008/02/22 23:43:53 | 01,658,973 | ---- | C] () -- C:\Windows\System32\libmmd.dll

[2007/08/23 18:30:00 | 00,007,680 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll

[2007/07/19 23:51:54 | 00,001,025 | ---- | C] () -- C:\Windows\System32\sysprs7.dll

[2007/07/19 23:51:54 | 00,001,025 | ---- | C] () -- C:\Windows\System32\clauth2.dll

[2007/07/19 23:51:54 | 00,001,025 | ---- | C] () -- C:\Windows\System32\clauth1.dll

[2007/07/19 23:51:54 | 00,000,205 | ---- | C] () -- C:\Windows\System32\lsprst7.dll

[2007/07/19 23:51:54 | 00,000,073 | ---- | C] () -- C:\Windows\System32\ssprs.dll

[2007/06/11 22:09:58 | 02,463,976 | ---- | C] () -- C:\Windows\System32\NPSWF32.dll

[2007/03/27 00:16:25 | 00,000,871 | ---- | C] () -- C:\Windows\QIII.INI

[2007/03/27 00:07:27 | 00,003,972 | ---- | C] () -- C:\Windows\System32\drivers\PciBus.sys

[2007/03/14 23:33:22 | 00,000,268 | RH-- | C] () -- C:\ProgramData\Analog Pad

[2007/03/14 23:33:22 | 00,000,268 | RH-- | C] () -- C:\Users\dchin\AppData\Roaming\Alerts

[2007/03/14 21:30:35 | 00,000,020 | -H-- | C] () -- C:\ProgramData\PKP_DLbz.DAT

[2007/03/13 22:30:53 | 00,056,056 | ---- | C] () -- C:\Windows\System32\DLAAPI_W.DLL

[2007/03/12 23:34:48 | 00,002,105 | ---- | C] () -- C:\ProgramData\hpzinstall.log

[2007/03/12 21:41:35 | 00,000,000 | -H-- | C] () -- C:\ProgramData\PKP_DLea.DAT

[2007/03/08 10:25:03 | 00,162,816 | ---- | C] () -- C:\Users\dchin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2007/03/02 00:23:58 | 00,000,376 | ---- | C] () -- C:\Windows\ODBC.INI

[2007/03/02 00:15:00 | 00,000,244 | ---- | C] () -- C:\Windows\wininit.ini

[2006/11/07 11:25:58 | 00,000,000 | ---- | C] () -- C:\Windows\System32\px.ini

[2006/11/02 04:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll

[2006/11/02 02:25:44 | 00,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll

[2006/11/01 23:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

[2006/09/16 21:36:50 | 00,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll

[2006/09/16 21:36:50 | 00,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll

[2006/06/23 07:09:34 | 00,019,968 | R--- | C] () -- C:\Windows\System32\cpuinf32.dll

========== LOP Check ==========

[2007/11/27 21:55:05 | 00,000,000 | ---D | M] -- C:\Users\dchin\AppData\Roaming\Flickr

[2007/03/10 23:11:01 | 00,000,000 | ---D | M] -- C:\Users\dchin\AppData\Roaming\Forte

[2007/03/14 21:27:44 | 00,000,000 | ---D | M] -- C:\Users\dchin\AppData\Roaming\Nikon

[2007/04/02 23:07:43 | 00,000,000 | ---D | M] -- C:\Users\dchin\AppData\Roaming\Opera

[2008/04/02 23:30:54 | 00,000,000 | ---D | M] -- C:\Users\dchin\AppData\Roaming\RTPlayer

[2008/10/15 19:18:09 | 00,000,000 | ---D | M] -- C:\Users\dchin\AppData\Roaming\SystemRequirementsLab

[2009/12/03 20:03:05 | 00,000,000 | ---D | M] -- C:\Users\dchin\AppData\Roaming\Tific

[2009/11/23 23:31:38 | 00,000,000 | ---D | M] -- C:\Users\dchin\AppData\Roaming\uTorrent

[2009/12/04 01:48:05 | 00,032,598 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

[2009/11/20 00:40:57 | 00,000,418 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{BEE5FDBC-E548-47B0-8442-B40606EC71D3}.job

========== Purity Check ==========

< End of report >


Extras.txt

OTL Extras logfile created on: 12/4/2009 10:28:57 PM - Run 1

OTL by OldTimer - Version 3.1.11.6 Folder = C:\Users\dchin\Desktop

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18828)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.82 Gb Available Physical Memory | 91.06% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 455.72 Gb Total Space | 94.26 Gb Free Space | 20.68% Space Free | Partition Type: NTFS

Drive D: | 10.00 Gb Total Space | 5.85 Gb Free Space | 58.52% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: DCHIN

Current User Name: dchin

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.chm [@ = chm.file] -- "%SystemRoot%\hh.exe" %1

.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

chm.file [open] -- "%SystemRoot%\hh.exe" %1

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)

htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)

http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)

https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)

Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()

Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

"UacDisableNotify" = 1

"InternetSettingsDisableNotify" = 1

"AutoUpdateDisableNotify" = 1

"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

"VistaSp1" = Reg Error: Unknown registry data type -- File not found

"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

========== Authorized Applications List ==========

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{0C74DAA8-A81A-4F79-869D-A6F4FB98E9D2}" = lport=26675 | protocol=6 | dir=in | name=@%systemroot%\windowsmobile\wmdcbase.exe,-4006 |

"{0DCC73C7-D042-41B4-AA36-71FA8F6FF29F}" = lport=999 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe |

"{0EB31A8A-E8D1-4D40-9BE1-1264A0A9AA30}" = lport=51000 | protocol=6 | dir=in | name=adobe version cue cs4 server |

"{14E42A3A-D592-41EE-A3F6-7B71F3F18D31}" = lport=50901 | protocol=6 | dir=in | name=adobe version cue cs3 server |

"{18A1DFC9-7087-417D-8DB7-8D563EAE3A0B}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{1BF86D88-C03C-4C5C-A1E6-227064833B52}" = lport=9442 | protocol=17 | dir=in | name=intel® viiv media server discovery |

"{1D36AFDD-CDCF-4BE8-B2EC-4A5ADD0B430C}" = lport=5721 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{1DFA8279-ED71-4DCD-BE3B-2FED2022B6C2}" = lport=5721 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{31DAF854-723D-4788-8CC1-BFDEB12936F6}" = lport=5678 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe |

"{35C38284-61C1-4E77-A2EF-86D221DF344F}" = lport=3703 | protocol=6 | dir=in | name=adobe version cue cs4 server |

"{3BF78A66-0613-4A0A-9BDF-07EA4EA583E4}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{3EF182DA-C7B8-4171-BD0E-2A11BE219095}" = lport=5721 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{3F449BD7-93C8-430E-981F-487606FF2A88}" = lport=26675 | protocol=6 | dir=in | name=@%systemroot%\windowsmobile\wmdcbase.exe,-4006 |

"{402B6F10-6BA3-4664-BD89-A6A06BB4AF84}" = lport=999 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe |

"{404D3057-4F1E-42DE-988E-F6EB82996AE3}" = lport=999 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe |

"{41142B25-D268-4B1C-BE12-4FDAAF518321}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{470B88CA-FF72-440A-BA88-498507FB80ED}" = lport=5678 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe |

"{546217D4-F969-437B-951C-0A1F334D7FA0}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{5D411E1E-4F9A-4B60-BA57-F6D4CF1C6D4A}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{60D7FBC6-44C1-41FE-B085-75B496480C59}" = lport=5678 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe |

"{66FC5807-5B89-4E83-8B48-947EEBFFB827}" = lport=3704 | protocol=6 | dir=in | name=adobe version cue cs4 server |

"{67D653F1-4CEB-444C-AA4F-C0AA4440353C}" = lport=5721 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{68D99E50-82CA-42D4-90CF-B542FE81396A}" = lport=26675 | protocol=6 | dir=in | name=@%systemroot%\windowsmobile\wmdcbase.exe,-4006 |

"{6CE8EEFC-8157-498F-8B7D-FC6C694D3970}" = lport=5721 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{7258A425-D638-4C4C-98F6-40084F189961}" = lport=1900 | protocol=17 | dir=in | name=intel® viiv media server upnp discovery |

"{77405125-3BF5-4AA4-898A-5843FA702CB3}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{8288B50C-51E8-43F0-81AE-AF264F8C00A9}" = lport=26675 | protocol=6 | dir=in | name=@%systemroot%\windowsmobile\wmdcbase.exe,-4006 |

"{84EF2876-61C6-437F-8956-281285CCAA7E}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{8580A6DB-6910-4F13-8EE4-0F086D197C05}" = lport=999 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe |

"{86E57FFC-18AB-4D94-807A-43EBCE26C3DC}" = lport=5678 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe |

"{91AD7CF8-7CAD-4F7E-BB6F-A874E576BE5E}" = lport=26675 | protocol=6 | dir=in | name=@%systemroot%\windowsmobile\wmdcbase.exe,-4006 |

"{A2F0A070-A62A-4571-8B0E-545CF994DDAE}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{A53F9B35-F35F-42C3-A9EC-1451CB82156A}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{AB467AE7-4E47-403A-9309-8743B1E54009}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{BA0FAEDA-9678-4AFD-A5B7-D619A0F2513D}" = lport=999 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe |

"{C2FDE8CF-2776-4B0A-86F8-BD9ECA4513A0}" = lport=5678 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe |

"{C8E9834D-9B37-4CC9-91DB-0328ECFC3401}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |

"{C983CD05-3283-48CE-A208-37FF99ABB5A9}" = lport=5721 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{D200B432-5059-4036-A554-639781623910}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{D5BF3792-1548-416D-ACE8-8519902D7868}" = lport=999 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe |

"{DF8B7A40-FB55-475D-9FAE-056DB8F74DCE}" = lport=26675 | protocol=6 | dir=in | name=@%systemroot%\windowsmobile\wmdcbase.exe,-4006 |

"{E86D8ECD-F8D4-42E9-A87B-4329C000F352}" = lport=50900 | protocol=6 | dir=in | name=adobe version cue cs3 server |

"{F725BD57-59B4-4F56-BB88-FE7C946482C9}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{F95ABAE2-AC59-4669-9BE8-34CDD2E2F699}" = lport=5678 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe |

"{FB165F36-A273-46FF-A027-9D6C6E9AC83F}" = lport=5353 | protocol=6 | dir=in | name=adobe csi cs4 |

"{FDB567DE-DBA3-4F22-8ED7-48ED06B2E131}" = lport=51001 | protocol=6 | dir=in | name=adobe version cue cs4 server |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{09E3D498-5B4F-4D6D-B1DA-3CEE90CE5802}" = protocol=6 | dir=in | app=c:\program files\intel\inteldh\ccu\alertservice.exe |

"{0D0AC66C-DD0F-463B-89F5-7EF37BB2F887}" = protocol=17 | dir=in | app=c:\program files\intel\inteldh\intel media server\media server\bin\tshwmdtcp.exe |

"{19625128-27E4-4F89-B283-FB74B298364B}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |

"{1B985F8A-5FCA-4890-8A65-5BA5476474D8}" = protocol=17 | dir=in | app=c:\program files\eidos\batman arkham asylum\binaries\shippingpc-bmgame.exe |

"{1E7D9367-D840-4B41-8A52-F25847CEF14F}" = protocol=6 | dir=in | app=c:\windows\system32\logonui.exe |

"{204CD451-C63D-4D3B-8E69-25585104C490}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |

"{20B605F8-D872-457F-B74D-BDAEFD743C3D}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |

"{21746504-2B7C-45EC-BA5F-4F2F12C8321E}" = protocol=17 | dir=in | app=c:\windows\explorer.exe |

"{233CD5AA-A08D-4070-A5C4-69FBF732EF44}" = protocol=6 | dir=in | app=c:\program files\rapidsolution\tunebite\tunebitehelper.exe |

"{2C19DCDB-2896-4A0E-88B2-D0A6B99571EB}" = protocol=17 | dir=in | app=c:\program files\intel\inteldh\ccu\alertservice.exe |

"{305F4089-E35F-497C-BE49-7B950CD22622}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe |

"{311F8AFE-FD27-476B-818F-DC271E2BD232}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{32EAA0AA-BE95-4D8B-A37A-63D5E4F4AD4A}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |

"{39653F03-63BA-450A-A9DA-36254A403366}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{3AD4B34B-D756-403D-A42B-127AB210343D}" = protocol=6 | dir=in | app=c:\windows\system32\wininit.exe |

"{3CFFBBC8-00FA-4662-900D-D6C3C0AFBA6D}" = protocol=17 | dir=in | app=c:\windows\explorer.exe |

"{3F8A15E0-B48C-4488-83C9-076D820095E3}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |

"{4168DE57-8CF6-4B9E-9077-CF69CD70C9D4}" = protocol=17 | dir=in | app=c:\windows\system32\wininit.exe |

"{452CDFAF-C4B4-4C8E-A6C2-659DD00BCFFE}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |

"{4587651D-F094-4E1D-83AF-079481941C46}" = protocol=17 | dir=in | app=c:\windows\system32\wininit.exe |

"{495ED43B-A68F-42F5-895B-CDED854709A4}" = protocol=6 | dir=in | app=c:\program files\intel\inteldh\ccu\alertservice.exe |

"{4A5262DB-5203-41E8-8C26-89B4211BBE56}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{4AA70D7F-3138-4673-9AF3-2B1C790C6B77}" = protocol=6 | dir=in | app=c:\program files\intel\inteldh\intel media server\shells\remote ui service.exe |

"{53B0C266-BF35-48A3-B709-5FA69DF88C72}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{58EF34AE-B571-4600-B277-A92A53CAF9AF}" = protocol=17 | dir=in | app=c:\program files\common files\adobe\adobe version cue cs3\server\bin\versioncuecs3.exe |

"{5B8B76BA-972B-4F1F-B0F8-FA1D368E0F94}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |

"{5BF1C82A-39CF-4F0F-A331-F936B7C1231E}" = protocol=6 | dir=in | app=c:\program files\common files\adobe\adobe version cue cs3\server\bin\versioncuecs3.exe |

"{5FEC8C57-C00E-4154-B3A7-9B6B7CBCF9F1}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |

"{6194C908-3B1A-43C3-9656-A1D4FCFEC382}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{61E52570-CD44-4DA4-BCDE-B35A1C5E1ACD}" = protocol=6 | dir=in | app=c:\windows\explorer.exe |

"{6239C247-E397-4FA2-B9C7-C22862EDB581}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe |

"{64BD2333-2393-42EA-8E81-E1E26D3CA4AF}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{663A80F4-99FC-41A5-B7EA-388FC2C6C291}" = protocol=6 | dir=in | app=c:\program files\eidos\batman arkham asylum\binaries\shippingpc-bmgame.exe |

"{6BF63807-1738-498B-97A1-63C5D229F364}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{6FD5EBC4-304A-405E-9098-B66FD1D8C8D0}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |

"{719E0B10-0FA5-45E1-891D-A2AC586DC9E1}" = protocol=17 | dir=in | app=c:\program files\common files\adobe\adobe version cue cs4\server\bin\versioncuecs4.exe |

"{77589D22-5BDC-45B4-8D18-B49791B760EF}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |

"{7EB9DC48-E359-4030-85E5-CFB5FE88E564}" = protocol=17 | dir=in | app=c:\program files\intel\inteldh\ccu\alertservice.exe |

"{81ED28AC-8231-4EDA-93A6-6902C3D0FFD8}" = protocol=6 | dir=in | app=c:\program files\intel\inteldh\intel media server\media server\bin\mediaserver.exe |

"{8935CC79-6408-4D34-8BFF-A3BDDB97DBCB}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe |

"{8E0A0AF8-7841-4EF0-8892-B757F8112362}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{8F11FBD7-FC11-4145-BFD0-B2A2E0CD3955}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |

"{911771BA-DC6E-41AB-AC08-E3C89A29A769}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |

"{92AA4F60-E112-418A-97EA-4D7E3FAA6375}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |

"{9B2465B5-40E9-466B-9B5F-6D607AF2A3BB}" = protocol=17 | dir=in | app=c:\program files\intel\inteldh\intel media server\shells\remote ui service.exe |

"{A0C50F46-1D58-4A6D-A53F-88EE2822EBBE}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{AA05674A-6617-4B33-8F2C-D5DE0CB7B5FC}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe |

"{AF051E2D-C38E-4DA2-A516-86CF0667806C}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |

"{B159023A-A186-4CE1-877E-8E11AD416FD7}" = protocol=6 | dir=in | app=c:\windows\explorer.exe |

"{B16E7F94-69D9-4789-8EB2-0982B3A70DE6}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |

"{B2E64F92-5898-49CE-BC7B-DA99F46ED45A}" = protocol=17 | dir=in | app=c:\program files\intel\inteldh\intel media server\media server\bin\mediaserver.exe |

"{BC75BCF1-6A06-4A7B-87E5-448C139FC10E}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |

"{C349AE4A-8A48-4EBF-BBE7-D3740BFF12E3}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |

"{C6EE26DD-6D2D-4DC2-955A-FC17E13683A1}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |

"{C76E5DDA-1B1C-416C-A014-479101EA8B46}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{C9031103-6037-44CB-99B3-B7CC55DABC91}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe |

"{C91D7BC3-062D-4581-BB8E-7E53D593162F}" = protocol=6 | dir=in | app=c:\program files\intel\inteldh\intel media server\media server\bin\tshwmdtcp.exe |

"{C93A6236-F3B1-4913-9CBA-9537437D90A8}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |

"{CAEDA501-E61C-477D-889C-F4A1E53075BD}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe |

"{CC7E3CFB-DEB2-4B43-968F-37BD3026DB24}" = protocol=6 | dir=in | app=c:\program files\common files\adobe\adobe version cue cs4\server\bin\versioncuecs4.exe |

"{D26B45D3-C591-4CD8-8C63-67B5BEB60FFC}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"{D74E16C6-6B8F-4562-9533-65DFB3950C17}" = protocol=17 | dir=in | app=c:\program files\rapidsolution\tunebite\tunebitehelper.exe |

"{DC37E80E-9539-453C-9E45-384402758BBA}" = protocol=17 | dir=in | app=c:\program files\common files\adobe\cs4servicemanager\cs4servicemanager.exe |

"{E10D8498-CFC9-4631-ACB4-854DFD77200F}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |

"{E6F966A3-BC5F-4DA6-A6FD-CAB06E8B04DA}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |

"{EB991C71-75A5-4BBD-987D-F31CE7C822F5}" = protocol=6 | dir=in | app=c:\windows\system32\wininit.exe |

"{EDC0780E-936F-4AB9-8C62-7AEBFEBA44AB}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |

"{F0063754-E1B4-4FBE-B677-84C75A512F85}" = protocol=6 | dir=in | app=c:\program files\common files\adobe\cs4servicemanager\cs4servicemanager.exe |

"{F65AB9D6-99D3-4167-98B6-B4FFEF815D44}" = protocol=17 | dir=in | app=c:\windows\system32\logonui.exe |

"{F80398A3-190A-41DC-B540-214C88579166}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

"TCP Query User{3747BF23-6AB4-41EF-BEF7-2EBDD1E427C4}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

"UDP Query User{2C588D68-8EEA-43E6-AAF8-66B6AE91C826}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4

"{00C5F4F4-62F9-40D7-8000-AD8A9CD0C669}" = Microsoft Games for Windows - LIVE Redistributable

"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools

"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam

"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4

"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4

"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour

"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler

"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer

"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data

"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4

"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4

"{13BA7B44-B712-4DEE-A7B8-1DD564F37AE5}" = Dell System Customization Wizard

"{14F70205-1940-4000-88C7-BE799A6B2CAD}" = Adobe Soundbooth CS4

"{15BF7AAF-846C-4A6D-80E1-5D1FC7FB461B}" = Adobe SGM CS4

"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4

"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB

"{1B7C06E1-4888-47A6-992A-0990B9683486}" = Adobe Version Cue CS4 Server

"{1DCA3EAA-6EB5-4563-A970-EA14D75037BA}" = Adobe InDesign CS4

"{1E04CB54-AF4E-4AC3-B4B7-C0A160BE57F1}" = Adobe InDesign CS4 Icon Handler

"{2168245A-B5AD-40D8-A641-48E3E070B5B6}" = Adobe Flash CS4 STI-en

"{2357B8BC-88C9-4A72-818C-050CC4EB0778}" = AOL Install

"{2665DDED-E1BE-43DE-B564-8309772E9CAB}" = Motorola Software Update

"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java 6 Update 16

"{26C610BF-761B-4209-BD6A-A0F1B73D6DDE}" = Intel® Viiv Software

"{297190A1-4B0D-4CD6-8B9F-3907F15C3FD8}" = Adobe CS4 American English Speech Analysis Models

"{2BAF2B96-7560-48B4-87D4-10178DDBE217}" = Adobe InDesign CS4 Application Feature Set Files (Roman)

"{2C9EE786-1DDB-4C98-8FA4-B1B9B5A66B77}" = Microsoft Games for Windows - LIVE

"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc

"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager

"{30C8AA56-4088-426F-91D1-0EDFD3A25678}" = Adobe Dreamweaver CS4

"{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper

"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4

"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module

"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4

"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4

"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin

"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = URL Assistant

"{3F927DF0-D056-466F-B4B8-61804D5B6351}" = 913D Camera

"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting

"{43509E18-076E-40FE-AF38-CA5ED400A5A9}" = Pixel Bender Toolkit

"{44E240EC-2224-4078-A88B-2CEE0D3016EF}" = Adobe After Effects CS4 Presets

"{45EC816C-0771-4C14-AE6D-72D1B578F4C8}" = Adobe After Effects CS4

"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension

"{4A52555C-032A-4083-BDD9-6A85ABFB39A8}" = Adobe SING CS4

"{4BC14A37-586A-4AB3-A458-874AAE29337C}" = Adobe Setup

"{4E79A60F-15D2-4BEC-91AD-E41EC42E61B0}" = Batman: Arkham Asylum

"{556EEE74-6788-4292-8252-8B17E2C7952A}" = Photosynth 2.0.1403.5

"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4

"{561968FD-56A1-49FD-9ED0-F55482C7C5BC}" = Adobe Media Encoder CS4 Exporter

"{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}" = User's Guides

"{5D601655-6D54-4384-B52C-17EC5385FBBD}" = iTunes

"{5EAD5443-7194-46CC-A055-428E6ABB1BAF}" = Adobe Encore CS4

"{60DB5894-B5A1-4B62-B0F3-669A22C0EE5D}" = Adobe Dynamiclink Support

"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy

"{61D6891E-E822-4448-9F9A-0AAAAEB6AF6C}" = Adobe Creative Suite 4 Master Collection

"{621FCD24-4498-4324-A81E-07D331376EDF}" = PixiePack Codec Pack

"{624D81E7-1699-40E0-B3CE-3AFF62CB6704}" = Avid Codecs LE

"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4

"{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support

"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler

"{67A9747A-E1F5-4E9A-81CC-12B5D5B81B6E}" = Adobe After Effects CS4 Third Party Content

"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin

"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{793D1D88-6141-43DE-BE58-59BCE31B4090}" = Adobe Flash CS4 Extension - Flash Lite STI en

"{7CC7BDD5-6F10-4724-96A1-EAC7D9F2831C}" = Adobe InDesign CS4 Common Base Files

"{8186FF34-D389-4B7E-9A2F-C197585BCFBD}" = Adobe Media Encoder CS4 Importer

"{819E24AA-DB15-4BA8-8D76-92BDF710610B}" = Adobe Setup

"{81A34902-9D0B-4920-A25C-4CDC5D14B328}" = Jasc Paint Shop Pro 8

"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4

"{8355F970-601D-442D-A79B-1D7DB4F24CAD}" = Apple Mobile Device Support

"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4

"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio

"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4

"{87532CAB-7932-4F84-8937-823337622807}" = Adobe Illustrator CS4

"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin

"{89CEAE14-DD0F-448E-9554-15781EC9DB24}" = Documentation & Support Launcher

"{8EB8E60B-315D-44EB-A896-10D88602EE46}" = Adobe Setup

"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007

"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007

"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007

"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007

"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007

"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007

"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)

"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007

"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007

"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007

"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007

"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007

"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{904CCF62-818D-4675-BC76-D37EB399F917}" = Windows Mobile Device Center

"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager

"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4

"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4

"{95264530-5A22-8E7E-FE9D-D63A927BCAEA}" = Adobe Media Player

"{9F8FDE1A-FA91-43F2-887B-CF080156D57E}" = Adobe Setup

"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR

"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio

"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{AC76BA86-1033-F400-7760-000000000004}" = Adobe Acrobat 9 Pro - English, Fran


Checkup.txt

Results of screen317's Security Check version 0.99.1

Windows Vista Service Pack 2 (UAC is disabled!)

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

Norton AntiVirus

WMIC entry does not exist for antivirus; attempting automatic update.

``````````````````````````````

Anti-malware/Other Utilities Check:

HijackThis 2.0.2

Java 6 Update 16

Out of date Java installed!

Adobe Flash Player 10

``````````````````````````````

Process Check:

objlist.exe by Laurent

Norton ccSvcHst.exe

``````````````````````````````

DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning.

`````````End of Log```````````

That was the last file.

I await your instructions.

Damon


Hello Damon,

You will want to print out or copy these instructions to Notepad for offline reference!

  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :OTL
    O21 - SSODL: zovahigut - {36066187-7448-4e42-b2da-e7fc422f9c5c} - C:\Windows\System32\modubelo.dll File not found
    O22 - SharedTaskScheduler: {36066187-7448-4e42-b2da-e7fc422f9c5c} - jugezatag - C:\Windows\System32\modubelo.dll File not found

    :services
    zovahigut
    jugezatag
    MSIVXserv
    gxvxcserv
    Cxserv
    TDSSserv
    UACd

    :files
    C:\Windows\System32\zofowoda.dll
    c:\windows\system32\modubelo.dll
    c:\windows\system32\drivers\MSIVX*.sys
    c:\windows\system32\drivers\gxvxc*.sys
    c:\windows\system32\drivers\Cx*.sys
    c:\windows\system32\drivers\TDSS*.sys
    c:\windows\system32\drivers\UACd*.sys
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler

    :Commands
    [purity]
    [emptytemp]
    [CREATERESTOREPOINT]


  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Close all open browsers at this point.

Start Internet Explorer (fresh) by pressing Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.

Using Internet Explorer browser only, go to ESET Online Scanner website:

http://www.eset.com/onlinescan/

  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.

    Look at contents of this file using Notepad or Wordpad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here

    http://www.eset.com/onlinescan/cac4.php?page=faq

    • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
      Otherwise the scan will take twice as long to do:
      every time the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
      (And the prompt re-enabling when finished.)
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.
    • Do not use the system while the scan is running. Once the full scan is underway, go take a long break.

(Skip the download here, as you should already have the RootRepeal zip. Simply make sure the zip contents are Extracted so you have access to RootRepeal.exe)

Download RootRepeal:

http://rootrepeal.googlepages.com/RootRepeal.zip

  • Extract the archive to a folder you create such as C:\RootRepeal
  • Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator").
  • Click the "File" tab (located at the bottom of the RootRepeal screen)
  • Click the "Scan" button
  • In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
  • Click OK and the file scan will begin
  • When the scan is done, there will be files listed, but most if not all of them will be legitimate
  • Click the "Save Report" Button
  • Save the log file to your Documents folder
  • Post the content of the RootRepeal file scan log in your next reply.

=

Reply with copy of the OTL MovedFiles log

the Eset scan log

and the RootRepeal log

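The OTL fix in the post above targets three persistence locations: ShellServiceObjectDelayLoad and SharedTaskScheduler entries whose CLSID points at a DLL that no longer exists (the "File not found" condition OTL reports), and a set of service/driver names. The PowerShell below is an added, read-only audit of those same locations; it is not the helper's script and not part of OTL, it only reads the registry and the file system, and the service names and CLSID handling are taken from the fix script (the registry paths are the standard Windows ones).

```powershell
# Added example, not part of the forum post or of OTL: a read-only audit of the
# persistence locations the OTL fix targets. Registry paths are the standard
# Windows locations; service names are the ones listed in the fix script.
$SuspectServices = @('zovahigut', 'jugezatag', 'MSIVXserv', 'gxvxcserv',
                     'Cxserv', 'TDSSserv', 'UACd')

# Properties Get-ItemProperty adds to every result that are not registry values.
$PsMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Resolve-ClsidDll {
    param([string]$Clsid)
    # The InprocServer32 default value holds the DLL path registered for a CLSID.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $dll = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
    if ([string]::IsNullOrWhiteSpace($dll)) { return $null }
    return [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
}

function Get-ShellLoadEntries {
    # SSODL values are label = CLSID; SharedTaskScheduler values are CLSID = label.
    $locations = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
    )
    foreach ($loc in $locations) {
        if (-not (Test-Path -LiteralPath $loc)) { continue }
        $props = Get-ItemProperty -LiteralPath $loc
        foreach ($p in $props.PSObject.Properties) {
            if ($PsMeta -contains $p.Name) { continue }
            $clsid = if ("$($p.Value)" -match '^\{[0-9A-Fa-f-]{36}\}$') { $p.Value } else { $p.Name }
            $dll = Resolve-ClsidDll -Clsid $clsid
            # A CLSID with no InprocServer32, or one whose DLL is gone, is the
            # "File not found" condition OTL flagged for zovahigut/jugezatag.
            $missing = ($null -eq $dll) -or (-not (Test-Path -LiteralPath $dll))
            [pscustomobject]@{
                Location = Split-Path -Leaf $loc
                Name     = $p.Name
                Clsid    = $clsid
                Dll      = $dll
                Missing  = $missing
            }
        }
    }
}

function Get-SuspectServiceEntries {
    # Read the Services registry tree rather than Get-Service so that kernel
    # drivers (the *.sys entries in the fix) are covered as well.
    foreach ($name in $SuspectServices) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (Test-Path -LiteralPath $svcKey) {
            $img = (Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue).ImagePath
            [pscustomobject]@{ Service = $name; ImagePath = $img }
        }
    }
}

Write-Host 'Shell load entries whose DLL is missing:'
Get-ShellLoadEntries | Where-Object { $_.Missing } | Format-Table -AutoSize
Write-Host 'Services/drivers matching the names from the fix script:'
Get-SuspectServiceEntries | Format-Table -AutoSize
```

A kernel-mode rootkit can hide files and registry keys from user-mode tools, so an empty result from this audit does not by itself rule out infection, which is why the helper also asks for a RootRepeal scan.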

Everything finished okay except the Root Repeal scan.

It stopped midway and produced an error.

I even tried to run it a 2nd time and it produced the same error. See the Crash Report below....

OTL log

All processes killed

========== OTL ==========

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\zovahigut deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36066187-7448-4e42-b2da-e7fc422f9c5c}\ deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{36066187-7448-4e42-b2da-e7fc422f9c5c} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36066187-7448-4e42-b2da-e7fc422f9c5c}\ not found.

========== SERVICES/DRIVERS ==========

No service named zovahigut was found to stop!

Unable to stop service zovahigut!

No service named jugezatag was found to stop!

Unable to stop service jugezatag!

No service named MSIVXserv was found to stop!

Unable to stop service MSIVXserv!

No service named gxvxcserv was found to stop!

Unable to stop service gxvxcserv!

No service named Cxserv was found to stop!

Unable to stop service Cxserv!

No service named TDSSserv was found to stop!

Unable to stop service TDSSserv!

No service named UACd was found to stop!

Unable to stop service UACd!

========== FILES ==========

File\Folder C:\Windows\System32\zofowoda.dll not found.

File\Folder c:\windows\system32\modubelo.dll not found.

File\Folder c:\windows\system32\drivers\MSIVX*.sys not found.

File\Folder c:\windows\system32\drivers\gxvxc*.sys not found.

File\Folder c:\windows\system32\drivers\Cx*.sys not found.

File\Folder c:\windows\system32\drivers\TDSS*.sys not found.

File\Folder c:\windows\system32\drivers\UACd*.sys not found.

File\Folder C:\recycler not found.

File\Folder D:\recycler not found.

File\Folder e:\recycler not found.

File\Folder f:\recycler not found.

File\Folder g:\recycler not found.

File\Folder h:\recycler not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: dchin

->Temp folder emptied: 17316277 bytes

->Temporary Internet Files folder emptied: 13588108 bytes

->Java cache emptied: 16266305 bytes

->FireFox cache emptied: 39867130 bytes

->Google Chrome cache emptied: 0 bytes

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 402 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: IUSR_NMPR

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

Windows Temp folder emptied: 272119 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 83.27 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.1.11.6 log created on 12052009_223347

Files\Folders moved on Reboot...

File move failed. C:\Windows\temp\nmsmc_DQLWinService.log scheduled to be moved on reboot.

Registry entries deleted on Reboot...

ESET log

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=a94160334bf80c4d93d799ba2f735223

# end=stopped

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-12-06 06:46:41

# local_time=2009-12-05 10:46:41 (-0800, Pacific Standard Time)

# country="United States"

# lang=1033

# osver=6.0.6002 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 1322135 1322135 0 0

# compatibility_mode=3584 16777215 100 0 0 0 0 0

# compatibility_mode=5892 16776574 100 100 6435065 96689437 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=2215

# found=0

# cleaned=0

# scan_time=91

esets_scanner_update returned -1 esets_gle=53251

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=a94160334bf80c4d93d799ba2f735223

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-12-06 08:42:48

# local_time=2009-12-06 12:42:48 (-0800, Pacific Standard Time)

# country="United States"

# lang=1033

# osver=6.0.6002 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 1322268 1322268 0 0

# compatibility_mode=3584 16777215 100 0 0 0 0 0

# compatibility_mode=5892 16776574 100 100 6435198 96689570 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=359718

# found=0

# cleaned=0

# scan_time=6925

RootRepeal Crash Report

ROOTREPEAL CRASH REPORT

-------------------------

Windows Version: Windows Vista SP2

Exception Code: 0xc0000005

Exception Address: 0x004cbf6b

Attempt to read from address: 0x00000004


The Eset online scan found nothing, which is excellent.

The previous OTL fix worked well, another good indication.

Next, a new run of OTL after getting a newer copy.

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

Allow the download to over-write the (older) copy you now have on desktop.

Now, close all open programs, including browsers. Locate the OTL.exe on your Desktop.

RIGHT-click OTL.exe and select Run As Administrator to start it.

Look at the upper left of window. Press the pink color Quick Scan button.

Have patience while it runs.

It will produce a new log. Save it.

Download GMER Rootkit Scanner from here or here. Unzip it to your Desktop.

========================================================

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

========================================================

RIGHT-click gmer.exe and select Run As Administrator.

**Caution**

These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.

  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.

Copy and paste back here a copy of the new OTL.txt and the Gmer.txt.


OTL log (new version)

OTL logfile created on: 12/6/2009 7:43:00 PM - Run 2

OTL by OldTimer - Version 3.1.11.8 Folder = C:\Users\dchin\Desktop

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18828)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.94 Gb Available Physical Memory | 97.08% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 455.72 Gb Total Space | 106.62 Gb Free Space | 23.40% Space Free | Partition Type: NTFS

Drive D: | 10.00 Gb Total Space | 5.85 Gb Free Space | 58.52% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: DCHIN

Current User Name: dchin

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 14 Days

Output = Standard

Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/06 19:31:37 | 00,537,088 | ---- | M] (OldTimer Tools) -- C:\Users\dchin\Desktop\OTL.exe

PRC - [2009/11/26 22:08:04 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe

PRC - [2009/11/02 20:47:26 | 00,135,664 | ---- | M] (Google Inc.) -- C:\Users\dchin\AppData\Local\Google\Update\GoogleUpdate.exe

PRC - [2009/10/19 22:34:55 | 00,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe

PRC - [2009/06/05 12:39:22 | 00,292,136 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe

PRC - [2009/06/05 12:39:14 | 00,541,992 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe

PRC - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

PRC - [2009/04/10 22:28:08 | 00,037,888 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\unsecapp.exe

PRC - [2009/04/10 22:27:36 | 02,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe

PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe

PRC - [2008/10/25 10:44:34 | 00,031,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

PRC - [2008/10/07 12:33:00 | 00,203,296 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe

PRC - [2008/06/11 22:43:26 | 00,640,376 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

PRC - [2008/05/02 01:44:08 | 00,805,392 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe

PRC - [2008/05/02 01:40:56 | 00,076,304 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe

PRC - [2008/01/18 23:33:39 | 00,202,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe

PRC - [2008/01/18 23:33:15 | 00,095,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mobsync.exe

PRC - [2008/01/15 01:42:02 | 00,694,040 | ---- | M] (Realtime Soft Ltd) -- C:\Program Files\UltraMon\UltraMon.exe

PRC - [2008/01/14 18:24:46 | 00,283,136 | ---- | M] (Realtime Soft Ltd) -- C:\Program Files\UltraMon\UltraMonTaskbar.exe

PRC - [2007/05/31 09:21:28 | 00,648,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\WindowsMobile\wmdc.exe

PRC - [2006/12/07 08:28:42 | 00,629,248 | ---- | M] (Hagel Technologies Ltd) -- C:\Program Files\DU Meter\DUMeter.exe

PRC - [2006/11/22 14:56:00 | 00,303,104 | ---- | M] (SigmaTel, Inc.) -- C:\Windows\sttray.exe

PRC - [2006/11/18 05:01:42 | 00,182,744 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe

PRC - [2006/11/18 05:01:32 | 00,272,856 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe

PRC - [2006/11/18 05:01:26 | 00,195,032 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\IntelDH\CCU\AlertService.exe

PRC - [2006/11/05 09:13:00 | 00,159,744 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

PRC - [2006/10/29 07:03:30 | 00,208,896 | ---- | M] () -- C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe

PRC - [2006/09/29 10:39:20 | 00,151,552 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

PRC - [2006/09/29 10:38:50 | 00,081,920 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe

PRC - [2006/09/26 08:56:00 | 00,423,424 | ---- | M] (Intel Corporation) -- C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe

PRC - [2006/08/04 16:39:20 | 00,386,560 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\XAudio.exe

========== Modules (SafeList) ==========

MOD - [2009/12/06 19:31:37 | 00,537,088 | ---- | M] (OldTimer Tools) -- C:\Users\dchin\Desktop\OTL.exe

MOD - [2009/04/10 22:21:38 | 01,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll

MOD - [2009/03/29 20:42:16 | 00,632,656 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4016_none_d0893820442e7fe4\msvcr80.dll

MOD - [2008/05/02 01:42:50 | 00,045,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\lgscroll.dll

MOD - [2008/05/02 01:38:54 | 00,064,016 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\GameHook.dll

MOD - [2008/01/14 18:24:48 | 00,057,856 | ---- | M] (Realtime Soft Ltd) -- C:\Program Files\UltraMon\RTSUltraMonHook.dll

========== Win32 Services (SafeList) ==========

SRV - [2009/10/19 22:34:55 | 00,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe -- (NAV)

SRV - [2009/09/24 17:27:04 | 00,793,088 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\FntCache.dll -- (FontCache)

SRV - [2009/07/24 23:42:17 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate) Google Update Service (gupdate)

SRV - [2009/06/05 12:39:14 | 00,541,992 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)

SRV - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2009/04/09 21:19:24 | 00,316,664 | ---- | M] (Valve Corporation) -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)

SRV - [2009/01/29 20:09:54 | 00,655,624 | ---- | M] (Acresso Software Inc.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)

SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)

SRV - [2008/11/04 10:48:10 | 00,288,112 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe -- (Adobe Version Cue CS4)

SRV - [2008/11/04 00:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)

SRV - [2008/10/25 10:44:08 | 00,065,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)

SRV - [2008/10/07 12:33:00 | 00,203,296 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe -- (nvsvc)

SRV - [2008/05/02 01:42:06 | 00,121,360 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe -- (LBTServ)

SRV - [2008/01/18 23:38:24 | 00,272,952 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

SRV - [2007/05/31 09:21:24 | 00,379,784 | ---- | M] (Microsoft Corporation) -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)

SRV - [2007/05/31 09:21:18 | 00,183,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)

SRV - [2007/03/09 22:39:39 | 00,072,704 | ---- | M] (Adobe Systems) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service)

SRV - [2006/11/18 05:01:26 | 00,195,032 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\IntelDH\CCU\AlertService.exe -- (AlertService) Intel®

SRV - [2006/11/18 05:00:48 | 00,550,872 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe -- (Remote UI Service) Intel®

SRV - [2006/11/18 05:00:06 | 00,174,552 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe -- (MCLServiceATL) Intel®

SRV - [2006/11/18 04:59:38 | 00,081,880 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe -- (ISSM) Intel®

SRV - [2006/11/18 04:59:02 | 00,032,216 | ---- | M] () -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe -- (M1 Server) Intel® Viiv

SRV - [2006/11/05 09:15:12 | 00,880,640 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -- (RoxMediaDB9)

SRV - [2006/11/05 09:13:00 | 00,159,744 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe -- (RoxWatch9)

SRV - [2006/11/02 04:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart)

SRV - [2006/10/29 07:03:30 | 00,208,896 | ---- | M] () -- C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe -- (DQLWinService)

SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)

SRV - [2006/09/29 10:38:50 | 00,081,920 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®

SRV - [2006/09/14 12:54:34 | 00,073,728 | ---- | M] (MicroVision Development, Inc.) -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr)

SRV - [2006/08/04 16:39:20 | 00,386,560 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\XAudio.exe -- (XAudioService)

SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cl...amp;ibd=1070302

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true

FF - prefs.js..browser.startup.homepage: "www.google.com"

FF - prefs.js..extensions.enabledItems: firebug@software.joehewitt.com:1.4.5

FF - prefs.js..extensions.enabledItems: firenes@facundo.zaldo:1.3

FF - prefs.js..extensions.enabledItems: genipublisher@geni.com:3.0.7.1

FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0

FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.4

FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\IPSFFPlgn\ [2009/11/12 21:59:46 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/06 22:00:11 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/04 01:05:29 | 00,000,000 | ---D | M]

[2008/06/22 20:05:55 | 00,000,000 | ---D | M] -- C:\Users\dchin\AppData\Roaming\Mozilla\Extensions

[2009/12/06 16:19:41 | 00,000,000 | ---D | M] -- C:\Users\dchin\AppData\Roaming\Mozilla\Firefox\Profiles\m7ofzhr2.default\extensions

[2009/11/08 21:26:08 | 00,000,000 | ---D | M] -- C:\Users\dchin\AppData\Roaming\Mozilla\Firefox\Profiles\m7ofzhr2.default\extensions\firebug@software.joehewitt.com

[2009/11/12 21:34:10 | 00,000,000 | ---D | M] -- C:\Users\dchin\AppData\Roaming\Mozilla\Firefox\Profiles\m7ofzhr2.default\extensions\firenes@facundo.zaldo

[2008/08/21 21:45:20 | 00,000,000 | ---D | M] -- C:\Users\dchin\AppData\Roaming\Mozilla\Firefox\Profiles\m7ofzhr2.default\extensions\genipublisher@geni.com

[2009/11/15 13:03:37 | 00,000,000 | ---D | M] -- C:\Users\dchin\AppData\Roaming\Mozilla\Firefox\Profiles\m7ofzhr2.default\extensions\personas@christopher.beard

[2008/03/10 23:08:54 | 00,001,058 | ---- | M] () -- C:\Users\dchin\AppData\Roaming\Mozilla\Firefox\Profiles\m7ofzhr2.default\searchplugins\wikipedia-en.xml

[2009/12/06 16:19:41 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2009/03/31 21:47:26 | 00,324,976 | ---- | M] (Symantec Corporation) -- C:\Program Files\Mozilla Firefox\components\coFFPlgn.dll

O1 HOSTS File: (352038 bytes) - C:\Windows\System32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: ::1 localhost

O1 - Hosts: 127.0.0.1 activate.adobe.com

O1 - Hosts: 127.0.0.1 www.007guard.com

O1 - Hosts: 127.0.0.1 007guard.com

O1 - Hosts: 127.0.0.1 008i.com

O1 - Hosts: 127.0.0.1 www.008k.com

O1 - Hosts: 127.0.0.1 008k.com

O1 - Hosts: 127.0.0.1 www.00hq.com

O1 - Hosts: 127.0.0.1 00hq.com

O1 - Hosts: 127.0.0.1 010402.com

O1 - Hosts: 127.0.0.1 www.032439.com

O1 - Hosts: 127.0.0.1 032439.com

O1 - Hosts: 127.0.0.1 www.0scan.com

O1 - Hosts: 127.0.0.1 0scan.com

O1 - Hosts: 127.0.0.1 1000gratisproben.com

O1 - Hosts: 127.0.0.1 www.1000gratisproben.com

O1 - Hosts: 127.0.0.1 1001namen.com

O1 - Hosts: 127.0.0.1 www.1001namen.com

O1 - Hosts: 127.0.0.1 www.100888290cs.com

O1 - Hosts: 127.0.0.1 100888290cs.com

O1 - Hosts: 127.0.0.1 100sexlinks.com

O1 - Hosts: 127.0.0.1 www.100sexlinks.com

O1 - Hosts: 127.0.0.1 10sek.com

O1 - Hosts: 127.0.0.1 www.10sek.com

O1 - Hosts: 12068 more lines...

O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)

O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.

O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\IPSBHO.dll (Symantec Corporation)

O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

O2 - BHO: (no name) - {9b8c7915-ac4a-4a97-8b16-d07d3803a826} - File not found

O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll File not found

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O4 - HKLM..\Run: [] File not found

O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)

O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [Adobe_ID0ENQBO] C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4Tray.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)

O4 - HKLM..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe (Intel® Corporation)

O4 - HKLM..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe (Hagel Technologies Ltd)

O4 - HKLM..\Run: [ECenter] c:\DELL\E-Center\EULALauncher.exe ( )

O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)

O4 - HKLM..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)

O4 - HKLM..\Run: [iSUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)

O4 - HKLM..\Run: [iSUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)

O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)

O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech, Inc.)

O4 - HKLM..\Run: [NMSSupport] C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe (Intel Corporation)

O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)

O4 - HKLM..\Run: [sigmatelSysTrayApp] C:\Windows\sttray.exe (SigmaTel, Inc.)

O4 - HKLM..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)

O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O4 - HKLM..\Run: [Windows Mobile Device Center] C:\Windows\WindowsMobile\wmdc.exe (Microsoft Corporation)

O4 - HKCU..\Run: [AdobeBridge] File not found

O4 - HKCU..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe File not found

O4 - HKCU..\Run: [Google Update] C:\Users\dchin\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)

O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O13 - gopher Prefix: missing

O15 - HKLM\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.

O15 - HKCU\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)

O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62

O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/09/18 13:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O33 - MountPoints2\{121920e8-1d56-11dc-8dff-0019d1313e7b}\Shell - "" = AutoRun

O33 - MountPoints2\{121920e8-1d56-11dc-8dff-0019d1313e7b}\Shell\AutoRun\command - "" = I:\LaunchU3.exe -- File not found

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - comfile [open] -- "%1" %*

O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2009/12/06 13:39:58 | 00,000,000 | ---D | C] -- C:\RootRepeal

[2009/12/05 22:42:27 | 00,000,000 | ---D | C] -- C:\Program Files\ESET

[2009/12/04 22:19:24 | 00,537,088 | ---- | C] (OldTimer Tools) -- C:\Users\dchin\Desktop\OTL.exe

[2009/12/04 00:14:03 | 00,000,000 | ---D | C] -- C:\_OTL

[2009/12/03 20:03:10 | 00,000,000 | ---D | C] -- C:\Users\dchin\AppData\Local\Tific

[2009/12/03 20:03:05 | 00,000,000 | ---D | C] -- C:\Users\dchin\AppData\Roaming\Tific

[2009/12/03 20:03:02 | 00,000,000 | ---D | C] -- C:\Users\dchin\AppData\Local\Symantec

[2009/12/01 23:15:19 | 00,000,000 | ---D | C] -- C:\Users\dchin\AppData\Local\Adobe(95)

[2009/12/01 23:12:11 | 00,000,000 | ---D | C] -- C:\Users\dchin\AppData\Local\Apple Computer

[2009/12/01 22:33:20 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT

[2009/11/26 13:25:50 | 00,130,312 | ---- | C] (Kaspersky Lab) -- C:\Users\dchin\Desktop\TDSSKiller.exe

[2009/11/26 00:47:21 | 00,000,000 | ---D | C] -- C:\Users\dchin\AppData\Roaming\vlc

========== Files - Modified Within 14 Days ==========

[2009/12/06 19:43:47 | 12,058,624 | -HS- | M] () -- C:\Users\dchin\ntuser.dat

[2009/12/06 19:31:37 | 00,537,088 | ---- | M] (OldTimer Tools) -- C:\Users\dchin\Desktop\OTL.exe

[2009/12/06 18:52:00 | 00,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2009/12/06 18:36:45 | 00,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2009/12/06 18:36:45 | 00,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2009/12/06 16:25:27 | 00,000,680 | ---- | M] () -- C:\Users\dchin\AppData\Local\d3d9caps.dat

[2009/12/05 22:43:17 | 00,707,452 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI

[2009/12/05 22:43:17 | 00,606,678 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2009/12/05 22:43:17 | 00,105,678 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2009/12/05 22:37:16 | 00,002,399 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\UltraMon.lnk

[2009/12/05 22:37:03 | 00,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2009/12/05 22:36:47 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT

[2009/12/05 22:36:43 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2009/12/05 22:35:43 | 00,524,288 | -HS- | M] () -- C:\Users\dchin\ntuser.dat{5192bde4-e0b4-11de-b3ff-0019d1313e7b}.TMContainer00000000000000000001.regtrans-ms

[2009/12/05 22:35:43 | 00,065,536 | -HS- | M] () -- C:\Users\dchin\ntuser.dat{5192bde4-e0b4-11de-b3ff-0019d1313e7b}.TM.blf

[2009/12/05 01:51:39 | 02,466,718 | -H-- | M] () -- C:\Users\dchin\AppData\Local\IconCache.db

[2009/12/05 01:41:18 | 00,002,631 | ---- | M] () -- C:\Users\Public\Desktop\Jasc Paint Shop Pro 8.lnk

[2009/12/05 00:43:56 | 00,146,827 | ---- | M] () -- C:\Users\dchin\Desktop\hlw.jpg

[2009/12/04 22:54:12 | 00,002,075 | ---- | M] () -- C:\Users\Public\Desktop\Google Earth.lnk

[2009/12/04 22:43:27 | 00,062,536 | ---- | M] () -- C:\Users\dchin\Desktop\Image1.jpg

[2009/12/04 01:48:25 | 00,524,288 | -HS- | M] () -- C:\Users\dchin\ntuser.dat{5192bde4-e0b4-11de-b3ff-0019d1313e7b}.TMContainer00000000000000000002.regtrans-ms

[2009/12/04 00:15:14 | 00,524,288 | -HS- | M] () -- C:\Users\dchin\ntuser.dat{1a5ae76c-e089-11de-a211-0019d1313e7b}.TMContainer00000000000000000001.regtrans-ms

[2009/12/04 00:15:14 | 00,065,536 | -HS- | M] () -- C:\Users\dchin\ntuser.dat{1a5ae76c-e089-11de-a211-0019d1313e7b}.TM.blf

[2009/12/04 00:11:34 | 00,000,150 | ---- | M] () -- C:\Users\dchin\Desktop\I can't get rid of Rootkit.TDSS. Please help. - Malwarebytes Forum.URL

[2009/12/04 00:09:51 | 00,464,491 | ---- | M] () -- C:\Users\dchin\Desktop\RootRepeal.zip

[2009/12/03 20:38:14 | 00,524,288 | -HS- | M] () -- C:\Users\dchin\ntuser.dat{1a5ae76c-e089-11de-a211-0019d1313e7b}.TMContainer00000000000000000002.regtrans-ms

[2009/12/03 19:45:40 | 00,524,288 | -HS- | M] () -- C:\Users\dchin\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms

[2009/12/03 19:45:40 | 00,065,536 | -HS- | M] () -- C:\Users\dchin\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf

[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys

[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

[2009/12/02 22:54:42 | 00,000,020 | -H-- | M] () -- C:\ProgramData\PKP_DLbz.DAT

[2009/11/30 19:10:32 | 00,023,552 | ---- | M] () -- C:\Windows\System32\tdlcmd.dll

[2009/11/26 13:25:50 | 00,130,312 | ---- | M] (Kaspersky Lab) -- C:\Users\dchin\Desktop\TDSSKiller.exe

[2009/11/26 00:46:43 | 00,000,861 | ---- | M] () -- C:\Users\Public\Desktop\VLC media player.lnk

[2009/11/25 23:21:01 | 00,000,219 | ---- | M] () -- C:\Windows\System32\lsprst7.tgz

[2009/11/25 23:21:01 | 00,000,205 | ---- | M] () -- C:\Windows\System32\lsprst7.dll

[2009/11/25 23:21:01 | 00,000,087 | ---- | M] () -- C:\Windows\System32\ssprs.tgz

[2009/11/25 23:21:01 | 00,000,073 | ---- | M] () -- C:\Windows\System32\ssprs.dll

[2009/11/25 23:21:01 | 00,000,021 | ---- | M] () -- C:\Windows\SurCode.INI

[2009/11/24 22:17:49 | 02,557,272 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

[2009/11/23 20:21:52 | 00,000,632 | ---- | M] () -- C:\Windows\tasks\Norton Internet Security - Run Full System Scan - dchin.job

========== Files Created - No Company Name ==========

[2009/12/05 00:43:55 | 00,146,827 | ---- | C] () -- C:\Users\dchin\Desktop\hlw.jpg

[2009/12/04 22:54:12 | 00,002,075 | ---- | C] () -- C:\Users\Public\Desktop\Google Earth.lnk

[2009/12/04 22:43:27 | 00,062,536 | ---- | C] () -- C:\Users\dchin\Desktop\Image1.jpg

[2009/12/04 01:07:26 | 00,524,288 | -HS- | C] () -- C:\Users\dchin\ntuser.dat{5192bde4-e0b4-11de-b3ff-0019d1313e7b}.TMContainer00000000000000000002.regtrans-ms

[2009/12/04 01:07:26 | 00,524,288 | -HS- | C] () -- C:\Users\dchin\ntuser.dat{5192bde4-e0b4-11de-b3ff-0019d1313e7b}.TMContainer00000000000000000001.regtrans-ms

[2009/12/04 01:07:26 | 00,065,536 | -HS- | C] () -- C:\Users\dchin\ntuser.dat{5192bde4-e0b4-11de-b3ff-0019d1313e7b}.TM.blf

[2009/12/04 00:11:34 | 00,000,150 | ---- | C] () -- C:\Users\dchin\Desktop\I can't get rid of Rootkit.TDSS. Please help. - Malwarebytes Forum.URL

[2009/12/04 00:09:51 | 00,464,491 | ---- | C] () -- C:\Users\dchin\Desktop\RootRepeal.zip

[2009/12/03 20:02:59 | 00,524,288 | -HS- | C] () -- C:\Users\dchin\ntuser.dat{1a5ae76c-e089-11de-a211-0019d1313e7b}.TMContainer00000000000000000002.regtrans-ms

[2009/12/03 20:02:59 | 00,524,288 | -HS- | C] () -- C:\Users\dchin\ntuser.dat{1a5ae76c-e089-11de-a211-0019d1313e7b}.TMContainer00000000000000000001.regtrans-ms

[2009/12/03 20:02:59 | 00,065,536 | -HS- | C] () -- C:\Users\dchin\ntuser.dat{1a5ae76c-e089-11de-a211-0019d1313e7b}.TM.blf

[2009/11/26 00:46:42 | 00,000,861 | ---- | C] () -- C:\Users\Public\Desktop\VLC media player.lnk

[2009/11/25 19:18:06 | 00,023,552 | ---- | C] () -- C:\Windows\System32\tdlcmd.dll

[2009/11/06 10:58:04 | 00,178,975 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat

[2009/10/26 22:09:15 | 00,000,600 | ---- | C] () -- C:\Users\dchin\AppData\Roaming\winscp.rnd

[2009/10/14 20:35:56 | 00,000,680 | ---- | C] () -- C:\Users\dchin\AppData\Local\d3d9caps.dat

[2009/09/11 18:29:12 | 00,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll

[2009/08/09 23:31:57 | 00,038,439 | ---- | C] () -- C:\Users\dchin\AppData\Roaming\Comma Separated Values (Windows).ADR

[2009/06/19 19:06:22 | 00,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll

[2009/06/19 19:06:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll

[2009/06/19 19:06:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll

[2009/06/19 19:06:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll

[2009/06/19 19:06:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll

[2009/06/19 19:06:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll

[2009/06/19 19:06:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll

[2009/06/19 19:06:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll

[2009/06/19 19:06:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll

[2009/06/19 19:06:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll

[2008/12/09 23:30:56 | 00,000,021 | ---- | C] () -- C:\Windows\SurCode.INI

[2008/08/03 21:15:20 | 00,000,547 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll.manifest

[2008/03/25 20:59:23 | 00,000,013 | ---- | C] () -- C:\Windows\OemOut.ini

[2008/02/22 23:43:53 | 01,658,973 | ---- | C] () -- C:\Windows\System32\libmmd.dll

[2007/08/23 18:30:00 | 00,007,680 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll

[2007/07/19 23:51:54 | 00,001,025 | ---- | C] () -- C:\Windows\System32\sysprs7.dll

[2007/07/19 23:51:54 | 00,001,025 | ---- | C] () -- C:\Windows\System32\clauth2.dll

[2007/07/19 23:51:54 | 00,001,025 | ---- | C] () -- C:\Windows\System32\clauth1.dll

[2007/07/19 23:51:54 | 00,000,205 | ---- | C] () -- C:\Windows\System32\lsprst7.dll

[2007/07/19 23:51:54 | 00,000,073 | ---- | C] () -- C:\Windows\System32\ssprs.dll

[2007/06/11 22:09:58 | 02,463,976 | ---- | C] () -- C:\Windows\System32\NPSWF32.dll

[2007/03/27 00:16:25 | 00,000,871 | ---- | C] () -- C:\Windows\QIII.INI

[2007/03/27 00:07:27 | 00,003,972 | ---- | C] () -- C:\Windows\System32\drivers\PciBus.sys

[2007/03/14 23:33:22 | 00,000,268 | RH-- | C] () -- C:\ProgramData\Analog Pad

[2007/03/14 23:33:22 | 00,000,268 | RH-- | C] () -- C:\Users\dchin\AppData\Roaming\Alerts

[2007/03/14 21:30:35 | 00,000,020 | -H-- | C] () -- C:\ProgramData\PKP_DLbz.DAT

[2007/03/13 22:30:53 | 00,056,056 | ---- | C] () -- C:\Windows\System32\DLAAPI_W.DLL

[2007/03/12 23:34:48 | 00,002,105 | ---- | C] () -- C:\ProgramData\hpzinstall.log

[2007/03/12 21:41:35 | 00,000,000 | -H-- | C] () -- C:\ProgramData\PKP_DLea.DAT

[2007/03/08 10:25:03 | 00,162,816 | ---- | C] () -- C:\Users\dchin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2007/03/02 00:23:58 | 00,000,376 | ---- | C] () -- C:\Windows\ODBC.INI

[2007/03/02 00:15:00 | 00,000,244 | ---- | C] () -- C:\Windows\wininit.ini

[2006/11/07 11:25:58 | 00,000,000 | ---- | C] () -- C:\Windows\System32\px.ini

[2006/11/02 04:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll

[2006/11/02 02:25:44 | 00,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll

[2006/11/01 23:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

[2006/09/16 21:36:50 | 00,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll

[2006/09/16 21:36:50 | 00,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll

[2006/06/23 07:09:34 | 00,019,968 | R--- | C] () -- C:\Windows\System32\cpuinf32.dll

========== LOP Check ==========

[2007/11/27 21:55:05 | 00,000,000 | ---D | M] -- C:\Users\dchin\AppData\Roaming\Flickr

[2007/03/10 23:11:01 | 00,000,000 | ---D | M] -- C:\Users\dchin\AppData\Roaming\Forte

[2007/03/14 21:27:44 | 00,000,000 | ---D | M] -- C:\Users\dchin\AppData\Roaming\Nikon

[2007/04/02 23:07:43 | 00,000,000 | ---D | M] -- C:\Users\dchin\AppData\Roaming\Opera

[2008/04/02 23:30:54 | 00,000,000 | ---D | M] -- C:\Users\dchin\AppData\Roaming\RTPlayer

[2008/10/15 19:18:09 | 00,000,000 | ---D | M] -- C:\Users\dchin\AppData\Roaming\SystemRequirementsLab

[2009/12/03 20:03:05 | 00,000,000 | ---D | M] -- C:\Users\dchin\AppData\Roaming\Tific

[2009/11/23 23:31:38 | 00,000,000 | ---D | M] -- C:\Users\dchin\AppData\Roaming\uTorrent

[2009/12/05 22:35:21 | 00,032,598 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

[2009/11/20 00:40:57 | 00,000,418 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{BEE5FDBC-E548-47B0-8442-B40606EC71D3}.job

========== Purity Check ==========

< End of report >

GMER log

GMER 1.0.15.15252 - http://www.gmer.net

Rootkit scan 2009-12-07 08:09:35

Windows 6.0.6002 Service Pack 2

Running: gmer.exe; Driver: C:\Users\dchin\AppData\Local\Temp\pxldapod.sys

---- System - GMER 1.0.15 ----

SSDT 88253108 ZwAlertResumeThread

SSDT 88E2F108 ZwAlertThread

SSDT 88EC6C10 ZwAllocateVirtualMemory

SSDT 8810D7F8 ZwAlpcConnectPort

SSDT 88E6A1E0 ZwAssignProcessToJobObject

SSDT 88ECD8C0 ZwCreateMutant

SSDT 88EEFD78 ZwCreateSymbolicLinkObject

SSDT 88EC3390 ZwCreateThread

SSDT 88E6B048 ZwDebugActiveProcess

SSDT 88EC6DE8 ZwDuplicateObject

SSDT 88EC7E38 ZwFreeVirtualMemory

SSDT 88E15120 ZwImpersonateAnonymousToken

SSDT 88256108 ZwImpersonateThread

SSDT 8810D760 ZwLoadDriver

SSDT 88EC7CD8 ZwMapViewOfSection

SSDT 88E4B0B0 ZwOpenEvent

SSDT 88EC4168 ZwOpenProcess

SSDT 8822F110 ZwOpenProcessToken

SSDT 88E52048 ZwOpenSection

SSDT 88EC6F38 ZwOpenThread

SSDT 88EEE9F0 ZwProtectVirtualMemory

SSDT 88E2B120 ZwResumeThread

SSDT 88DD5120 ZwSetContextThread

SSDT 88EC7A80 ZwSetInformationProcess

SSDT 88E54190 ZwSetSystemInformation

SSDT 88E50048 ZwSuspendProcess

SSDT 88E27120 ZwSuspendThread

SSDT 8826A728 ZwTerminateProcess

SSDT 88DD8110 ZwTerminateThread

SSDT 88DD0118 ZwUnmapViewOfSection

SSDT 88EC6900 ZwWriteVirtualMemory

SSDT 88EEE1D0 ZwCreateThreadEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 824E0860 8 Bytes [08, 31, 25, 88, 08, F1, E2, ...]

.text ntkrnlpa.exe!KeSetEvent + 131 824E0874 4 Bytes [10, 6C, EC, 88] {ADC [ESP+EBP*8-0x78], CH}

.text ntkrnlpa.exe!KeSetEvent + 13D 824E0880 4 Bytes [F8, D7, 10, 88]

.text ntkrnlpa.exe!KeSetEvent + 191 824E08D4 4 Bytes [E0, A1, E6, 88] {LOOPNZ 0xffffffffffffffa3; OUT 0x88, AL}

.text ntkrnlpa.exe!KeSetEvent + 1F5 824E0938 4 Bytes [C0, D8, EC, 88]

.text ...

.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8EC0D320, 0x3DE447, 0xE8000020]

? C:\Windows\system32\drivers\rootrepeal.sys The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[3288] @ C:\Windows\system32\ole32.dll [msvcrt.dll!free] [67EDF3FB] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version

Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version 0xDA 0xDC 0x3D 0xBD ...

---- EOF - GMER 1.0.15 ----

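Reading an OTL file listing like the one above by hand is error-prone, so here is an added example (not part of this thread, and not OTL's own code) that parses the `[date | size | attributes | M/C] (company) -- path` lines and flags executables under System32 that combine several weak signals: no company name, changed recently, too small to be a PE image, hidden/system attributes. The sample lines are copied from the log above; the reference time (the GMER scan time from this thread) and the 14-day window are assumptions. On this sample it surfaces tdlcmd.dll, the file Malwarebytes reported, plus two tiny DLLs that merit a look; the output is a list of candidates for a hash lookup or upload, not a verdict.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines copied from the OTL file listing posted above.
SAMPLE_OTL = r"""
[2009/12/05 22:43:17 | 00,105,678 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/12/05 22:36:43 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/11/30 19:10:32 | 00,023,552 | ---- | M] () -- C:\Windows\System32\tdlcmd.dll
[2009/11/26 13:25:50 | 00,130,312 | ---- | M] (Kaspersky Lab) -- C:\Users\dchin\Desktop\TDSSKiller.exe
[2009/11/25 23:21:01 | 00,000,205 | ---- | M] () -- C:\Windows\System32\lsprst7.dll
[2009/11/25 23:21:01 | 00,000,073 | ---- | M] () -- C:\Windows\System32\ssprs.dll
[2009/06/19 19:06:22 | 00,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
""".strip().splitlines()

# Assumptions for this example: the reference time (the GMER scan time in the
# thread) and the window within which a change counts as "recent".
SCAN_TIME = datetime(2009, 12, 7, 8, 9, 35)
WINDOW_DAYS = 14

OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>[-A-Z]{4}) \| (?P<kind>[MC])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
EXEC_EXT = (".dll", ".sys", ".exe", ".ocx", ".drv")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_otl(lines):
    """Turn OTL '[ts | size | attrs | M/C] (company) -- path' lines into dicts."""
    records = []
    for line in lines:
        m = OTL_LINE.match(line.strip())
        if not m:
            continue  # section headers and blank lines
        d = m.groupdict()
        records.append({
            "when": datetime.strptime(d["ts"], "%Y/%m/%d %H:%M:%S"),
            "size": int(d["size"].replace(",", "")),
            "attr": d["attr"],        # e.g. '-HS-' = hidden + system
            "kind": d["kind"],        # M = modified, C = created
            "company": d["company"],  # empty when OTL found no version info
            "path": d["path"],
        })
    return records


def triage(records, scan_time=SCAN_TIME, window_days=WINDOW_DAYS):
    """Return [(path, [reasons])] for executables under System32 that combine
    at least two weak signals. Heuristic triage, not a verdict."""
    cutoff = scan_time - timedelta(days=window_days)
    hits = []
    for r in records:
        p = r["path"].lower()
        if not p.endswith(EXEC_EXT) or not p.startswith(SYSTEM_DIRS):
            continue
        reasons = []
        if not r["company"]:
            reasons.append("no company name")
        if r["when"] >= cutoff:
            reasons.append(f"changed within {window_days} days of scan")
        if r["size"] < 1024:
            # A DOS header plus PE headers alone exceed this; such a file
            # cannot be a loadable image, whatever its extension says.
            reasons.append("too small to be a valid PE image")
        if "H" in r["attr"] or "S" in r["attr"]:
            reasons.append("hidden/system attribute set")
        if len(reasons) >= 2:
            hits.append((r["path"], reasons))
    return hits


def triage_sample():
    return triage(parse_otl(SAMPLE_OTL))


if __name__ == "__main__":
    for path, reasons in triage_sample():
        print(f"{path}: {', '.join(reasons)}")
```

The two-signal threshold is deliberate: a signed vendor driver updated yesterday (mbamswissarmy.sys in the sample) or an old unsigned DLL that has not changed in months (AgCPanelFrench.dll) each trip one rule and are left alone.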
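GMER's SSDT section and its "Kernel code sections" section read like two separate findings, but the bytes GMER reports at ntkrnlpa.exe!KeSetEvent + 11D, + 131, + 13D, + 191 and + 1F5 are little-endian pointers that equal the SSDT hook targets (08 31 25 88 is 0x88253108, the ZwAlertResumeThread entry, and so on). The following Python is an added example, not part of this thread or of GMER, that parses both sections and correlates them; the sample lines are a subset copied from the GMER log above. All hook targets fall in one 0x88xxxxxx range outside any module GMER names; the log does not say who owns them, so whether they belong to the installed security suite or to something else is a question for a driver listing, not something this script decides.

```python
import re
import struct

# Constructed sample: a subset of the SSDT and "Kernel code sections" lines
# copied from the GMER log above (hex values exactly as GMER printed them).
SAMPLE_GMER = r"""
SSDT 88253108 ZwAlertResumeThread
SSDT 88E2F108 ZwAlertThread
SSDT 88EC6C10 ZwAllocateVirtualMemory
SSDT 8810D7F8 ZwAlpcConnectPort
SSDT 88E6A1E0 ZwAssignProcessToJobObject
SSDT 88ECD8C0 ZwCreateMutant
SSDT 88EEFD78 ZwCreateSymbolicLinkObject
SSDT 8810D760 ZwLoadDriver
.text ntkrnlpa.exe!KeSetEvent + 11D 824E0860 8 Bytes [08, 31, 25, 88, 08, F1, E2, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 824E0874 4 Bytes [10, 6C, EC, 88] {ADC [ESP+EBP*8-0x78], CH}
.text ntkrnlpa.exe!KeSetEvent + 13D 824E0880 4 Bytes [F8, D7, 10, 88]
.text ntkrnlpa.exe!KeSetEvent + 191 824E08D4 4 Bytes [E0, A1, E6, 88] {LOOPNZ 0xffffffffffffffa3; OUT 0x88, AL}
.text ntkrnlpa.exe!KeSetEvent + 1F5 824E0938 4 Bytes [C0, D8, EC, 88]
.text ...
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8EC0D320, 0x3DE447, 0xE8000020]
""".strip().splitlines()

SSDT_RE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(\S+)")
TEXT_RE = re.compile(
    r"^\.text\s+(\S+)\s+\+\s+([0-9A-Fa-f]+)\s+([0-9A-Fa-f]{8})\s+(\d+)\s+Bytes\s+\[([^\]]*)\]"
)


def parse_ssdt_hooks(lines):
    """Map hook target address -> Zw* service name from the SSDT lines."""
    hooks = {}
    for line in lines:
        m = SSDT_RE.match(line)
        if m:
            hooks[int(m.group(1), 16)] = m.group(2)
    return hooks


def parse_text_patches(lines):
    """(symbol, offset, address, raw bytes) for '.text sym + off addr N Bytes [..]' lines.
    A trailing '...' means GMER truncated the dump; only the bytes shown are kept."""
    patches = []
    for line in lines:
        m = TEXT_RE.match(line)
        if not m:
            continue  # '.text ...' continuation and 'section is writeable' lines
        symbol, off, addr, _count, blob = m.groups()
        raw = bytes(int(b, 16) for b in re.findall(r"\b[0-9A-Fa-f]{2}\b", blob))
        patches.append((symbol, int(off, 16), int(addr, 16), raw))
    return patches


def little_endian_dwords(raw):
    """Whole 32-bit values in the dump, in memory order (x86 is little-endian)."""
    return [struct.unpack_from("<I", raw, i)[0] for i in range(0, len(raw) - 3, 4)]


def correlate(lines):
    """For every dword GMER reported inside the kernel image, say which SSDT hook
    target (if any) it equals. Returns [(where, address, value, service_or_None)]."""
    hooks = parse_ssdt_hooks(lines)
    out = []
    for symbol, off, addr, raw in parse_text_patches(lines):
        for i, value in enumerate(little_endian_dwords(raw)):
            out.append((f"{symbol} + {off:X}", addr + 4 * i, value, hooks.get(value)))
    return out


def all_patches_are_hook_targets(lines):
    """True when every reported dword is one of the SSDT hook targets, i.e. the
    two GMER sections describe the same table rather than two modifications."""
    rows = correlate(lines)
    return bool(rows) and all(svc is not None for *_, svc in rows)


def hook_address_span(hooks):
    """Lowest and highest hook target; one tight range suggests a single owner."""
    return (min(hooks), max(hooks)) if hooks else None


if __name__ == "__main__":
    for where, addr, value, svc in correlate(SAMPLE_GMER):
        print(f"{where} @ {addr:08X}: {value:08X} -> {svc or 'not an SSDT hook target'}")
    lo, hi = hook_address_span(parse_ssdt_hooks(SAMPLE_GMER))
    print(f"hook targets span {lo:08X}-{hi:08X}")
```

The truncated first dump (`08, F1, E2, ...`) is handled by only decoding complete dwords; the seven bytes shown yield one pointer, and the partial second one is ignored rather than guessed.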

I'd like for you to use your browser, and upload a copy of one DLL file for analysis at 2 online websites.

This will not take much time.

Use your browser to go to the Virustotal website.

Click the Browse button and then navigate to C:\Windows\System32\tdlcmd.dll, then click the Submit button.

The various virus scanners will identify the file and if it is not identified, the AV vendors will then have a copy of it for analysis. Save the results, and post back here in a reply.

Use your browser to go to Threatexpert:

http://www.threatexpert.com/filescan.aspx

Click the Browse button and then navigate to C:\Windows\System32\tdlcmd.dll, click the checkbox to checkmark "I agree to be bound by the Terms and Conditions", then click the Submit button.

Save the results, and post back here in a reply.

Reply with the results of the 2 online scan reports. Also, tell me: how is your system now?


Ok, this is weird...

I proceed to the first site (virustotal.com) and click the BROWSE button.

As I'm scrolling down in the file pane looking for tdlcmd.dll, my Norton pops up with an alert...

"Norton has blocked the trojan horse tdlcmd.dll" then it says "This virus has been removed. No further action is needed."

However, I cannot find tdlcmd.dll in the System32 folder at all. I even did a search within Windows Explorer, no luck.

So what does this mean?


To answer your other question, I did a quick test and Googled a few random things.

Usually, when I click on the link results, 75% of them would redirect me to some spam site.

However, none did. They all went to where it said it was going. So, I am a little relieved on that discovery. :)

Okay, I will await your assessment.

Damon


Check again to Show all files:

  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.

Next a bit of housekeeping to apply latest Java runtime:

See this topic in the AumHa Security forum and get the latest Java run-time:

http://aumha.net/viewtopic.php?f=26&t=42611

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At this time of posting, the current definitions are # 3319 and the latest version is 1.42.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Reply with copy of latest MBAM scan log, and let's see what it says.

Don't know about the DLL issue. Or if the issue may or may not be with Norton AV.


Ok. I did the following...

Checked again to show all files and folders. No sign of the offending dll. Yay!

Next, I followed the instructions and installed the latest Java runtime. I also removed any old subfolders as it mentioned. Then I rebooted my PC.

Next, I updated Malwarebytes with the latest database and ran a Quick Scan.

Malwarebytes' Anti-Malware 1.42

Database version: 3328

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18865

12/8/2009 11:58:10 PM

mbam-log-2009-12-08 (23-58-10).txt

Scan type: Quick Scan

Objects scanned: 111244

Time elapsed: 6 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I'll let you say it officially, but I think we finally solved it! ;)


Very good result. ;)

Start button > in Start menu -- Control Panel > Uninstall a Program (listed under Programs).

{In Classic view, double-click Programs and Features}.

De-install ESET Online scan.

Look for it and click the line for it. Select Change/Remove to de-install it.

OK & Exit out of Control Panel

I see that you are clear of your original issues.

If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

  • Please RIGHT-click OTL.exe and select Run As Administrator to run it.
  • Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been download you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.

Confirm for me that you've successfully completed the Cleanup steps.

