
AV Security Suite



I was hit with AV Security Suite Friday, 6-18-10.

I first followed every step listed here: http://www.bleepingcomputer.com/virus-remo...-security-suite.

Second phase was everything here: http://forums.malwarebytes.org/index.php?showtopic=9573

MBAM 1st run log included - deleted 39 infections. Upon reboot, I noticed a warning box stating "RUNDLL: The rundll for xhreiu.exe could not be found." I mistakenly clicked "Ok", not thinking that in order for this to show up, the virus must still be on my computer somewhere.

Ran rkill.exe again and mbam. Second MBAM log included as it still showed 2 infected files and same warning window appeared on restart. All other requested files, including an HJT file, are included in the zip. All help is much appreciated.

Lastly, as I have been a long time user of the free MalwareBytes, I am now looking to purchase the full PRO version as I understand it could have prevented this *&%$-ing! file from even loading in the first place. Any link to a trusted site to purchase (except cleverbridge) is also greatly appreciated.

Let me know if you need any additional info, like a urine or blood sample. ; )

DDS log file:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Rob at 0:18:43.12 on Sat 06/19/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.577 [GMT -7:00]

FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\windows\system32\Ati2evxx.exe

C:\windows\system32\svchost -k DcomLaunch

svchost.exe

C:\windows\System32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k WudfServiceGroup

svchost.exe

C:\windows\system32\Ati2evxx.exe

C:\windows\system32\spoolsv.exe

C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\sigservice.exe

C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe

C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

C:\windows\system32\rundll32.exe

C:\windows\system32\ctfmon.exe

C:\windows\system32\rundll32.exe

C:\Program Files\Wireless LAN\WLanUtil.exe

C:\PROGRA~1\SigmaTel\C-MAJO~1\CONTRO~1\stacsrv.exe

svchost.exe

C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\windows\system32\svchost.exe -k imgsvc

C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe

C:\windows\system32\wuauclt.exe

C:\windows\explorer.exe

C:\Documents and Settings\Rob\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: SBCONVERT Class: {3017fb3e-9a77-4396-88c5-0ec9548fb42f} - c:\program files\speedbit video downloader\toolbar\tbcore3.dll

BHO: SearchPredictObj Class: {389943b0-c3a2-4e69-82cb-8596a84cb3dc} - c:\progra~1\search~1\SEARCH~1.DLL

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: DAPIELoader Class: {ff6c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\downlo~1\DAPIEL~1.DLL

BHO: GrabberObj Class: {ff7c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\speedb~1\toolbar\grabber.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll

TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll

TB: SpeedBit Video Downloader: {0329e7d6-6f54-462d-93f6-f5c3118badf2} - c:\program files\speedbit video downloader\toolbar\tbcore3.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [uficofezipahal] rundll32.exe "c:\windows\mdshol.dll",Startup

mRun: [stacSysTray] c:\program files\sigmatel\c-major audio\controlpanel\StacSysTray.exe

mRun: [Adobe Version Cue CS2] c:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [skb] rundll32 "xhtei.dll",,Run

mRun: [MChk] c:\windows\system32\khtei.exe

mRun: [Fbijijamehigatag] rundll32.exe "c:\windows\ijasudevibeb.dll",Startup

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ieee80~1.lnk - c:\program files\wireless lan\WLanUtil.exe

mPolicies-explorer: <NO NAME> =

IE: &Clean Traces - c:\program files\download accelerator plus\privacy package\dapcleanerie.htm

IE: &Download with &DAP - c:\program files\download accelerator plus\dapextie.htm

IE: Download &all with DAP - c:\program files\download accelerator plus\dapextie2.htm

IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm

IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - c:\program files\flash decompiler trillix\saveflash\iebt.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

DPF: Web-Based Email Tools - hxxps://email.secureserver.net/Download.CAB

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196226844085

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-28 270672]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-26 189736]

R2 SigService;Sigmatel Service;c:\program files\sigmatel\c-major audio\controlpanel\sigservice.exe [2007-11-27 81920]

S0 efyosqni;efyosqni; [x]

S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;c:\windows\system32\drivers\mr97310v.sys [2004-3-30 118106]

S3 pnicml;pnicml;\??\c:\docume~1\rob\locals~1\temp\pnicml.sys --> c:\docume~1\rob\locals~1\temp\pnicml.sys [?]

S3 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

=============== Created Last 30 ================

2010-06-19 07:15:43 0 ----a-w- c:\documents and settings\rob\defogger_reenable

2010-06-19 04:17:25 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-19 03:12:05 0 ----a-w- c:\windows\Rxesalifipulukel.bin

2010-06-19 03:12:04 120 ----a-w- c:\windows\Jqoqokezezocohof.dat

2010-06-19 03:11:06 0 d-----w- c:\docume~1\rob\applic~1\Street-Ads

2010-06-19 03:11:05 0 d-----w- c:\docume~1\rob\applic~1\Sky-Banners

2010-06-19 03:10:51 51021 ----a-w- c:\windows\system32\vcxyvcobktfktq.exe

2010-06-17 00:33:03 0 d-----w- c:\docume~1\rob\applic~1\Free AVI MPEG WMV MP4 FLV Video Joiner

2010-06-16 21:11:53 172032 ----a-w- c:\windows\system32\AniGIF.ocx

2010-06-16 21:11:50 0 d-----w- c:\program files\Download Accelerator Plus

2010-06-16 21:11:18 0 d-----w- c:\docume~1\rob\applic~1\Toolbar4

2010-06-16 21:11:12 0 d-----w- c:\program files\SearchPredict

2010-06-16 21:11:12 0 d-----w- c:\docume~1\alluse~1\applic~1\SpeedBit

2010-06-16 21:11:10 0 d-----w- c:\program files\SpeedBit Video Downloader

2010-06-14 00:54:07 3982240 ----a-w- c:\windows\system32\Flash10d.ocx

2010-06-14 00:54:06 0 d-----w- c:\program files\StreamTransport

2010-06-13 21:45:11 0 d-----w- c:\docume~1\rob\applic~1\Moyea

2010-06-13 19:41:05 0 d-----w- C:\tmpDownload

2010-06-13 19:41:05 0 d-----w- C:\Download

2010-06-13 06:32:14 0 d-----w- c:\program files\YouTube Music Downloader

2010-06-13 06:25:26 516 ----a-w- c:\windows\system32\gfbaksm.dll

2010-06-13 06:25:26 516 ----a-w- c:\windows\system32\gfbaksm.dat

2010-06-13 06:24:58 0 d-----w- c:\program files\Hulu Downloader

2010-06-08 14:51:54 40629 ----a-w- c:\windows\system32\khtei.exe

2010-06-06 07:53:13 0 d-----w- c:\program files\DVDFab 7

2010-06-04 20:03:19 0 d-----w- c:\program files\common files\SourceTec

2010-06-04 20:03:18 695642 ----a-w- c:\windows\unins000.exe

2010-06-04 20:03:18 14699 ----a-w- c:\windows\unins000.dat

2010-06-04 18:25:28 0 d-----w- c:\program files\SWF Picture Extractor

2010-06-03 23:21:05 0 d-sh--w- c:\windows\Installer

2010-05-25 05:38:04 309248 ----a-w- c:\windows\system32\arttvriu.dll

2010-05-25 05:37:48 327680 ----a-w- c:\windows\system32\hrskcdec.dll

2010-05-24 16:31:20 40633 ----a-w- c:\windows\system32\uxvaloyi.exe

2010-05-24 16:05:09 1145856 ----a-w- C:\Winphlash1656.exe

==================== Find3M ====================

2010-05-19 20:30:42 2064 ----a-w- c:\windows\system32\tmp.reg

2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20:32 17408 ------w- c:\windows\system32\corpol.dll

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 22:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-26 22:58:12 256512 ----a-w- c:\windows\PEV.exe

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-17 23:47:43 87608 ----a-w- c:\docume~1\rob\applic~1\inst.exe

2010-04-17 23:47:43 47360 ----a-w- c:\docume~1\rob\applic~1\pcouffin.sys

2010-04-16 23:25:40 90112 ----a-w- c:\windows\system32\videoul.tmp

2008-09-13 18:43:56 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091320080914\index.dat

============= FINISH: 0:19:50.48 ===============

hijackthis__6_19_10_.rar

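The entries in the DDS log above that point at the infection are a handful of `Run` values, the IE `ProxyServer` setting and two driver lines. Below is an added triage script for this kind of excerpt; it is not part of the thread and not code from DDS, OTL, HijackThis or Malwarebytes. It parses the Pseudo HJT `uRun`/`mRun` lines, the `ProxyServer` line and the `SERVICES / DRIVERS` lines, and flags rundll32 loading a DLL by bare name (resolved through the DLL search order) or from the `%windir%` root, a system32 file registered under an unrelated value name, drivers loaded from a temp directory or with no file on disk, and an IE proxy on the loopback interface. The sample lines are copied from the posted log; the heuristics, function names, the hard-coded `c:\windows` and the reading of the DDS `[x]` marker are this example's own assumptions.

```python
"""Triage of the DDS 'Pseudo HJT' and 'SERVICES / DRIVERS' lines.

Added example for this thread; not code from DDS, OTL, HijackThis or
Malwarebytes. The heuristics, names and the reading of the DDS [x] marker
are this example's own assumptions.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [uficofezipahal] rundll32.exe "c:\windows\mdshol.dll",Startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [skb] rundll32 "xhtei.dll",,Run
mRun: [MChk] c:\windows\system32\khtei.exe
mRun: [Fbijijamehigatag] rundll32.exe "c:\windows\ijasudevibeb.dll",Startup
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-28 270672]
S0 efyosqni;efyosqni; [x]
S3 pnicml;pnicml;\??\c:\docume~1\rob\locals~1\temp\pnicml.sys --> c:\docume~1\rob\locals~1\temp\pnicml.sys [?]
"""

RUN_RE = re.compile(r'^[um]Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
PROXY_RE = re.compile(r'^[um]Internet Settings,ProxyServer = (?P<value>\S+)$')
SVC_RE = re.compile(r'^[RS][0-4] (?P<name>[^;]+);[^;]*;(?P<rest>.*)\[(?P<marker>[^\]]*)\]$')

WINDIR = PureWindowsPath(r'c:\windows')   # assumed; take %SystemRoot% from the log header in practice
SYSTEM32 = WINDIR / 'system32'
LOOPBACK = {'127.0.0.1', 'localhost', '::1'}


def split_cmd(cmd):
    """Split a command line into arguments, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def same_dir(path, directory):
    return str(path.parent).lower() == str(directory).lower()


def check_target(name, target):
    """Heuristic reasons a Run/driver target deserves a closer look."""
    if target.startswith('\\??\\'):          # NT object-manager prefix seen on driver paths
        target = target[4:]
    p = PureWindowsPath(target)
    reasons = []
    if not p.anchor and len(p.parts) == 1:
        reasons.append('bare file name: the loader resolves it through the DLL search order')
    elif same_dir(p, WINDIR):
        reasons.append('file sits directly in %windir%, where installed software rarely puts code')
    elif same_dir(p, SYSTEM32) and name.lower() not in (p.name.lower(), p.stem.lower()):
        reasons.append('system32 file registered under an unrelated value name')
    if any(part.lower() in ('temp', 'tmp') for part in p.parts):
        reasons.append('loaded from a temp directory')
    return reasons


def triage(log):
    """Return (kind, name, reasons) for every suspicious entry in a DDS excerpt."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            args = split_cmd(m['cmd'])
            exe = PureWindowsPath(args[0])
            if exe.name.lower() in ('rundll32', 'rundll32.exe') and len(args) > 1:
                target = args[1].split(',')[0]     # the DLL argument, before ",EntryPoint"
            else:
                target = args[0]
            if reasons := check_target(m['name'], target):
                findings.append(('run', m['name'], reasons))
        elif m := PROXY_RE.match(line):
            for entry in m['value'].split(';'):
                scheme, _, hostport = entry.rpartition('=')
                host, _, port = hostport.rpartition(':')
                if host in LOOPBACK:
                    findings.append(('proxy', scheme or 'all', [
                        f'IE sends {scheme or "all"} traffic to a local listener on port {port}; '
                        'whatever owns that port can block or redirect every request']))
        elif m := SVC_RE.match(line):
            path = m['rest'].split('-->')[-1].strip()
            reasons = check_target(m['name'], path) if path else []
            if m['marker'] == 'x':                # assumed meaning: DDS found no file for the entry
                reasons.append('driver registered but its file is missing (orphaned or self-deleting)')
            if reasons:
                findings.append(('service', m['name'], reasons))
    return findings


def flagged_names(log):
    """Map each flagged entry name to its reasons (convenience for callers)."""
    return {name: reasons for _, name, reasons in triage(log)}


if __name__ == '__main__':
    for kind, name, reasons in triage(SAMPLE_LOG):
        print(f'{kind:8}{name:20}' + '; '.join(reasons))
```

Run against the excerpt, the script leaves `ctfmon.exe`, `QuickTime Task` and `vsdatant` alone and reports the four rogue `Run` values, the loopback proxy on port 5555 (which matches the redirect symptom), the `efyosqni` driver with no file behind it and `pnicml.sys` loading from the user's temp directory. The `Run` values matter even after a scanner has deleted the DLLs: Windows still launches `rundll32` with the stale argument at logon, which is exactly the "could not be found" dialog described in the post, so the registry values need removing along with the files.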

Hello,

My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------

In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log


Hi, Elise.

Thx for the quick reply. As I stated in my initial message, I was hit with the AV Security Suite Friday Virus, 6-18-10.

I first followed every step listed here: http://www.bleepingcomputer.com/virus-remo...-security-suite

Second phase was everything here: http://forums.malwarebytes.org/index.php?showtopic=9573

MBAM 1st run log included in original post zip file - deleted 39 infections. Upon reboot, I noticed a warning box stating "RUNDLL: The rundll for xhreiu.exe could not be found." I mistakenly clicked "Ok", not thinking that in order for this to show up, the virus must still be on my computer somewhere.

Ran rkill.exe again and mbam. Second MBAM log included in zip file as it still showed 2 infected files and same warning window appeared on restart. As a third MBAM scan showed no infections, I went on the internet to test it. I did download a copy of videos. When the pop-ups and redirects started again, I immediately shut my computer down again.

Today, I ran the programs you requested (OTL & GMER) and MBAM and have the log files that should help you track this virus down.

Current symptoms: (1) a RUNDLL warning window that appears on restart stating, "Error loading gyuuv.dll. The specified module could not be found."

(2) Pop-ups and re-directs continue with explorer.

I know this is still hiding as my MBAM log file from today showed 9 infections. I ran this after OTL and GMER and DID NOT remove them yet. Also, I have not loaded or updated any programs since being hit with this.

Any help is greatly appreciated.

OTL Log:

OTL logfile created on: 6/21/2010 11:57:47 AM - Run 1

OTL by OldTimer - Version 3.2.6.1 Folder = C:\Documents and Settings\Rob\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 584.00 Mb Available Physical Memory | 57.00% Memory free

2.00 Gb Paging File | 1.00 Gb Available in Paging File | 79.00% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files

Drive C: | 74.52 Gb Total Space | 10.65 Gb Free Space | 14.29% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

Drive G: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

H: Drive not present or media not loaded

Drive I: | 7.47 Gb Total Space | 3.83 Gb Free Space | 51.20% Space Free | Partition Type: FAT32

Computer Name: ROB-CCA219EB460

Current User Name: Rob

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/21 11:40:06 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rob\Desktop\OTL.exe

PRC - [2009/09/26 00:32:18 | 000,189,736 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2005/04/04 19:58:30 | 003,502,080 | ---- | M] () -- C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe

PRC - [2005/04/04 19:58:30 | 000,856,064 | ---- | M] (Adobe Sytems Incorporated) -- C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

PRC - [2005/04/04 19:58:28 | 000,163,840 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe

PRC - [2004/06/17 17:14:10 | 000,393,216 | ---- | M] () -- C:\Program Files\Wireless LAN\WLanUtil.exe

PRC - [2004/04/29 15:16:38 | 000,102,400 | ---- | M] (Sigmatel) -- C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\stacsystray.exe

PRC - [2004/04/29 15:15:10 | 000,081,920 | ---- | M] () -- C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\sigservice.exe

PRC - [2004/04/29 15:11:52 | 000,815,174 | ---- | M] () -- C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\stacsrv.exe

========== Modules (SafeList) ==========

MOD - [2010/06/21 11:40:06 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rob\Desktop\OTL.exe

MOD - [2008/04/13 17:12:08 | 000,180,736 | ---- | M] () -- C:\WINDOWS\ijasudevibeb.dll

MOD - [2008/04/13 17:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - [2010/03/29 08:51:54 | 000,068,000 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®

SRV - [2009/09/26 00:32:18 | 000,189,736 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe -- (FreeAgentGoNext Service)

SRV - [2005/04/04 19:58:28 | 000,163,840 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe -- (Adobe Version Cue CS2)

SRV - [2004/07/14 06:09:36 | 000,918,792 | ---- | M] (Zone Labs Inc.) [On_Demand | Stopped] -- C:\windows\System32\ZoneLabs\vsmon.exe -- (vsmon)

SRV - [2004/04/29 15:15:10 | 000,081,920 | ---- | M] () [Auto | Running] -- C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\sigservice.exe -- (SigService)

========== Driver Services (SafeList) ==========

DRV - [2009/02/24 18:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mcdbus.sys -- (mcdbus)

DRV - [2007/08/06 17:15:07 | 000,033,052 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\scdemu.sys -- (SCDEmu)

DRV - [2005/09/12 04:30:00 | 000,089,264 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\windows\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)

DRV - [2005/09/08 06:20:00 | 000,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)

DRV - [2005/09/08 06:20:00 | 000,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)

DRV - [2005/09/08 06:20:00 | 000,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)

DRV - [2005/09/08 06:20:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)

DRV - [2005/09/08 06:20:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)

DRV - [2005/09/08 06:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)

DRV - [2005/09/08 06:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)

DRV - [2005/08/25 13:16:52 | 000,005,628 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)

DRV - [2005/08/25 13:16:16 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)

DRV - [2005/08/12 06:20:00 | 000,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)

DRV - [2005/08/09 22:35:42 | 001,273,856 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)

DRV - [2004/12/22 02:32:12 | 000,369,024 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)

DRV - [2004/07/14 06:09:22 | 000,270,672 | ---- | M] (Zone Labs Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)

DRV - [2004/04/15 09:18:34 | 000,262,128 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97)

DRV - [2004/03/30 11:29:36 | 000,118,106 | ---- | M] (Mars Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mr97310v.sys -- (MR97310_VGA_DUAL_CAMERA)

DRV - [2003/12/17 10:50:00 | 000,070,801 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFlt2.Sys -- (LMouFlt2)

DRV - [2003/12/17 10:50:00 | 000,051,729 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\L8042pr2.Sys -- (L8042pr2)

DRV - [2003/12/17 10:50:00 | 000,037,887 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidUsb.sys -- (LHidUsb)

DRV - [2003/12/17 10:50:00 | 000,025,505 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFlt2.Sys -- (LHidFlt2)

DRV - [2003/11/26 02:31:26 | 001,205,418 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)

DRV - [2000/12/12 16:45:52 | 000,008,679 | ---- | M] ( ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SCI0PL.SYS -- (PLSCSI)

DRV - [2000/12/12 16:41:54 | 000,021,510 | ---- | M] ( ) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\SCI1PL.SYS -- (USBAtapi2000)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1644491937-562591055-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKU\S-1-5-21-1644491937-562591055-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1644491937-562591055-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-21-1644491937-562591055-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

FF - HKLM\software\mozilla\Firefox\extensions\\{782B83DA-814E-46C7-8739-473536BB1E42}: C:\Documents and Settings\Rob\Local Settings\Application Data\{782B83DA-814E-46C7-8739-473536BB1E42} [2010/06/18 20:12:03 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2008/08/11 08:35:17 | 000,000,686 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\HOSTS

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (SBCONVERT Class) - {3017FB3E-9A77-4396-88C5-0EC9548FB42F} - C:\Program Files\SpeedBit Video Downloader\Toolbar\tbcore3.dll ()

O2 - BHO: (SearchPredictObj Class) - {389943B0-C3A2-4E69-82CB-8596A84CB3DC} - C:\Program Files\SearchPredict\SearchPredict.dll (Speedbit Ltd.)

O2 - BHO: (adShotHlpr Object) - {3A69A58C-EA69-4552-BDB3-8C835F4807E2} - C:\WINDOWS\system32\gyuuv.dll ()

O2 - BHO: (moigh Object) - {452B0514-BEB1-4E0E-9E03-9DC2C227BD42} - C:\WINDOWS\system32\cyuuv.dll ()

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)

O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()

O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)

O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (Google Inc.)

O2 - BHO: (DAPIELoader Class) - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Download Accelerator Plus\dapieloader.dll (SpeedBit Ltd.)

O2 - BHO: (GrabberObj Class) - {FF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\SpeedBit Video Downloader\Toolbar\Grabber.dll (Speedbit Ltd.)

O3 - HKLM\..\Toolbar: (SpeedBit Video Downloader) - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - C:\Program Files\SpeedBit Video Downloader\Toolbar\tbcore3.dll ()

O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()

O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKU\S-1-5-21-1644491937-562591055-725345543-1003\..\Toolbar\WebBrowser: (SpeedBit Video Downloader) - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - C:\Program Files\SpeedBit Video Downloader\Toolbar\tbcore3.dll ()

O3 - HKU\S-1-5-21-1644491937-562591055-725345543-1003\..\Toolbar\WebBrowser: (&Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()

O3 - HKU\S-1-5-21-1644491937-562591055-725345543-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O4 - HKLM..\Run: [Adobe Version Cue CS2] C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe (Adobe Sytems Incorporated)

O4 - HKLM..\Run: [Fbijijamehigatag] C:\windows\ijasudevibeb.DLL ()

O4 - HKLM..\Run: [MChk] C:\WINDOWS\system32\tyuuv.exe ()

O4 - HKLM..\Run: [skb] C:\windows\System32\gyuuv.dll ()

O4 - HKLM..\Run: [stacSysTray] C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\stacsystray.exe (Sigmatel)

O4 - HKU\S-1-5-21-1644491937-562591055-725345543-1003..\Run: [uficofezipahal] C:\windows\mdshol.DLL (MaresWEB)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\IEEE 802.11g USB Wireless LAN Utility.lnk = C:\Program Files\Wireless LAN\WLanUtil.exe ()

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-1644491937-562591055-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O7 - HKU\S-1-5-21-1644491937-562591055-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-1644491937-562591055-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0

O8 - Extra context menu item: &Clean Traces - C:\Program Files\Download Accelerator Plus\Privacy Package\dapcleanerie.htm ()

O8 - Extra context menu item: &Download with &DAP - C:\Program Files\Download Accelerator Plus\dapextie.htm ()

O8 - Extra context menu item: Download &all with DAP - C:\Program Files\Download Accelerator Plus\dapextie2.htm ()

O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()

O9 - Extra Button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Flash Decompiler Trillix\saveflash\iebt.dll File not found

O9 - Extra 'Tools' menuitem : Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Flash Decompiler Trillix\saveflash\iebt.dll File not found

O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O9 - Extra Button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()

O9 - Extra 'Tools' menuitem : Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shock...director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1196226844085 (WUWebControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)

O16 - DPF: Web-Based Email Tools https://email.secureserver.net/Download.CAB (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\windows\System32\ati2evxx.dll (ATI Technologies Inc.)

O24 - Desktop WallPaper: C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2007/11/27 20:05:29 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2008/05/06 05:26:23 | 000,000,309 | R--- | M] () - G:\autorun.inf -- [ CDFS ]

O33 - MountPoints2\{2a265d8c-ff84-11dd-9d58-00904b728919}\Shell - "" = AutoRun

O33 - MountPoints2\{2a265d8c-ff84-11dd-9d58-00904b728919}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{2a265d8c-ff84-11dd-9d58-00904b728919}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- [2007/10/23 00:45:39 | 001,336,632 | R--- | M] ()

O33 - MountPoints2\{d02d51ae-9fed-11dc-9be5-00904b728919}\Shell\AutoRun\command - "" = G:\setupSNK.exe -- File not found

O33 - MountPoints2\{ff9783a4-638d-11df-9e4c-00904b728919}\Shell\AutoRun\command - "" = D:\USERINIT.EXE -- File not found

O33 - MountPoints2\G\Shell - "" = AutoRun

O33 - MountPoints2\G\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- [2007/10/23 00:45:39 | 001,336,632 | R--- | M] ()

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/21 11:57:18 | 000,574,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Rob\Desktop\OTL.exe

[2010/06/18 20:12:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Local Settings\Application Data\{782B83DA-814E-46C7-8739-473536BB1E42}

[2010/06/18 20:11:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Application Data\Street-Ads

[2010/06/18 20:11:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Application Data\Sky-Banners

[2010/06/18 20:10:43 | 000,000,000 | ---D | C] -- C:\Program Files\$NtUninstallWTF1012$

[2010/06/18 20:10:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Local Settings\Application Data\ibyavpydp

[2010/06/16 17:33:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Application Data\Free AVI MPEG WMV MP4 FLV Video Joiner

[2010/06/16 14:12:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\My Documents\My DAP Downloads

[2010/06/16 14:11:53 | 000,172,032 | ---- | C] (Jin Hui E-mail: jinhui@jcomsoft.com Web: http://www.jcomsoft.com) -- C:\windows\System32\AniGIF.ocx

[2010/06/16 14:11:50 | 000,000,000 | ---D | C] -- C:\Program Files\Download Accelerator Plus

[2010/06/16 14:11:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Application Data\Toolbar4

[2010/06/16 14:11:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SpeedBit

[2010/06/16 14:11:12 | 000,000,000 | ---D | C] -- C:\Program Files\SearchPredict

[2010/06/16 14:11:10 | 000,000,000 | ---D | C] -- C:\Program Files\SpeedBit Video Downloader

[2010/06/13 18:00:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\My Documents\StreamTransport

[2010/06/13 17:54:07 | 003,982,240 | ---- | C] (Adobe Systems, Inc.) -- C:\windows\System32\Flash10d.ocx

[2010/06/13 17:54:06 | 000,000,000 | ---D | C] -- C:\Program Files\StreamTransport

[2010/06/13 14:45:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Application Data\Moyea

[2010/06/13 12:41:05 | 000,000,000 | ---D | C] -- C:\tmpDownload

[2010/06/13 12:41:05 | 000,000,000 | ---D | C] -- C:\Download

[2010/06/13 12:41:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Local Settings\Application Data\PCHealth

[2010/06/12 23:32:14 | 000,000,000 | ---D | C] -- C:\Program Files\YouTube Music Downloader

[2010/06/12 23:24:58 | 000,000,000 | ---D | C] -- C:\Program Files\Hulu Downloader

[2010/06/06 00:53:13 | 000,000,000 | ---D | C] -- C:\Program Files\DVDFab 7

[2010/06/04 13:03:19 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\SourceTec

[2010/06/04 11:25:28 | 000,000,000 | ---D | C] -- C:\Program Files\SWF Picture Extractor

[2010/06/03 16:35:30 | 000,000,000 | -HSD | C] -- C:\RECYCLER

[2010/06/03 16:21:05 | 000,000,000 | -HSD | C] -- C:\windows\Installer

[2010/02/16 12:01:35 | 000,021,510 | ---- | C] ( ) -- C:\windows\System32\drivers\SCI1PL.SYS

[2010/02/16 12:01:35 | 000,008,679 | ---- | C] ( ) -- C:\windows\System32\drivers\SCI0PL.SYS

[2004/11/24 12:25:52 | 000,335,872 | ---- | C] ( ) -- C:\windows\System32\drvc.dll

[5 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

[1 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/21 11:56:32 | 000,000,120 | ---- | M] () -- C:\windows\Jqoqokezezocohof.dat

[2010/06/21 11:56:21 | 000,013,646 | ---- | M] () -- C:\windows\System32\wpa.dbl

[2010/06/21 11:54:10 | 000,000,236 | ---- | M] () -- C:\windows\tasks\OGALogon.job

[2010/06/21 11:54:00 | 000,000,006 | -H-- | M] () -- C:\windows\tasks\SA.DAT

[2010/06/21 11:53:51 | 000,002,048 | --S- | M] () -- C:\windows\bootstat.dat

[2010/06/21 11:40:06 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rob\Desktop\OTL.exe

[2010/06/21 00:29:42 | 000,000,000 | ---- | M] () -- C:\windows\Rxesalifipulukel.bin

[2010/06/21 00:22:28 | 000,146,944 | ---- | M] () -- C:\Documents and Settings\Rob\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/06/19 21:14:36 | 000,446,154 | ---- | M] () -- C:\windows\System32\perfh009.dat

[2010/06/19 21:14:36 | 000,073,088 | ---- | M] () -- C:\windows\System32\perfc009.dat

[2010/06/19 21:14:35 | 000,528,920 | ---- | M] () -- C:\windows\System32\PerfStringBackup.INI

[2010/06/19 21:08:17 | 016,777,216 | ---- | M] () -- C:\Documents and Settings\Rob\ntuser.dat

[2010/06/19 21:08:17 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Rob\ntuser.ini

[2010/06/19 21:08:11 | 004,864,052 | -H-- | M] () -- C:\Documents and Settings\Rob\Local Settings\Application Data\IconCache.db

[2010/06/19 00:15:43 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Rob\defogger_reenable

[2010/06/18 23:38:48 | 003,715,012 | ---- | M] () -- C:\Documents and Settings\Rob\Desktop\ComboFix.exe

[2010/06/18 23:29:42 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Rob\Desktop\bl0v13q9.exe

[2010/06/18 23:28:44 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Rob\Desktop\dds.scr

[2010/06/18 23:26:46 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Rob\Desktop\Defogger.exe

[2010/06/18 21:18:17 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\Rob\Desktop\rkill.com

[2010/06/18 21:17:25 | 000,000,664 | ---- | M] () -- C:\windows\System32\d3d9caps.dat

[2010/06/18 20:11:13 | 000,051,021 | ---- | M] () -- C:\windows\System32\vcxyvcobktfktq.exe

[2010/06/16 23:04:00 | 000,327,680 | ---- | M] () -- C:\windows\System32\gyuuv.dll

[2010/06/16 22:56:14 | 000,310,784 | ---- | M] () -- C:\windows\System32\cyuuv.dll

[2010/06/16 14:11:53 | 000,172,032 | ---- | M] (Jin Hui E-mail: jinhui@jcomsoft.com Web: http://www.jcomsoft.com) -- C:\windows\System32\AniGIF.ocx

[2010/06/13 23:39:53 | 000,783,777 | ---- | M] () -- C:\Documents and Settings\Rob\Application Data\vso_ts_preview.xml

[2010/06/13 17:54:11 | 000,000,728 | ---- | M] () -- C:\Documents and Settings\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\ StreamTransport.lnk

[2010/06/12 23:25:26 | 000,000,516 | ---- | M] () -- C:\windows\System32\gfbaksm.dll

[2010/06/12 23:25:26 | 000,000,516 | ---- | M] () -- C:\windows\System32\gfbaksm.dat

[2010/06/12 16:48:46 | 000,525,568 | ---- | M] () -- C:\windows\System32\FNTCACHE.DAT

[2010/06/12 13:56:39 | 000,001,374 | ---- | M] () -- C:\windows\imsins.BAK

[2010/06/09 17:33:40 | 000,028,000 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\index.swf

[2010/06/08 07:51:54 | 000,040,629 | ---- | M] () -- C:\windows\System32\tyuuv.exe

[2010/06/08 07:51:54 | 000,040,629 | ---- | M] () -- C:\windows\System32\khtei.exe

[2010/06/06 00:53:18 | 000,000,646 | ---- | M] () -- C:\Documents and Settings\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\DVDFab 7.lnk

[2010/06/06 00:53:18 | 000,000,628 | ---- | M] () -- C:\Documents and Settings\Rob\Desktop\DVDFab 7.lnk

[2010/06/04 13:03:20 | 000,014,699 | ---- | M] () -- C:\windows\unins000.dat

[2010/06/04 13:02:15 | 000,695,642 | ---- | M] () -- C:\windows\unins000.exe

[2010/06/04 11:25:29 | 000,001,784 | ---- | M] () -- C:\Documents and Settings\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\SWF Picture Extractor.lnk

[2010/05/24 22:38:04 | 000,309,248 | ---- | M] () -- C:\windows\System32\arttvriu.dll

[2010/05/24 22:37:48 | 000,327,680 | ---- | M] () -- C:\windows\System32\hrskcdec.dll

[2010/05/24 09:31:20 | 000,040,633 | ---- | M] () -- C:\windows\System32\uxvaloyi.exe

[2010/05/24 09:04:57 | 001,145,856 | ---- | M] () -- C:\Winphlash1656.exe

[5 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

[1 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/19 00:15:43 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Rob\defogger_reenable

[2010/06/19 00:14:37 | 003,715,012 | ---- | C] () -- C:\Documents and Settings\Rob\Desktop\ComboFix.exe

[2010/06/19 00:14:37 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Rob\Desktop\dds.scr

[2010/06/19 00:14:37 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Rob\Desktop\bl0v13q9.exe

[2010/06/19 00:14:21 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Rob\Desktop\Defogger.exe

[2010/06/18 21:18:14 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\Rob\Desktop\rkill.com

[2010/06/18 21:17:25 | 000,000,664 | ---- | C] () -- C:\windows\System32\d3d9caps.dat

[2010/06/18 20:12:05 | 000,000,000 | ---- | C] () -- C:\windows\Rxesalifipulukel.bin

[2010/06/18 20:12:04 | 000,000,120 | ---- | C] () -- C:\windows\Jqoqokezezocohof.dat

[2010/06/18 20:10:51 | 000,051,021 | ---- | C] () -- C:\windows\System32\vcxyvcobktfktq.exe

[2010/06/16 23:04:00 | 000,327,680 | ---- | C] () -- C:\windows\System32\gyuuv.dll

[2010/06/16 22:56:14 | 000,310,784 | ---- | C] () -- C:\windows\System32\cyuuv.dll

[2010/06/13 17:54:11 | 000,000,728 | ---- | C] () -- C:\Documents and Settings\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\ StreamTransport.lnk

[2010/06/12 23:25:26 | 000,000,516 | ---- | C] () -- C:\windows\System32\gfbaksm.dll

[2010/06/12 23:25:26 | 000,000,516 | ---- | C] () -- C:\windows\System32\gfbaksm.dat

[2010/06/09 17:35:15 | 000,028,000 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\index.swf

[2010/06/08 07:51:54 | 000,040,629 | ---- | C] () -- C:\windows\System32\tyuuv.exe

[2010/06/08 07:51:54 | 000,040,629 | ---- | C] () -- C:\windows\System32\khtei.exe

[2010/06/06 00:53:18 | 000,000,646 | ---- | C] () -- C:\Documents and Settings\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\DVDFab 7.lnk

[2010/06/06 00:53:18 | 000,000,628 | ---- | C] () -- C:\Documents and Settings\Rob\Desktop\DVDFab 7.lnk

[2010/06/04 13:03:18 | 000,695,642 | ---- | C] () -- C:\windows\unins000.exe

[2010/06/04 13:03:18 | 000,014,699 | ---- | C] () -- C:\windows\unins000.dat

[2010/06/04 11:25:28 | 000,001,784 | ---- | C] () -- C:\Documents and Settings\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\SWF Picture Extractor.lnk

[2010/06/03 16:20:45 | 000,001,374 | ---- | C] () -- C:\windows\imsins.BAK

[2010/05/24 22:38:04 | 000,309,248 | ---- | C] () -- C:\windows\System32\arttvriu.dll

[2010/05/24 22:37:48 | 000,327,680 | ---- | C] () -- C:\windows\System32\hrskcdec.dll

[2010/05/24 09:31:20 | 000,040,633 | ---- | C] () -- C:\windows\System32\uxvaloyi.exe

[2010/05/24 09:05:09 | 001,145,856 | ---- | C] () -- C:\Winphlash1656.exe

[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\windows\System32\OGACheckControl.dll

[2008/12/19 08:15:58 | 004,338,246 | ---- | C] () -- C:\windows\System32\libavcodec.dll

[2008/12/17 10:41:18 | 000,884,237 | ---- | C] () -- C:\windows\System32\ff_x264.dll

[2008/12/17 10:22:58 | 000,093,184 | ---- | C] () -- C:\windows\System32\ff_wmv9.dll

[2008/12/17 10:22:48 | 000,057,344 | ---- | C] () -- C:\windows\System32\ff_vfw.dll

[2008/12/17 10:17:34 | 000,239,247 | ---- | C] () -- C:\windows\System32\ff_theora.dll

[2008/12/17 09:59:54 | 000,560,802 | ---- | C] () -- C:\windows\System32\libmplayer.dll

[2008/12/11 04:27:02 | 000,000,547 | ---- | C] () -- C:\windows\System32\ff_vfw.dll.manifest

[2008/11/06 09:37:32 | 003,596,288 | ---- | C] () -- C:\windows\System32\qt-dx331.dll

[2008/11/06 09:34:00 | 000,000,416 | ---- | C] () -- C:\windows\System32\dtu100.dll.manifest

[2008/11/06 09:34:00 | 000,000,416 | ---- | C] () -- C:\windows\System32\dpl100.dll.manifest

[2008/11/06 09:33:02 | 000,012,288 | ---- | C] () -- C:\windows\System32\DivXWMPExtType.dll

[2008/10/01 14:21:59 | 000,000,373 | ---- | C] () -- C:\windows\System32\CNCMFP20.INI

[2008/10/01 14:08:22 | 000,000,532 | ---- | C] () -- C:\windows\MAXLINK.INI

[2008/06/12 11:50:05 | 000,667,280 | ---- | C] () -- C:\windows\System32\tx12.dll

[2008/06/12 11:50:05 | 000,000,530 | ---- | C] () -- C:\windows\System32\tx12_ic.ini

[2008/05/31 20:57:51 | 000,069,632 | R--- | C] () -- C:\windows\System32\xmltok.dll

[2008/05/31 20:57:51 | 000,036,864 | R--- | C] () -- C:\windows\System32\xmlparse.dll

[2008/04/02 14:49:00 | 000,000,021 | ---- | C] () -- C:\windows\THUMBV~1.INI

[2008/04/02 13:40:47 | 000,000,107 | ---- | C] () -- C:\windows\marscam.ini

[2008/04/02 13:29:40 | 000,000,029 | ---- | C] () -- C:\windows\DEBUGSM.INI

[2007/11/28 19:43:06 | 000,000,170 | ---- | C] () -- C:\windows\wininit.ini

[2007/11/28 19:40:53 | 000,000,376 | ---- | C] () -- C:\windows\ODBC.INI

[2007/11/27 22:07:15 | 000,028,672 | ---- | C] () -- C:\windows\System32\InsDrvZD.dll

[2007/11/27 20:48:36 | 000,192,512 | ---- | C] () -- C:\windows\System32\stac97co.dll

[2005/11/18 11:47:26 | 000,000,000 | ---- | C] () -- C:\windows\System32\px.ini

[2004/10/03 10:50:54 | 000,129,024 | ---- | C] () -- C:\windows\System32\ff_mpeg2enc.dll

[2004/08/04 03:00:00 | 000,180,736 | ---- | C] () -- C:\windows\ijasudevibeb.dll

[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\windows\System32\OUTLPERF.INI

[2001/10/12 10:58:20 | 000,028,672 | ---- | C] () -- C:\windows\System32\mr310exd.dll

[2001/10/12 10:57:18 | 000,036,864 | ---- | C] () -- C:\windows\System32\mr310exv.dll

[2000/12/07 10:13:58 | 000,015,164 | ---- | C] () -- C:\windows\Mr310twv.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\windows\AGRSMMSG.exe:SummaryInformation

@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F4CA4D70

@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:010ADD2C

< End of report >

OTL Extras:

OTL Extras logfile created on: 6/21/2010 11:57:47 AM - Run 1

OTL by OldTimer - Version 3.2.6.1 Folder = C:\Documents and Settings\Rob\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 584.00 Mb Available Physical Memory | 57.00% Memory free

2.00 Gb Paging File | 1.00 Gb Available in Paging File | 79.00% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files

Drive C: | 74.52 Gb Total Space | 10.65 Gb Free Space | 14.29% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

Drive G: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

H: Drive not present or media not loaded

Drive I: | 7.47 Gb Total Space | 3.83 Gb Free Space | 51.20% Space Free | Partition Type: FAT32

Computer Name: ROB-CCA219EB460

Current User Name: Rob

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [AddToPlaylistVLC] -- C:\Program Files\VLC\SlimDVD\vlc.exe --started-from-file --playlist-enqueue "%1" ()

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [PlayWithVLC] -- C:\Program Files\VLC\SlimDVD\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 1

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" = C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe:*:Enabled:Adobe Version Cue CS2 -- (Adobe Systems Incorporated)

"C:\Program Files\Halo\halo.exe" = C:\Program Files\Halo\halo.exe:*:Disabled:Halo -- (Microsoft Corporation)

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

"C:\Program Files\Vuze\Azureus.exe" = C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus / Vuze -- (Vuze Inc.)

"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" = C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware -- (Malwarebytes Corporation)

"C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe" = C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:*:Disabled:Crysis_32 -- (Crytek GmbH)

"C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe" = C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:*:Disabled:CrysisDedicatedServer_32 -- (Crytek GmbH)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"$NtUninstallMTF1011$" = Street-Ads Browser Enhancer

"$NtUninstallWTF1012$" = Sky-Banners browser enhancer

"{000E79B7-E725-4F01-870A-C12942B7F8E4}" = Crysis®

"{0134A1A1-C283-4A47-91A1-92F19F960372}" = Adobe Creative Suite 2

"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour

"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data

"{084A9731-D05B-4ADA-B4A0-0ADD25FD7152}" = Splinter Cell Pandora Tomorrow

"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support

"{1028298A-31E5-4881-BF14-749E1822D95B}" = Desktop Notifier

"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA

"{132CA5D9-C745-4B0B-A3B2-8C7A6EC3EE7E}" = Canon MF Toolbox 4.9.1.1.mf01

"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter

"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate

"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer

"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2

"{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java 6 Update 15

"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com

"{2A30052B-831C-41D3-8044-3C0388066350}" = Seagate Manager Installer

"{303379C9-8610-4CCF-AF37-C4BF8998C591}" = Roxio Media Manager

"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{39930321-4C58-4B8B-BCBF-342698C9801D}" = Max Payne

"{3F873E63-1CA5-4bdb-A8C7-D97012496DE3}" = Canon MF6500 Series

"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker

"{44E75850-B838-43D2-8F37-84D3FB71FF6E}" = VGA Dual-Mode Camera

"{46548E80-0409-0000-7E8A-45000F855001}" = Adobe GoLive CS2

"{5809E7CF-4DCF-11D4-9875-00105ACE7734}" = Logitech MouseWare 9.79.1

"{581CE7EA-A30D-F000-1211-088635773309}" = IEEE 802.11g USB Wireless LAN Adapter

"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler

"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{6C08753F-2A90-494A-BD09-E3F222B2BDCA}" = USB-IDE Bridge Driver

"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{762AF025-5F67-4FBA-9410-87714793773D}" = BlackBerry v4.2.2 for the 8830 Series Wireless Device

"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}" = OmniPage SE 2.0

"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec

"{7F4C8163-F259-49A0-A018-2857A90578BC}" = Adobe InDesign CS2

"{7FC84AD6-D939-41A0-A3DF-FB9B511FF275}_is1" = Sothink SWF Catcher for Internet Explorer

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player

"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer

"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system

"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage

"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003

"{9E6FC409-8E34-471C-9AF0-951B958C221B}" = Encina DiscMaker

"{A174402A-2EE6-4B86-A930-7BC85A9933BD}" = Tom Clancy's Splinter Cell

"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime

"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = C-Major Audio Driver and Applications

"{A804B134-F03D-4EFD-9BC0-DCD257AA1B22}" = Hitman Blood Money

"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder

"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter

"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support

"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio

"{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional

"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2

"{ADBE46EE-54E0-4610-B436-D7E93D829100}" = Adobe Version Cue CS2

"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder

"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy

"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter

"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0

"{B2F5D08C-7E79-4FCD-AAF4-57AD35FF0601}" = Adobe Illustrator CS2

"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy

"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player

"{B74D4E10-6884-0000-0000-000000000103}" = Adobe Bridge 1.0

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C49DAA9C-5BA8-459A-8244-E57B69DF0F04}" = Suite Specific

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D1A9F6F0-E5EE-4801-8622-ABF420A2425A}" = Desktop Notifier

"{D6DBDC2A-E72C-4284-B6AD-6B3B61B4DABC}" = Far Cry

"{DA34FE93-5DC5-48E0-ACC8-A5389E05BB51}" = iTunes

"{DB6AB705-C9BD-40E3-8929-2EA57F36A4FF}_is1" = ConvertXtoDVD 4.0.9.322

"{DE7A46A8-D4DA-4EE0-AD6C-326049517BF2}" = BlackBerry Desktop Software 4.3

"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager

"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0

"{EE0D5DCD-2B97-4473-98DF-E93C0BD92F7A}" = Adobe Stock Photos 1.0

"{EFE1AB94-5466-4B6E-BE31-FF4C115FD25D}" = Max Payne 2

"{FA0BBB87-91A1-4BFD-9005-EB058BBA0E14}_is1" = StreamTransport version: 1.0.2.1975

"7-Zip" = 7-Zip 4.65

"8461-7759-5462-8226" = Vuze

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Shockwave Player" = Adobe Shockwave Player 11.5

"Adobe SVG Viewer" = Adobe SVG Viewer 3.0

"Advanced SystemCare 3_is1" = Advanced SystemCare 3

"Agere Systems Soft Modem" = Agere Systems AC'97 Modem

"ATI Display Driver" = ATI Display Driver

"BlackBerry_{DE7A46A8-D4DA-4EE0-AD6C-326049517BF2}" = BlackBerry Desktop Software 4.3

"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters

"Download Accelerator Plus (DAP)" = Download Accelerator Plus (DAP)

"DVD Shrink_is1" = DVD Shrink 3.2

"DVDFab 7_is1" = DVDFab 7.0.6.7 (30/05/2010)

"Halo" = Microsoft Halo

"HijackThis" = HijackThis 2.0.2

"Hitman 2: Silent Assassin" = Hitman 2: Silent Assassin

"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs

"ie7" = Windows Internet Explorer 7

"ImgBurn" = ImgBurn

"InstallShield_{2A30052B-831C-41D3-8044-3C0388066350}" = Seagate Manager Installer

"InstallShield_{D6DBDC2A-E72C-4284-B6AD-6B3B61B4DABC}" = Far Cry

"Magic ISO Maker v5.5 (build 0273)" = Magic ISO Maker v5.5 (build 0273)

"MagicDisc 2.7.106" = MagicDisc 2.7.106

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"mr97310v_d627f051ae9bfa697d2ded113879197412f3f2b1" = Windows Driver Package - Camera Maker (MR97310_VGA_DUAL_CAMERA) Image 03/30/2004 2.0.0.0

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

"PowerISO" = PowerISO

"Presto! Mr.Photo 3" = Presto! Mr.Photo 3

"PROSet" = Intel® PRO Network Connections Drivers

"SpeedBit Video Downloader" = SpeedBit Video Downloader

"Ultimate Business Plan Starter" = Ultimate Business Plan Starter

"vcxyvcobktfktq" = Performance Platform Voguecash

"VLC media player" = VLC media player 0.9.8a

"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows XP Service Pack" = Windows XP Service Pack 3

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

"XP Codec Pack" = XP Codec Pack

"ZoneAlarm Pro" = ZoneAlarm Pro

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 6/20/2010 5:32:41 PM | Computer Name = ROB-CCA219EB460 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The connection with the server was terminated abnormally

Error - 6/20/2010 5:32:42 PM | Computer Name = ROB-CCA219EB460 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

Error - 6/20/2010 7:33:20 PM | Computer Name = ROB-CCA219EB460 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The connection with the server was terminated abnormally

Error - 6/20/2010 9:33:52 PM | Computer Name = ROB-CCA219EB460 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The connection with the server was terminated abnormally

Error - 6/20/2010 11:34:59 PM | Computer Name = ROB-CCA219EB460 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The connection with the server was terminated abnormally

Error - 6/21/2010 1:35:10 AM | Computer Name = ROB-CCA219EB460 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The connection with the server was terminated abnormally

Error - 6/21/2010 3:35:23 AM | Computer Name = ROB-CCA219EB460 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The connection with the server was terminated abnormally

Error - 6/21/2010 3:35:24 AM | Computer Name = ROB-CCA219EB460 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

Error - 6/21/2010 2:56:58 PM | Computer Name = ROB-CCA219EB460 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The connection with the server was terminated abnormally

Error - 6/21/2010 2:56:59 PM | Computer Name = ROB-CCA219EB460 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

[ Encina Events ]

Error - 4/17/2010 11:15:23 PM | Computer Name = ROB-CCA219EB460 | Source = Encina.Agents.ErrorHandlingAgent | ID = 0

Description = <Trace><Type>64</Type><PID>4684</PID><PNAME>Encina.MediaSuite</PNAME><TID>1</TID><Location>MediaSuite</Location><DeviceKey>BFEBFBFF00000F29</DeviceKey><Guid>fa82def4-c9a3-4a80-8307-35e3b9222127</Guid><Version>Encina.Framework,

Version=1.1.1133.0, Culture=neutral, PublicKeyToken=4c48cd680ce6e82a</Version><Tick>634071321220563750</Tick><Message>Exception

has been thrown by the target of an invocation.</Message></Trace>

[ System Events ]

Error - 6/20/2010 12:10:33 AM | Computer Name = ROB-CCA219EB460 | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

IntelIde

Error - 6/20/2010 1:00:14 AM | Computer Name = ROB-CCA219EB460 | Source = Disk | ID = 262151

Description = The device, \Device\Harddisk1\D, has a bad block.

Error - 6/20/2010 1:00:38 AM | Computer Name = ROB-CCA219EB460 | Source = Disk | ID = 262151

Description = The device, \Device\Harddisk1\D, has a bad block.

Error - 6/20/2010 1:00:49 AM | Computer Name = ROB-CCA219EB460 | Source = Disk | ID = 262151

Description = The device, \Device\Harddisk1\D, has a bad block.

Error - 6/20/2010 1:01:26 AM | Computer Name = ROB-CCA219EB460 | Source = Disk | ID = 262151

Description = The device, \Device\Harddisk1\D, has a bad block.

Error - 6/20/2010 1:02:01 AM | Computer Name = ROB-CCA219EB460 | Source = Disk | ID = 262151

Description = The device, \Device\Harddisk1\D, has a bad block.

Error - 6/20/2010 1:02:11 AM | Computer Name = ROB-CCA219EB460 | Source = Disk | ID = 262151

Description = The device, \Device\Harddisk1\D, has a bad block.

Error - 6/20/2010 1:03:41 AM | Computer Name = ROB-CCA219EB460 | Source = Disk | ID = 262151

Description = The device, \Device\Harddisk1\D, has a bad block.

Error - 6/21/2010 2:56:07 PM | Computer Name = ROB-CCA219EB460 | Source = Service Control Manager | ID = 7000

Description = The USB-IDE Bridge service failed to start due to the following error:

%%1058

Error - 6/21/2010 2:57:30 PM | Computer Name = ROB-CCA219EB460 | Source = Windows Update Agent | ID = 16

Description = Unable to Connect: Windows is unable to connect to the automatic updates

service and therefore cannot download and install updates according to the set

schedule. Windows will continue to try to establish a connection.

< End of report >

GMER Log:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-06-21 15:01:21

Windows 5.1.2600 Service Pack 3

Running: bl0v13q9.exe; Driver: C:\DOCUME~1\Rob\LOCALS~1\Temp\fglyqkow.sys

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\windows\system32\drivers\ACPIEC.sys entry point in ".rsrc" section [0xF79BF194]

---- User code sections - GMER 1.0.15 ----

.text C:\windows\Explorer.EXE[340] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A

.text C:\windows\Explorer.EXE[340] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C5000A

.text C:\windows\Explorer.EXE[340] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[708] msvcrt.dll!??2@YAPAXI@Z 77C29CC5 5 Bytes JMP 0A90D480 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[708] msvcrt.dll!??3@YAXPAX@Z 77C29CDD 5 Bytes JMP 0A90D2D0 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[708] msvcrt.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C29D9F 5 Bytes JMP 0A90D500 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[708] msvcrt.dll!_aligned_offset_malloc 77C29DAF 5 Bytes JMP 0A90D3E0 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[708] msvcrt.dll!_aligned_free 77C29E33 5 Bytes JMP 0A90D2D0 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[708] msvcrt.dll!_aligned_malloc 77C29E52 5 Bytes JMP 0A90D3C0 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[708] msvcrt.dll!_aligned_offset_realloc 77C29E6E 5 Bytes JMP 0A90D420 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[708] msvcrt.dll!_aligned_realloc 77C29FC6 5 Bytes JMP 0A90D400 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[708] msvcrt.dll!_expand 77C29FE5 5 Bytes JMP 0A90D3A0 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[708] msvcrt.dll!_heapadd 77C2BC9F 5 Bytes JMP 0A90D550 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[708] msvcrt.dll!_heapchk 77C2BCB3 5 Bytes JMP 0A90D560 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[708] msvcrt.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A90D581 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[708] msvcrt.dll!_heapmin 77C2BD8C 5 Bytes JMP 0A90D650 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[708] msvcrt.dll!_heapused 77C2BE3A 5 Bytes JMP 0A90D620 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[708] msvcrt.dll!_heapwalk 77C2BE4D 5 Bytes JMP 0A90D590 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[708] msvcrt.dll!_msize 77C2BF6C 5 Bytes JMP 0A90D2E0 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[708] msvcrt.dll!calloc 77C2C0C3 5 Bytes JMP 0A90D270 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[708] msvcrt.dll!free 77C2C21B 5 Bytes JMP 0A90D2D0 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[708] msvcrt.dll!malloc 77C2C407 5 Bytes JMP 0A90D230 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[708] msvcrt.dll!realloc 77C2C437 5 Bytes JMP 0A90D2B0 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

.text C:\windows\System32\svchost.exe[1404] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A

.text C:\windows\System32\svchost.exe[1404] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A

.text C:\windows\System32\svchost.exe[1404] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C

.text C:\windows\System32\svchost.exe[1404] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00FA000A

.text C:\windows\System32\svchost.exe[1404] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00B6000A

.text C:\windows\system32\wuauclt.exe[1932] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C1000A

.text C:\windows\system32\wuauclt.exe[1932] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C2000A

.text C:\windows\system32\wuauclt.exe[1932] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C0000C

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

Device -> \Driver\atapi \Device\Harddisk0\DR0 86EC5EC5

---- Files - GMER 1.0.15 ----

File C:\windows\system32\drivers\ACPIEC.sys suspicious modification

File C:\windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

MBAM Log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4184

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

6/21/2010 4:03:33 PM

mbam-log-2010-06-21 (16-03-33).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|U:\|)

Objects scanned: 233644

Time elapsed: 46 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 14

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\cscrptxt.cscrptxt (Adware.EZlife) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{3a69a58c-ea69-4552-bdb3-8c835f4807e2} (Adware.EZlife) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3a69a58c-ea69-4552-bdb3-8c835f4807e2} (Adware.EZlife) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3a69a58c-ea69-4552-bdb3-8c835f4807e2} (Adware.EZlife) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> No action taken.

HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> No action taken.

HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> No action taken.

HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> No action taken.

HKEY_CLASSES_ROOT\adgj.aghlp (Adware.EZLife) -> No action taken.

HKEY_CLASSES_ROOT\adgj.aghlp.1 (Adware.EZLife) -> No action taken.

HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> No action taken.

HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{452b0514-beb1-4e0e-9e03-9dc2c227bd42} (Adware.AdRotator) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{452b0514-beb1-4e0e-9e03-9dc2c227bd42} (Adware.AdRotator) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\gyuuv.dll (Adware.EZlife) -> No action taken.

C:\WINDOWS\system32\cyuuv.dll (Adware.AdRotator) -> No action taken.


Hello there,

Unfortunately you have a nasty rootkit there. Before starting to clean it, please consider the following information.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Hi, Elise.

I did decide to try the ComboFix option for now. Here is the log:

ComboFix 10-06-22.02 - Rob 06/22/2010 12:12:07.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.622 [GMT -7:00]

Running from: c:\documents and settings\Rob\Desktop\ComboFix.exe

FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Rob\Application Data\inst.exe

c:\documents and settings\Rob\Application Data\Sky-Banners

c:\documents and settings\Rob\Application Data\Sky-Banners\skb\log.xml

c:\documents and settings\Rob\Application Data\Street-Ads

c:\documents and settings\Rob\Local Settings\Application Data\{782B83DA-814E-46C7-8739-473536BB1E42}

c:\documents and settings\Rob\Local Settings\Application Data\{782B83DA-814E-46C7-8739-473536BB1E42}\chrome.manifest

c:\documents and settings\Rob\Local Settings\Application Data\{782B83DA-814E-46C7-8739-473536BB1E42}\chrome\content\_cfg.js

c:\documents and settings\Rob\Local Settings\Application Data\{782B83DA-814E-46C7-8739-473536BB1E42}\chrome\content\overlay.xul

c:\documents and settings\Rob\Local Settings\Application Data\{782B83DA-814E-46C7-8739-473536BB1E42}\install.rdf

c:\program files\$NtUninstallWTF1012$

c:\program files\$NtUninstallWTF1012$\elUninstall.exe

c:\program files\SpeedBit Video Downloader\Toolbar\tbhelper.dll

c:\windows\$NtUninstallMTF1011$

c:\windows\$NtUninstallMTF1011$\apUninstall.exe

c:\windows\ijasudevibeb.dll

c:\windows\mdshol.dll

c:\windows\system32\404Fix.exe

c:\windows\system32\Agent.OMZ.Fix.exe

c:\windows\system32\arttvriu.dll

c:\windows\system32\cyuuv.dll

c:\windows\system32\dumphive.exe

c:\windows\system32\gfbaksm.dat

c:\windows\system32\gfbaksm.dll

c:\windows\system32\gyUUv.dll

c:\windows\system32\hrskcdec.dll

c:\windows\system32\IEDFix.C.exe

c:\windows\system32\IEDFix.exe

c:\windows\system32\o4Patch.exe

c:\windows\system32\Process.exe

c:\windows\system32\SrchSTS.exe

c:\windows\system32\tmp.reg

c:\windows\system32\tyuuv.exe

c:\windows\system32\VACFix.exe

c:\windows\system32\VCCLSID.exe

c:\windows\system32\vcxyvcobktfktq.exe

c:\windows\system32\WS2Fix.exe

G:\autorun.inf

Infected copy of c:\windows\system32\drivers\acpiec.sys was found and disinfected

Restored copy from - Kitty had a snack :welcome:

.

((((((((((((((((((((((((( Files Created from 2010-05-22 to 2010-06-22 )))))))))))))))))))))))))))))))

.

2010-06-22 01:57 . 2010-06-22 01:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-06-19 04:17 . 2010-06-22 01:57 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-19 03:12 . 2010-06-21 07:29 0 ----a-w- c:\windows\Rxesalifipulukel.bin

2010-06-19 03:12 . 2010-06-22 02:39 120 ----a-w- c:\windows\Jqoqokezezocohof.dat

2010-06-19 03:10 . 2010-06-19 05:12 -------- d-----w- c:\documents and settings\Rob\Local Settings\Application Data\ibyavpydp

2010-06-17 01:01 . 2010-06-17 01:01 95744 ----a-w- c:\documents and settings\All Users\Application Data\SpeedBit\DAP\SDCondition.dll

2010-06-17 00:33 . 2010-06-17 00:33 -------- d-----w- c:\documents and settings\Rob\Application Data\Free AVI MPEG WMV MP4 FLV Video Joiner

2010-06-16 23:10 . 2010-06-16 23:10 3509272 ----a-w- c:\documents and settings\All Users\Application Data\SpeedBit\DAP\Offers\VA31_DapSo.exe

2010-06-16 21:11 . 2010-06-16 23:11 -------- d-----w- c:\program files\Download Accelerator Plus

2010-06-16 21:11 . 2010-06-16 21:11 -------- d-----w- c:\documents and settings\Rob\Application Data\Toolbar4

2010-06-16 21:11 . 2010-06-16 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedBit

2010-06-16 21:11 . 2010-06-16 21:11 -------- d-----w- c:\program files\SearchPredict

2010-06-16 21:11 . 2010-06-16 21:11 -------- d-----w- c:\program files\SpeedBit Video Downloader

2010-06-14 00:54 . 2010-06-14 00:54 -------- d-----w- c:\program files\StreamTransport

2010-06-13 21:45 . 2010-06-13 21:45 -------- d-----w- c:\documents and settings\Rob\Application Data\Moyea

2010-06-13 19:41 . 2010-06-13 19:41 -------- d-----w- C:\tmpDownload

2010-06-13 19:41 . 2010-06-13 19:41 -------- d-----w- C:\Download

2010-06-13 19:41 . 2010-06-13 19:41 -------- d-----w- c:\documents and settings\Rob\Local Settings\Application Data\PCHealth

2010-06-13 06:32 . 2010-06-14 00:53 -------- d-----w- c:\program files\YouTube Music Downloader

2010-06-13 06:24 . 2010-06-13 22:09 -------- d-----w- c:\program files\Hulu Downloader

2010-05-24 16:31 . 2010-05-24 16:31 40633 ----a-w- c:\windows\system32\uxvaloyi.exe

2010-05-24 16:05 . 2010-05-24 16:04 1145856 ----a-w- C:\Winphlash1656.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-20 07:13 . 2009-09-16 03:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-06-17 21:44 . 2009-02-15 23:08 -------- d-----w- c:\program files\Vuze

2010-06-17 21:41 . 2009-02-15 23:09 -------- d-----w- c:\documents and settings\Rob\Application Data\Azureus

2010-06-14 06:39 . 2010-04-17 04:21 -------- d-----w- c:\documents and settings\Rob\Application Data\Vso

2010-06-14 06:27 . 2010-04-18 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk

2010-06-13 20:00 . 2010-03-07 02:41 -------- d-----w- c:\program files\Advanced SystemCare 3

2010-06-13 05:24 . 2010-03-19 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink

2010-06-09 20:11 . 2010-03-03 23:47 -------- d-----w- c:\documents and settings\Rob\Application Data\ImgBurn

2010-06-08 14:51 . 2010-06-08 14:51 40629 ----a-w- c:\windows\system32\khtei.exe

2010-06-06 07:53 . 2010-06-06 07:53 -------- d-----w- c:\program files\DVDFab 7

2010-06-04 20:03 . 2010-06-04 20:03 14699 ----a-w- c:\windows\unins000.dat

2010-06-04 20:03 . 2010-06-04 20:03 -------- d-----w- c:\program files\Common Files\SourceTec

2010-06-04 20:02 . 2010-06-04 20:03 695642 ----a-w- c:\windows\unins000.exe

2010-06-04 18:26 . 2010-06-04 18:25 -------- d-----w- c:\program files\SWF Picture Extractor

2010-05-19 20:36 . 2008-08-11 12:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-05-12 23:23 . 2008-08-11 23:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-12 18:30 . 2008-10-28 20:07 -------- d-----w- c:\documents and settings\Rob\Application Data\U3

2010-05-12 00:23 . 2010-05-11 23:25 -------- d-----w- c:\program files\CaptureFlash

2010-05-10 06:26 . 2010-04-17 23:47 -------- d-----w- c:\program files\ConvertXtoDVD

2010-05-09 04:22 . 2010-05-09 02:52 -------- d-----w- c:\program files\Spyware Doctor

2010-05-09 03:47 . 2009-12-17 23:06 -------- d-----w- c:\program files\NOS

2010-05-09 03:10 . 2010-05-09 02:52 -------- d-----w- c:\program files\Common Files\PC Tools

2010-05-04 17:20 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2004-08-04 10:00 17408 ------w- c:\windows\system32\corpol.dll

2010-05-02 05:22 . 2004-08-04 10:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-30 22:40 . 2009-12-17 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-04-30 22:36 . 2010-04-30 22:36 1956656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe

2010-04-29 22:39 . 2008-08-11 23:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39 . 2008-08-11 23:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-20 05:30 . 2004-08-04 10:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-19 01:02 . 2010-04-19 01:02 466136 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-04-17 23:47 . 2010-04-17 23:47 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys

2010-04-17 23:47 . 2010-04-17 23:47 47360 ----a-w- c:\documents and settings\Rob\Application Data\pcouffin.sys

2010-04-17 23:47 . 2010-04-17 23:47 47360 ----a-w- c:\documents and settings\Rob\Application Data\pcouffin.sys

2010-04-16 23:25 . 2010-04-16 23:22 90112 ----a-w- c:\windows\system32\videoul.tmp

.

((((((((((((((((((((((((((((( SnapShot@2010-05-12_22.36.41 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-06-22 19:10 . 2010-06-22 19:10 16384 c:\windows\temp\Perflib_Perfdata_634.dat

- 2007-07-18 12:42 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe

+ 2007-07-18 12:42 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe

+ 2006-03-04 03:33 . 2010-05-04 17:20 44544 c:\windows\system32\pngfilt.dll

- 2006-03-04 03:33 . 2010-03-11 12:38 44544 c:\windows\system32\pngfilt.dll

- 2004-08-04 10:00 . 2010-04-12 20:17 73088 c:\windows\system32\perfc009.dat

+ 2004-08-04 10:00 . 2010-06-22 19:00 73088 c:\windows\system32\perfc009.dat

+ 2007-08-14 02:54 . 2010-05-04 17:20 52224 c:\windows\system32\msfeedsbs.dll

- 2007-08-14 02:54 . 2010-03-11 12:38 52224 c:\windows\system32\msfeedsbs.dll

- 2007-11-30 02:18 . 2008-03-15 06:31 98304 c:\windows\system32\Macromed\Shockwave 10\SwOnce.dll

+ 2010-04-29 10:10 . 2010-04-29 10:10 98304 c:\windows\system32\Macromed\Shockwave 10\SwOnce.dll

+ 2010-04-29 10:10 . 2010-04-29 10:10 86016 c:\windows\system32\Macromed\Shockwave 10\SwMenuX.dll

- 2008-05-15 18:19 . 2008-03-15 18:38 86016 c:\windows\system32\Macromed\Shockwave 10\SwMenuX.dll

- 2007-11-30 02:18 . 2008-03-15 06:31 77824 c:\windows\system32\Macromed\Shockwave 10\SwInit.exe

+ 2010-04-29 10:10 . 2010-04-29 10:10 77824 c:\windows\system32\Macromed\Shockwave 10\SwInit.exe

+ 2010-04-29 10:10 . 2010-04-29 10:10 79488 c:\windows\system32\Macromed\Shockwave 10\gtapi.dll

+ 2010-04-29 10:10 . 2010-04-29 10:10 24576 c:\windows\system32\Macromed\Shockwave 10\DynaPlayer.dll

- 2007-11-30 02:18 . 2008-03-15 06:29 24576 c:\windows\system32\Macromed\Shockwave 10\DynaPlayer.dll

+ 2004-08-04 10:00 . 2010-05-04 17:20 27648 c:\windows\system32\jsproxy.dll

- 2004-08-04 10:00 . 2010-03-11 12:38 27648 c:\windows\system32\jsproxy.dll

+ 2003-01-05 05:09 . 2006-04-01 05:33 23040 c:\windows\system32\IntelNic.dll

+ 2007-08-14 02:39 . 2010-05-04 12:39 13824 c:\windows\system32\ieudinit.exe

- 2007-08-14 02:39 . 2010-03-10 13:18 13824 c:\windows\system32\ieudinit.exe

- 2004-08-04 10:00 . 2010-03-11 12:38 44544 c:\windows\system32\iernonce.dll

+ 2004-08-04 10:00 . 2010-05-04 17:20 44544 c:\windows\system32\iernonce.dll

- 2004-08-04 10:00 . 2010-03-10 13:18 70656 c:\windows\system32\ie4uinit.exe

+ 2004-08-04 10:00 . 2010-05-04 12:39 70656 c:\windows\system32\ie4uinit.exe

- 2007-08-14 02:36 . 2010-03-11 12:38 63488 c:\windows\system32\icardie.dll

+ 2007-08-14 02:36 . 2010-05-04 17:20 63488 c:\windows\system32\icardie.dll

+ 2003-01-05 05:09 . 2006-04-01 05:33 17408 c:\windows\system32\EtCoInst.dll

+ 2006-03-04 03:33 . 2010-05-04 17:20 44544 c:\windows\system32\dllcache\pngfilt.dll

- 2006-03-04 03:33 . 2010-03-11 12:38 44544 c:\windows\system32\dllcache\pngfilt.dll

- 2007-11-29 23:34 . 2010-03-11 12:38 52224 c:\windows\system32\dllcache\msfeedsbs.dll

+ 2007-11-29 23:34 . 2010-05-04 17:20 52224 c:\windows\system32\dllcache\msfeedsbs.dll

+ 2004-08-04 10:00 . 2010-05-04 17:20 27648 c:\windows\system32\dllcache\jsproxy.dll

- 2004-08-04 10:00 . 2010-03-11 12:38 27648 c:\windows\system32\dllcache\jsproxy.dll

- 2007-11-29 23:34 . 2010-03-10 13:18 13824 c:\windows\system32\dllcache\ieudinit.exe

+ 2007-11-29 23:34 . 2010-05-04 12:39 13824 c:\windows\system32\dllcache\ieudinit.exe

+ 2004-08-04 10:00 . 2010-05-04 17:20 44544 c:\windows\system32\dllcache\iernonce.dll

- 2004-08-04 10:00 . 2010-03-11 12:38 44544 c:\windows\system32\dllcache\iernonce.dll

+ 2004-08-04 10:00 . 2010-05-04 17:20 78336 c:\windows\system32\dllcache\ieencode.dll

- 2004-08-04 10:00 . 2010-03-11 12:38 78336 c:\windows\system32\dllcache\ieencode.dll

- 2004-08-04 10:00 . 2010-03-10 13:18 70656 c:\windows\system32\dllcache\ie4uinit.exe

+ 2004-08-04 10:00 . 2010-05-04 12:39 70656 c:\windows\system32\dllcache\ie4uinit.exe

+ 2007-11-29 23:34 . 2010-05-04 17:20 63488 c:\windows\system32\dllcache\icardie.dll

- 2007-11-29 23:34 . 2010-03-11 12:38 63488 c:\windows\system32\dllcache\icardie.dll

- 2009-06-29 16:12 . 2010-03-11 12:38 17408 c:\windows\system32\dllcache\corpol.dll

+ 2009-06-29 16:12 . 2010-05-04 17:20 17408 c:\windows\system32\dllcache\corpol.dll

+ 2010-03-05 14:37 . 2010-03-05 14:37 65536 c:\windows\system32\dllcache\asycfilt.dll

+ 2007-11-28 03:16 . 2010-06-21 22:04 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2007-11-28 03:16 . 2008-09-13 18:44 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2007-11-28 03:16 . 2010-06-21 22:04 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2007-11-28 03:16 . 2008-09-13 18:44 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2010-06-22 01:57 . 2010-06-21 22:04 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2007-11-28 03:16 . 2008-09-13 18:44 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2004-08-04 10:00 . 2010-03-05 14:37 65536 c:\windows\system32\asycfilt.dll

+ 2010-06-10 06:19 . 2010-06-10 06:19 87702 c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe

+ 2010-05-05 14:05 . 2010-05-05 14:05 94208 c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll

- 2008-05-14 19:55 . 2009-01-17 03:16 94208 c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll

+ 2010-04-29 10:11 . 2010-04-29 10:11 79488 c:\windows\system32\Adobe\Shockwave 11\gtapi.dll

+ 2010-05-05 14:38 . 2010-05-05 14:38 65816 c:\windows\system32\Adobe\Director\SWDNLD.EXE

+ 2009-12-22 04:09 . 2009-12-22 04:09 16832 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\ViewerPS.dll

+ 2009-12-22 09:57 . 2009-12-22 09:57 35760 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\reader_sl.exe

+ 2009-12-22 04:02 . 2009-12-22 04:02 79280 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\PDFPrevHndlr.dll

+ 2009-12-22 07:21 . 2009-12-22 07:21 99776 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\eula.exe

+ 2009-12-22 07:37 . 2009-12-22 07:37 27048 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrotextextractor.exe

+ 2009-12-22 02:39 . 2009-12-22 02:39 15288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32Info.exe

+ 2009-12-22 02:27 . 2009-12-22 02:27 75200 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acroiehelpershim.dll

+ 2009-12-22 02:27 . 2009-12-22 02:27 61888 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroIEHelper.dll

+ 2010-06-12 20:43 . 2010-03-11 12:38 44544 c:\windows\ie7updates\KB982381-IE7\pngfilt.dll

+ 2010-06-12 20:43 . 2010-03-11 12:38 52224 c:\windows\ie7updates\KB982381-IE7\msfeedsbs.dll

+ 2010-06-12 20:43 . 2010-03-11 12:38 27648 c:\windows\ie7updates\KB982381-IE7\jsproxy.dll

+ 2010-06-12 20:43 . 2010-03-10 13:18 13824 c:\windows\ie7updates\KB982381-IE7\ieudinit.exe

+ 2010-06-12 20:43 . 2010-03-11 12:38 44544 c:\windows\ie7updates\KB982381-IE7\iernonce.dll

+ 2010-06-12 20:44 . 2010-03-11 12:38 78336 c:\windows\ie7updates\KB982381-IE7\ieencode.dll

+ 2010-06-12 20:44 . 2010-03-10 13:18 70656 c:\windows\ie7updates\KB982381-IE7\ie4uinit.exe

+ 2010-06-12 20:44 . 2010-03-11 12:38 63488 c:\windows\ie7updates\KB982381-IE7\icardie.dll

+ 2010-06-12 20:44 . 2010-03-11 12:38 17408 c:\windows\ie7updates\KB982381-IE7\corpol.dll

+ 2010-05-05 14:07 . 2010-05-05 14:07 9216 c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll

- 2008-05-14 19:55 . 2009-01-17 03:17 9216 c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll

+ 2010-02-20 10:52 . 2010-02-20 10:52 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll

- 2010-01-26 05:18 . 2010-01-26 05:18 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll

+ 2004-08-04 10:00 . 2010-05-04 17:20 233472 c:\windows\system32\webcheck.dll

- 2004-08-04 10:00 . 2010-03-11 12:38 233472 c:\windows\system32\webcheck.dll

- 2004-08-04 10:00 . 2010-03-11 12:38 105984 c:\windows\system32\url.dll

+ 2004-08-04 10:00 . 2010-05-04 17:20 105984 c:\windows\system32\url.dll

+ 2003-01-05 05:09 . 2006-04-01 05:33 126976 c:\windows\system32\Prounstl.exe

+ 2004-08-04 10:00 . 2010-06-22 19:00 446154 c:\windows\system32\perfh009.dat

- 2004-08-04 10:00 . 2010-04-12 20:17 446154 c:\windows\system32\perfh009.dat

- 2004-08-04 10:00 . 2010-03-11 12:38 102912 c:\windows\system32\occache.dll

+ 2004-08-04 10:00 . 2010-05-04 17:20 102912 c:\windows\system32\occache.dll

+ 2006-03-04 03:33 . 2010-05-04 17:20 671232 c:\windows\system32\mstime.dll

- 2006-03-04 03:33 . 2010-03-11 12:38 671232 c:\windows\system32\mstime.dll

+ 2006-03-04 03:33 . 2010-05-04 17:20 193024 c:\windows\system32\msrating.dll

- 2006-03-04 03:33 . 2010-03-11 12:38 193024 c:\windows\system32\msrating.dll

+ 2006-03-04 03:33 . 2010-05-04 17:20 477696 c:\windows\system32\mshtmled.dll

- 2006-03-04 03:33 . 2010-03-11 12:38 477696 c:\windows\system32\mshtmled.dll

- 2007-08-14 02:54 . 2010-03-11 12:38 459264 c:\windows\system32\msfeeds.dll

+ 2007-08-14 02:54 . 2010-05-04 17:20 459264 c:\windows\system32\msfeeds.dll

+ 2010-04-29 10:10 . 2010-04-29 10:10 136568 c:\windows\system32\Macromed\Shockwave 10\SYMCCHECKER.DLL

- 2007-11-30 02:18 . 2008-03-15 06:21 180224 c:\windows\system32\Macromed\Shockwave 10\Proj.dll

+ 2010-04-29 10:10 . 2010-04-29 10:10 180224 c:\windows\system32\Macromed\Shockwave 10\Proj.dll

- 2007-11-30 02:18 . 2008-03-15 06:28 475136 c:\windows\system32\Macromed\Shockwave 10\PluginPing.dll

+ 2010-04-29 10:10 . 2010-04-29 10:10 475136 c:\windows\system32\Macromed\Shockwave 10\PluginPing.dll

+ 2010-04-29 10:10 . 2010-04-29 10:10 339968 c:\windows\system32\Macromed\Shockwave 10\Plugin.dll

- 2007-11-30 02:18 . 2008-03-15 06:28 339968 c:\windows\system32\Macromed\Shockwave 10\Plugin.dll

+ 2010-04-29 10:11 . 2010-04-29 10:11 606208 c:\windows\system32\Macromed\Shockwave 10\iml32X.dll

- 2008-05-15 18:19 . 2008-03-15 06:10 606208 c:\windows\system32\Macromed\Shockwave 10\iml32X.dll

+ 2010-04-29 10:10 . 2010-04-29 10:10 753152 c:\windows\system32\Macromed\Shockwave 10\gi.dll

+ 2010-04-29 10:10 . 2010-04-29 10:10 471040 c:\windows\system32\Macromed\Shockwave 10\Control.dll

- 2007-08-14 02:34 . 2010-03-11 12:38 268288 c:\windows\system32\iertutil.dll

+ 2007-08-14 02:34 . 2010-05-04 17:20 268288 c:\windows\system32\iertutil.dll

+ 2006-03-04 03:33 . 2010-05-04 17:20 192512 c:\windows\system32\iepeers.dll

- 2006-03-04 03:33 . 2010-03-11 12:38 192512 c:\windows\system32\iepeers.dll

- 2004-08-04 10:00 . 2010-03-11 12:38 385024 c:\windows\system32\iedkcs32.dll

+ 2004-08-04 10:00 . 2010-05-04 17:20 385024 c:\windows\system32\iedkcs32.dll

- 2007-07-11 20:27 . 2010-03-11 12:38 380928 c:\windows\system32\ieapfltr.dll

+ 2007-07-11 20:27 . 2010-05-04 17:20 380928 c:\windows\system32\ieapfltr.dll

+ 2004-08-04 10:00 . 2010-04-16 11:43 161792 c:\windows\system32\ieakui.dll

- 2004-08-04 10:00 . 2010-02-23 05:18 161792 c:\windows\system32\ieakui.dll

+ 2004-08-04 10:00 . 2010-05-04 17:20 230400 c:\windows\system32\ieaksie.dll

- 2004-08-04 10:00 . 2010-03-11 12:38 230400 c:\windows\system32\ieaksie.dll

- 2004-08-04 10:00 . 2010-03-11 12:38 153088 c:\windows\system32\ieakeng.dll

+ 2004-08-04 10:00 . 2010-05-04 17:20 153088 c:\windows\system32\ieakeng.dll

- 2007-11-27 18:49 . 2010-03-03 00:05 525568 c:\windows\system32\FNTCACHE.DAT

+ 2007-11-27 18:49 . 2010-06-12 23:48 525568 c:\windows\system32\FNTCACHE.DAT

+ 2006-03-04 03:33 . 2010-05-04 17:20 133120 c:\windows\system32\extmgr.dll

- 2006-03-04 03:33 . 2010-03-11 12:38 133120 c:\windows\system32\extmgr.dll

+ 2003-01-05 05:09 . 2006-04-01 05:33 163840 c:\windows\system32\e1000msg.dll

- 2006-03-04 03:33 . 2010-03-11 12:38 214528 c:\windows\system32\dxtrans.dll

+ 2006-03-04 03:33 . 2010-05-04 17:20 214528 c:\windows\system32\dxtrans.dll

- 2004-08-04 10:00 . 2010-03-11 12:38 347136 c:\windows\system32\dxtmsft.dll

+ 2004-08-04 10:00 . 2010-05-04 17:20 347136 c:\windows\system32\dxtmsft.dll

+ 2003-01-05 05:09 . 2006-04-01 05:33 177152 c:\windows\system32\drivers\e1000325.sys

- 2006-03-04 03:33 . 2010-03-11 12:38 832512 c:\windows\system32\dllcache\wininet.dll

+ 2006-03-04 03:33 . 2010-05-04 17:20 832512 c:\windows\system32\dllcache\wininet.dll

- 2004-08-04 10:00 . 2010-03-11 12:38 233472 c:\windows\system32\dllcache\webcheck.dll

+ 2004-08-04 10:00 . 2010-05-04 17:20 233472 c:\windows\system32\dllcache\webcheck.dll

- 2004-08-04 10:00 . 2010-03-11 12:38 105984 c:\windows\system32\dllcache\url.dll

+ 2004-08-04 10:00 . 2010-05-04 17:20 105984 c:\windows\system32\dllcache\url.dll

+ 2004-08-04 10:00 . 2010-05-04 17:20 102912 c:\windows\system32\dllcache\occache.dll

- 2004-08-04 10:00 . 2010-03-11 12:38 102912 c:\windows\system32\dllcache\occache.dll

- 2006-03-04 03:33 . 2010-03-11 12:38 671232 c:\windows\system32\dllcache\mstime.dll

+ 2006-03-04 03:33 . 2010-05-04 17:20 671232 c:\windows\system32\dllcache\mstime.dll

+ 2006-03-04 03:33 . 2010-05-04 17:20 193024 c:\windows\system32\dllcache\msrating.dll

- 2006-03-04 03:33 . 2010-03-11 12:38 193024 c:\windows\system32\dllcache\msrating.dll

+ 2006-03-04 03:33 . 2010-05-04 17:20 477696 c:\windows\system32\dllcache\mshtmled.dll

- 2006-03-04 03:33 . 2010-03-11 12:38 477696 c:\windows\system32\dllcache\mshtmled.dll

+ 2007-11-29 23:34 . 2010-05-04 17:20 459264 c:\windows\system32\dllcache\msfeeds.dll

- 2007-11-29 23:34 . 2010-03-11 12:38 459264 c:\windows\system32\dllcache\msfeeds.dll

+ 2007-11-28 03:02 . 2010-04-16 11:43 634656 c:\windows\system32\dllcache\iexplore.exe

- 2007-11-29 23:34 . 2010-03-11 12:38 268288 c:\windows\system32\dllcache\iertutil.dll

+ 2007-11-29 23:34 . 2010-05-04 17:20 268288 c:\windows\system32\dllcache\iertutil.dll

- 2006-03-04 03:33 . 2010-03-11 12:38 192512 c:\windows\system32\dllcache\iepeers.dll

+ 2006-03-04 03:33 . 2010-05-04 17:20 192512 c:\windows\system32\dllcache\iepeers.dll

+ 2004-08-04 10:00 . 2010-05-04 17:20 385024 c:\windows\system32\dllcache\iedkcs32.dll

- 2004-08-04 10:00 . 2010-03-11 12:38 385024 c:\windows\system32\dllcache\iedkcs32.dll

+ 2007-11-29 23:34 . 2010-05-04 17:20 380928 c:\windows\system32\dllcache\ieapfltr.dll

- 2007-11-29 23:34 . 2010-03-11 12:38 380928 c:\windows\system32\dllcache\ieapfltr.dll

+ 2004-08-04 10:00 . 2010-04-16 11:43 161792 c:\windows\system32\dllcache\ieakui.dll

- 2004-08-04 10:00 . 2010-02-23 05:18 161792 c:\windows\system32\dllcache\ieakui.dll

+ 2004-08-04 10:00 . 2010-05-04 17:20 230400 c:\windows\system32\dllcache\ieaksie.dll

- 2004-08-04 10:00 . 2010-03-11 12:38 230400 c:\windows\system32\dllcache\ieaksie.dll

+ 2004-08-04 10:00 . 2010-05-04 17:20 153088 c:\windows\system32\dllcache\ieakeng.dll

- 2004-08-04 10:00 . 2010-03-11 12:38 153088 c:\windows\system32\dllcache\ieakeng.dll

- 2006-03-04 03:33 . 2010-03-11 12:38 133120 c:\windows\system32\dllcache\extmgr.dll

+ 2006-03-04 03:33 . 2010-05-04 17:20 133120 c:\windows\system32\dllcache\extmgr.dll

+ 2006-03-04 03:33 . 2010-05-04 17:20 214528 c:\windows\system32\dllcache\dxtrans.dll

- 2006-03-04 03:33 . 2010-03-11 12:38 214528 c:\windows\system32\dllcache\dxtrans.dll

- 2004-08-04 10:00 . 2010-03-11 12:38 347136 c:\windows\system32\dllcache\dxtmsft.dll

+ 2004-08-04 10:00 . 2010-05-04 17:20 347136 c:\windows\system32\dllcache\dxtmsft.dll

+ 2010-04-20 05:30 . 2010-04-20 05:30 285696 c:\windows\system32\dllcache\atmfd.dll

+ 2007-11-28 03:48 . 2008-04-13 16:39 142592 c:\windows\system32\dllcache\aec.sys

- 2004-08-04 10:00 . 2010-03-11 12:38 124928 c:\windows\system32\dllcache\advpack.dll

+ 2004-08-04 10:00 . 2010-05-04 17:20 124928 c:\windows\system32\dllcache\advpack.dll

- 2004-08-04 10:00 . 2010-03-11 12:38 124928 c:\windows\system32\advpack.dll

+ 2004-08-04 10:00 . 2010-05-04 17:20 124928 c:\windows\system32\advpack.dll

+ 2010-04-29 10:11 . 2010-04-29 10:11 136568 c:\windows\system32\Adobe\Shockwave 11\SYMCCHECKER.DLL

- 2008-05-14 19:55 . 2009-01-17 03:16 114688 c:\windows\system32\Adobe\Shockwave 11\SwInit.exe

+ 2010-05-05 14:05 . 2010-05-05 14:05 114688 c:\windows\system32\Adobe\Shockwave 11\SwInit.exe

+ 2010-05-05 14:36 . 2010-05-05 14:36 467224 c:\windows\system32\Adobe\Shockwave 11\SwHelper_1157609.exe

- 2008-05-14 19:55 . 2009-01-17 03:18 446464 c:\windows\system32\Adobe\Shockwave 11\Proj.dll

+ 2010-05-05 14:08 . 2010-05-05 14:08 446464 c:\windows\system32\Adobe\Shockwave 11\Proj.dll

+ 2010-05-05 14:06 . 2010-05-05 14:06 372736 c:\windows\system32\Adobe\Shockwave 11\Plugin.dll

+ 2010-04-29 10:11 . 2010-04-29 10:11 753152 c:\windows\system32\Adobe\Shockwave 11\gi.dll

+ 2010-05-05 14:05 . 2010-05-05 14:05 503808 c:\windows\system32\Adobe\Shockwave 11\Control.dll

+ 2010-05-05 14:37 . 2010-05-05 14:37 213272 c:\windows\system32\Adobe\Director\SwDir.dll

+ 2010-05-05 14:07 . 2010-05-05 14:07 131072 c:\windows\system32\Adobe\Director\np32dsw.dll

+ 2009-12-22 02:35 . 2009-12-22 02:35 378264 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\pdfshell.dll

+ 2009-12-22 04:05 . 2009-12-22 04:05 116168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\PDFPrevHndlrShim.exe

+ 2009-12-22 02:34 . 2009-12-22 02:34 103864 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\nppdf32.dll

+ 2009-11-10 03:18 . 2009-11-10 03:18 684032 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\JP2KLib.dll

+ 2009-12-22 04:02 . 2009-12-22 04:02 542168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AdobeCollabSync.exe

+ 2009-12-22 02:43 . 2009-12-22 02:43 120240 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRdIF.dll

+ 2009-12-22 09:57 . 2009-12-22 09:57 349616 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32.exe

+ 2009-12-22 02:15 . 2009-12-22 02:15 660912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroPDF.dll

+ 2009-12-22 03:32 . 2009-12-22 03:32 280024 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrobroker.exe

+ 2009-12-22 03:15 . 2009-12-22 03:15 251296 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\a3dutility.exe

+ 2010-06-12 20:43 . 2010-03-11 12:38 832512 c:\windows\ie7updates\KB982381-IE7\wininet.dll

+ 2010-06-12 20:43 . 2010-03-11 12:38 233472 c:\windows\ie7updates\KB982381-IE7\webcheck.dll

+ 2010-06-12 20:43 . 2010-03-11 12:38 105984 c:\windows\ie7updates\KB982381-IE7\url.dll

+ 2010-06-12 20:44 . 2009-05-26 11:40 382840 c:\windows\ie7updates\KB982381-IE7\spuninst\updspapi.dll

+ 2010-06-12 20:44 . 2008-07-08 13:02 231288 c:\windows\ie7updates\KB982381-IE7\spuninst\spuninst.exe

+ 2010-06-12 20:43 . 2010-03-11 12:38 102912 c:\windows\ie7updates\KB982381-IE7\occache.dll

+ 2010-06-12 20:43 . 2010-03-11 12:38 671232 c:\windows\ie7updates\KB982381-IE7\mstime.dll

+ 2010-06-12 20:43 . 2010-03-11 12:38 193024 c:\windows\ie7updates\KB982381-IE7\msrating.dll

+ 2010-06-12 20:43 . 2010-03-11 12:38 477696 c:\windows\ie7updates\KB982381-IE7\mshtmled.dll

+ 2010-06-12 20:43 . 2010-03-11 12:38 459264 c:\windows\ie7updates\KB982381-IE7\msfeeds.dll

+ 2010-06-12 20:44 . 2010-02-23 05:20 634648 c:\windows\ie7updates\KB982381-IE7\iexplore.exe

+ 2010-06-12 20:43 . 2010-03-11 12:38 268288 c:\windows\ie7updates\KB982381-IE7\iertutil.dll

+ 2010-06-12 20:43 . 2010-03-11 12:38 192512 c:\windows\ie7updates\KB982381-IE7\iepeers.dll

+ 2010-06-12 20:44 . 2010-03-11 12:38 385024 c:\windows\ie7updates\KB982381-IE7\iedkcs32.dll

+ 2010-06-12 20:44 . 2010-03-11 12:38 380928 c:\windows\ie7updates\KB982381-IE7\ieapfltr.dll

+ 2010-06-12 20:44 . 2010-02-23 05:18 161792 c:\windows\ie7updates\KB982381-IE7\ieakui.dll

+ 2010-06-12 20:44 . 2010-03-11 12:38 230400 c:\windows\ie7updates\KB982381-IE7\ieaksie.dll

+ 2010-06-12 20:44 . 2010-03-11 12:38 153088 c:\windows\ie7updates\KB982381-IE7\ieakeng.dll

+ 2010-06-12 20:44 . 2010-03-11 12:38 133120 c:\windows\ie7updates\KB982381-IE7\extmgr.dll

+ 2010-06-12 20:44 . 2010-03-11 12:38 214528 c:\windows\ie7updates\KB982381-IE7\dxtrans.dll

+ 2010-06-12 20:44 . 2010-03-11 12:38 347136 c:\windows\ie7updates\KB982381-IE7\dxtmsft.dll

+ 2010-06-12 20:44 . 2010-03-11 12:38 124928 c:\windows\ie7updates\KB982381-IE7\advpack.dll

+ 2010-02-20 10:53 . 2010-02-20 10:53 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll

- 2010-01-26 05:18 . 2010-01-26 05:18 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll

- 2010-01-26 05:18 . 2010-01-26 05:18 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll

+ 2010-02-20 10:53 . 2010-02-20 10:53 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll

+ 2004-08-04 10:00 . 2010-04-06 11:52 2462720 c:\windows\system32\WMVCore.dll

+ 2006-03-18 11:09 . 2010-05-04 17:20 1168384 c:\windows\system32\urlmon.dll

- 2006-03-18 11:09 . 2010-03-11 12:38 1168384 c:\windows\system32\urlmon.dll

+ 2007-12-07 05:43 . 2010-06-13 19:41 2083000 c:\windows\system32\Restore\rstrlog.dat

+ 2004-08-04 10:00 . 2010-02-05 18:27 1291776 c:\windows\system32\quartz.dll

- 2004-08-04 10:00 . 2009-11-27 17:11 1291776 c:\windows\system32\quartz.dll

+ 2006-03-23 17:32 . 2010-05-04 17:20 3600384 c:\windows\system32\mshtml.dll

+ 2010-04-29 10:10 . 2010-04-29 10:10 1975408 c:\windows\system32\Macromed\Shockwave 10\gt.exe

- 2008-05-15 18:19 . 2008-03-15 06:12 1490944 c:\windows\system32\Macromed\Shockwave 10\dirapiX.dll

+ 2010-04-29 10:11 . 2010-04-29 10:11 1490944 c:\windows\system32\Macromed\Shockwave 10\dirapiX.dll

- 2007-08-14 02:54 . 2010-03-11 12:38 6067200 c:\windows\system32\ieframe.dll

+ 2007-08-14 02:54 . 2010-05-04 17:20 6067200 c:\windows\system32\ieframe.dll

+ 2004-08-04 10:00 . 2010-04-06 11:52 2462720 c:\windows\system32\dllcache\WMVCore.dll

+ 2008-10-14 17:15 . 2010-05-02 05:22 1851264 c:\windows\system32\dllcache\win32k.sys

- 2006-03-18 11:09 . 2010-03-11 12:38 1168384 c:\windows\system32\dllcache\urlmon.dll

+ 2006-03-18 11:09 . 2010-05-04 17:20 1168384 c:\windows\system32\dllcache\urlmon.dll

- 2008-05-07 05:12 . 2009-11-27 17:11 1291776 c:\windows\system32\dllcache\quartz.dll

+ 2008-05-07 05:12 . 2010-02-05 18:27 1291776 c:\windows\system32\dllcache\quartz.dll

+ 2006-03-23 17:32 . 2010-05-04 17:20 3600384 c:\windows\system32\dllcache\mshtml.dll

- 2007-11-29 23:34 . 2010-03-11 12:38 6067200 c:\windows\system32\dllcache\ieframe.dll

+ 2007-11-29 23:34 . 2010-05-04 17:20 6067200 c:\windows\system32\dllcache\ieframe.dll

+ 2010-05-05 13:40 . 2010-05-05 13:40 1011712 c:\windows\system32\Adobe\Shockwave 11\iml32.dll

+ 2010-04-29 10:11 . 2010-04-29 10:11 1975408 c:\windows\system32\Adobe\Shockwave 11\gt.exe

+ 2010-05-05 13:44 . 2010-05-05 13:44 1798144 c:\windows\system32\Adobe\Shockwave 11\dirapi.dll

- 2008-05-14 19:55 . 2009-01-17 02:58 1798144 c:\windows\system32\Adobe\Shockwave 11\dirapi.dll

+ 2010-06-09 00:44 . 2010-06-09 00:44 3940352 c:\windows\Installer\de7c90d.msi

+ 2009-12-22 02:29 . 2009-12-22 02:29 2409880 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\rt3d.dll

+ 2009-10-28 04:34 . 2009-10-28 04:34 5009408 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\authplay.dll

+ 2009-12-22 07:31 . 2009-12-22 07:31 5713920 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AGM.dll

+ 2010-06-12 20:43 . 2010-03-11 12:38 1168384 c:\windows\ie7updates\KB982381-IE7\urlmon.dll

+ 2010-06-12 20:43 . 2010-03-11 12:38 3599872 c:\windows\ie7updates\KB982381-IE7\mshtml.dll

+ 2010-06-12 20:43 . 2010-03-11 12:38 6067200 c:\windows\ie7updates\KB982381-IE7\ieframe.dll

+ 2007-11-29 02:26 . 2010-05-28 19:37 32472008 c:\windows\system32\MRT.exe

+ 2010-04-04 06:54 . 2010-04-04 06:54 11850240 c:\windows\Installer\de7c90e.msp

+ 2009-12-22 07:21 . 2009-12-22 07:21 20436408 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3017FB3E-9A77-4396-88C5-0EC9548FB42F}]

2010-06-16 21:11 2447360 ----a-w- c:\program files\SpeedBit Video Downloader\Toolbar\tbcore3.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{389943B0-C3A2-4E69-82CB-8596A84CB3DC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StacSysTray"="c:\program files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe" [2004-04-29 102400]

"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-05 856064]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

IEEE 802.11g USB Wireless LAN Utility.lnk - c:\program files\Wireless LAN\WLanUtil.exe [2007-11-27 393216]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rob^Start Menu^Programs^Startup^MagicDisc.lnk]

path=c:\documents and settings\Rob\Start Menu\Programs\Startup\MagicDisc.lnk

backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]

2005-04-05 02:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]

2005-09-08 13:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

2007-03-29 22:41 222128 ----a-w- c:\documents and settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]

2003-12-17 17:50 19968 ------w- c:\windows\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]

2009-09-26 07:31 185640 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-09-05 08:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

2009-03-05 23:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2007-11-30 06:12 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wben]

2009-06-25 21:30 338456 ----a-w- c:\program files\Starfield\Desktop Notifier\wben.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=

"c:\\Program Files\\Halo\\halo.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=

"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]

S0 efyosqni;efyosqni; [x]

S2 SigService;Sigmatel Service;c:\program files\SigmaTel\C-Major Audio\ControlPanel\sigservice.exe [11/27/2007 8:49 PM 81920]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/11/2008 4:37 PM 38224]

S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;c:\windows\system32\drivers\mr97310v.sys [3/30/2004 11:29 AM 118106]

S3 pnicml;pnicml;\??\c:\docume~1\Rob\LOCALS~1\Temp\pnicml.sys --> c:\docume~1\Rob\LOCALS~1\Temp\pnicml.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-06-22 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 23:07]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

IE: &Clean Traces - c:\program files\Download Accelerator Plus\Privacy Package\dapcleanerie.htm

IE: &Download with &DAP - c:\program files\Download Accelerator Plus\dapextie.htm

IE: Download &all with DAP - c:\program files\Download Accelerator Plus\dapextie2.htm

IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

DPF: Web-Based Email Tools - hxxps://email.secureserver.net/Download.CAB

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uficofezipahal - c:\windows\mdshol.dll

HKLM-Run-skb - gyuuv.dll

HKLM-Run-MChk - c:\windows\system32\tyuuv.exe

HKLM-Run-Fbijijamehigatag - c:\windows\ijasudevibeb.dll

AddRemove-$NtUninstallMTF1011$ - c:\windows\$NtUninstallMTF1011$\apUninstall.exe

AddRemove-$NtUninstallWTF1012$ - c:\program files\$NtUninstallWTF1012$\elUninstall.exe

AddRemove-vcxyvcobktfktq - c:\windows\system32\vcxyvcobktfktq.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-22 12:23

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86EAEEC5]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf7605f28

\Driver\ACPI -> ACPI.sys @ 0xf7558cb8

\Driver\atapi -> atapi.sys @ 0xf74cc852

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a

ParseProcedure -> ntoskrnl.exe @ 0x80578f7a

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a

ParseProcedure -> ntoskrnl.exe @ 0x80578f7a

NDIS: Wireless-G PCI Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7397bb0

PacketIndicateHandler -> NDIS.sys @ 0xf73a4a21

SendHandler -> NDIS.sys @ 0xf738287b

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:c0,e0,d6,b4,b9,a1,21,c7,f5,b5,bc,c5,9c,55,e8,60,9d,3f,ce,d0,10,24,71,

30,0a,f7,e7,0c,f5,a5,a1,d0,da,3d,75,c8,97,9d,91,8a,77,88,6e,b4,6a,66,9c,b3,\

"??"=hex:59,52,4d,96,40,27,6e,8f,7c,35,3d,81,cd,0f,89,4c

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\SecuROM\License information*]

"datasecu"=hex:c2,1e,91,d7,9c,ef,c0,ad,7f,a9,be,b9,ef,ec,85,23,86,18,f1,f2,41,

6c,29,51,55,a2,cd,23,74,8d,c0,a9,68,0c,02,cf,15,85,69,26,eb,9d,4f,2c,a3,09,\

"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1016)

c:\windows\system32\WININET.dll

.

Completion time: 2010-06-22 12:27:02

ComboFix-quarantined-files.txt 2010-06-22 19:26

ComboFix2.txt 2010-05-12 22:39

Pre-Run: 11,507,937,280 bytes free

Post-Run: 12,893,736,960 bytes free

- - End Of File - - 0284832B0AF40731C65C844CAAC7F227

Here is the MBAM log from running a complete scan right after the ComboFix. MBAM still found two reg keys to delete. The G: drive results are false positives.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4184

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

6/22/2010 3:28:41 PM

mbam-log-2010-06-22 (15-28-41).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|U:\|)

Objects scanned: 342029

Time elapsed: 1 hour(s), 11 minute(s), 55 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

G:\

G:\

G:\

What should I do now? Is it true that the PRO version of MBAM would have prevented this virus from even loading in the first place?

Thanks, again.


Hi, Elise.

A quick update. My computer is still showing infected files and still has the pop-ups and re-directs. As you can see from the ComboFix log below, I am not able to get the Microsoft Recovery Console to download when ComboFix attempts it. My ERROR states, "Boot Partition cannot be enumerated correctly."

Is there another way to get that or another program which may fix this virus?

Thanks.

ComboFix Log:

ComboFix 10-06-22.02 - Rob 06/22/2010 22:53:23.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.626 [GMT -7:00]

Running from: c:\documents and settings\Rob\Desktop\ComboFix.exe

FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

Infected copy of c:\windows\system32\drivers\ACPIEC.sys was found and disinfected

Restored copy from - Kitty had a snack :welcome:

.

((((((((((((((((((((((((( Files Created from 2010-05-23 to 2010-06-23 )))))))))))))))))))))))))))))))

.

2010-06-22 01:57 . 2010-06-22 01:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-06-19 04:17 . 2010-06-22 01:57 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-19 03:12 . 2010-06-21 07:29 0 ----a-w- c:\windows\Rxesalifipulukel.bin

2010-06-19 03:12 . 2010-06-22 02:39 120 ----a-w- c:\windows\Jqoqokezezocohof.dat

2010-06-19 03:10 . 2010-06-19 05:12 -------- d-----w- c:\documents and settings\Rob\Local Settings\Application Data\ibyavpydp

2010-06-17 01:01 . 2010-06-17 01:01 95744 ----a-w- c:\documents and settings\All Users\Application Data\SpeedBit\DAP\SDCondition.dll

2010-06-17 00:33 . 2010-06-17 00:33 -------- d-----w- c:\documents and settings\Rob\Application Data\Free AVI MPEG WMV MP4 FLV Video Joiner

2010-06-16 23:10 . 2010-06-16 23:10 3509272 ----a-w- c:\documents and settings\All Users\Application Data\SpeedBit\DAP\Offers\VA31_DapSo.exe

2010-06-16 21:11 . 2010-06-16 23:11 -------- d-----w- c:\program files\Download Accelerator Plus

2010-06-16 21:11 . 2010-06-16 21:11 -------- d-----w- c:\documents and settings\Rob\Application Data\Toolbar4

2010-06-16 21:11 . 2010-06-16 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedBit

2010-06-16 21:11 . 2010-06-16 21:11 -------- d-----w- c:\program files\SearchPredict

2010-06-16 21:11 . 2010-06-16 21:11 -------- d-----w- c:\program files\SpeedBit Video Downloader

2010-06-14 00:54 . 2010-06-14 00:54 -------- d-----w- c:\program files\StreamTransport

2010-06-13 21:45 . 2010-06-13 21:45 -------- d-----w- c:\documents and settings\Rob\Application Data\Moyea

2010-06-13 19:41 . 2010-06-13 19:41 -------- d-----w- C:\tmpDownload

2010-06-13 19:41 . 2010-06-13 19:41 -------- d-----w- C:\Download

2010-06-13 19:41 . 2010-06-13 19:41 -------- d-----w- c:\documents and settings\Rob\Local Settings\Application Data\PCHealth

2010-06-13 06:32 . 2010-06-14 00:53 -------- d-----w- c:\program files\YouTube Music Downloader

2010-06-13 06:24 . 2010-06-13 22:09 -------- d-----w- c:\program files\Hulu Downloader

2010-06-06 07:53 . 2010-06-06 07:53 -------- d-----w- c:\program files\DVDFab 7

2010-06-04 20:03 . 2010-06-04 20:03 -------- d-----w- c:\program files\Common Files\SourceTec

2010-06-04 20:03 . 2010-06-04 20:03 14699 ----a-w- c:\windows\unins000.dat

2010-06-04 20:03 . 2010-06-04 20:02 695642 ----a-w- c:\windows\unins000.exe

2010-06-04 18:25 . 2010-06-04 18:26 -------- d-----w- c:\program files\SWF Picture Extractor

2010-06-03 23:21 . 2010-06-12 20:56 -------- d-sh--w- c:\windows\Installer

2010-05-24 16:31 . 2010-05-24 16:31 40633 ----a-w- c:\windows\system32\uxvaloyi.exe

2010-05-24 16:05 . 2010-05-24 16:04 1145856 ----a-w- C:\Winphlash1656.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-20 07:13 . 2009-09-16 03:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-06-17 21:44 . 2009-02-15 23:08 -------- d-----w- c:\program files\Vuze

2010-06-17 21:41 . 2009-02-15 23:09 -------- d-----w- c:\documents and settings\Rob\Application Data\Azureus

2010-06-14 06:39 . 2010-04-17 04:21 -------- d-----w- c:\documents and settings\Rob\Application Data\Vso

2010-06-14 06:27 . 2010-04-18 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk

2010-06-13 20:00 . 2010-03-07 02:41 -------- d-----w- c:\program files\Advanced SystemCare 3

2010-06-13 05:24 . 2010-03-19 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink

2010-06-09 20:11 . 2010-03-03 23:47 -------- d-----w- c:\documents and settings\Rob\Application Data\ImgBurn

2010-05-19 20:36 . 2008-08-11 12:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-05-12 23:23 . 2008-08-11 23:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-12 18:30 . 2008-10-28 20:07 -------- d-----w- c:\documents and settings\Rob\Application Data\U3

2010-05-12 00:23 . 2010-05-11 23:25 -------- d-----w- c:\program files\CaptureFlash

2010-05-10 06:26 . 2010-04-17 23:47 -------- d-----w- c:\program files\ConvertXtoDVD

2010-05-09 04:22 . 2010-05-09 02:52 -------- d-----w- c:\program files\Spyware Doctor

2010-05-09 03:47 . 2009-12-17 23:06 -------- d-----w- c:\program files\NOS

2010-05-09 03:10 . 2010-05-09 02:52 -------- d-----w- c:\program files\Common Files\PC Tools

2010-05-04 17:20 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2004-08-04 10:00 17408 ------w- c:\windows\system32\corpol.dll

2010-05-02 05:22 . 2004-08-04 10:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-30 22:40 . 2009-12-17 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-04-30 22:36 . 2010-04-30 22:36 1956656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe

2010-04-29 22:39 . 2008-08-11 23:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39 . 2008-08-11 23:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-20 05:30 . 2004-08-04 10:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-19 01:02 . 2010-04-19 01:02 466136 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-04-17 23:47 . 2010-04-17 23:47 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys

2010-04-17 23:47 . 2010-04-17 23:47 47360 ----a-w- c:\documents and settings\Rob\Application Data\pcouffin.sys

2010-04-17 23:47 . 2010-04-17 23:47 47360 ----a-w- c:\documents and settings\Rob\Application Data\pcouffin.sys

2010-04-16 23:25 . 2010-04-16 23:22 90112 ----a-w- c:\windows\system32\videoul.tmp

.

((((((((((((((((((((((((((((( SnapShot_2010-06-22_19.23.28 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-06-23 05:51 . 2010-06-23 05:51 16384 c:\windows\temp\Perflib_Perfdata_67c.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3017FB3E-9A77-4396-88C5-0EC9548FB42F}]

2010-06-16 21:11 2447360 ----a-w- c:\program files\SpeedBit Video Downloader\Toolbar\tbcore3.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{389943B0-C3A2-4E69-82CB-8596A84CB3DC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StacSysTray"="c:\program files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe" [2004-04-29 102400]

"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-05 856064]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

IEEE 802.11g USB Wireless LAN Utility.lnk - c:\program files\Wireless LAN\WLanUtil.exe [2007-11-27 393216]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rob^Start Menu^Programs^Startup^MagicDisc.lnk]

path=c:\documents and settings\Rob\Start Menu\Programs\Startup\MagicDisc.lnk

backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]

2005-04-05 02:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]

2005-09-08 13:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

2007-03-29 22:41 222128 ----a-w- c:\documents and settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]

2003-12-17 17:50 19968 ------w- c:\windows\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]

2009-09-26 07:31 185640 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-09-05 08:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

2009-03-05 23:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2007-11-30 06:12 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wben]

2009-06-25 21:30 338456 ----a-w- c:\program files\Starfield\Desktop Notifier\wben.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=

"c:\\Program Files\\Halo\\halo.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=

"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]

S0 efyosqni;efyosqni; [x]

S2 SigService;Sigmatel Service;c:\program files\SigmaTel\C-Major Audio\ControlPanel\sigservice.exe [11/27/2007 8:49 PM 81920]

S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;c:\windows\system32\drivers\mr97310v.sys [3/30/2004 11:29 AM 118106]

S3 pnicml;pnicml;\??\c:\docume~1\Rob\LOCALS~1\Temp\pnicml.sys --> c:\docume~1\Rob\LOCALS~1\Temp\pnicml.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-06-23 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 23:07]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

IE: &Clean Traces - c:\program files\Download Accelerator Plus\Privacy Package\dapcleanerie.htm

IE: &Download with &DAP - c:\program files\Download Accelerator Plus\dapextie.htm

IE: Download &all with DAP - c:\program files\Download Accelerator Plus\dapextie2.htm

IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

DPF: Web-Based Email Tools - hxxps://email.secureserver.net/Download.CAB

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-22 23:02

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86ED2EC5]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf7605f28

\Driver\ACPI -> ACPI.sys @ 0xf7558cb8

\Driver\atapi -> atapi.sys @ 0xf74cc852

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a

ParseProcedure -> ntoskrnl.exe @ 0x80578f7a

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a

ParseProcedure -> ntoskrnl.exe @ 0x80578f7a

NDIS: Wireless-G PCI Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7397bb0

PacketIndicateHandler -> NDIS.sys @ 0xf73a4a21

SendHandler -> NDIS.sys @ 0xf738287b

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:c0,e0,d6,b4,b9,a1,21,c7,f5,b5,bc,c5,9c,55,e8,60,9d,3f,ce,d0,10,24,71,

30,0a,f7,e7,0c,f5,a5,a1,d0,da,3d,75,c8,97,9d,91,8a,77,88,6e,b4,6a,66,9c,b3,\

"??"=hex:59,52,4d,96,40,27,6e,8f,7c,35,3d,81,cd,0f,89,4c

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\SecuROM\License information*]

"datasecu"=hex:c2,1e,91,d7,9c,ef,c0,ad,7f,a9,be,b9,ef,ec,85,23,86,18,f1,f2,41,

6c,29,51,55,a2,cd,23,74,8d,c0,a9,68,0c,02,cf,15,85,69,26,eb,9d,4f,2c,a3,09,\

"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(944)

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1004)

c:\windows\system32\WININET.dll

.

Completion time: 2010-06-22 23:06:56

ComboFix-quarantined-files.txt 2010-06-23 06:06

ComboFix2.txt 2010-06-23 04:35

ComboFix3.txt 2010-06-22 19:27

ComboFix4.txt 2010-05-12 22:39

Pre-Run: 12,949,643,264 bytes free

Post-Run: 12,929,908,736 bytes free

- - End Of File - - 18242EB936DDE5CF1B6C5CC42B281C51


Hello again,

The recovery console does not help removing the malware; it provides a safety option in case something goes wrong. For now, let's try the following. When done, let me know how things are.

  • Please download TDSSKiller.zip and save it to your desktop.
  • Extract the zip file to your desktop (important, before continuing, make sure the file is located on your desktop, otherwise the following steps will not work!). Do NOT run the file yet!
  • Click Start > Run and copy paste the following bolded text in the run box
    "%userprofile%\desktop\tdsskiller.exe" -l report.txt
  • When it has finished, press any key to continue.
  • If needed, reboot the computer.

A logfile (report.txt) will be created on your desktop. Please post its contents in your next reply.


I followed your steps using TDSSKiller. It appears to have finally gotten rid of the virus that was still hiding in C:\windows\system32\DRIVERS\ACPIEC.sys. (MBAM shows no virus anymore.)

Here is the TDSS report:

14:50:26:421 3428 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48

14:50:26:421 3428 ================================================================================

14:50:26:421 3428 SystemInfo:

14:50:26:421 3428 OS Version: 5.1.2600 ServicePack: 3.0

14:50:26:421 3428 Product type: Workstation

14:50:26:421 3428 ComputerName: ROB-CCA219EB460

14:50:26:421 3428 UserName: Rob

14:50:26:421 3428 Windows directory: C:\windows

14:50:26:421 3428 Processor architecture: Intel x86

14:50:26:421 3428 Number of processors: 2

14:50:26:421 3428 Page size: 0x1000

14:50:26:437 3428 Boot type: Normal boot

14:50:26:437 3428 ================================================================================

14:50:26:703 3428 Initialize success

14:50:26:703 3428

14:50:26:703 3428 Scanning Services ...

14:50:27:125 3428 Raw services enum returned 371 services

14:50:27:140 3428

14:50:27:140 3428 Scanning Drivers ...

14:50:27:953 3428 ACPI (8fd99680a539792a30e97944fdaecf17) C:\windows\system32\DRIVERS\ACPI.sys

14:50:27:968 3428 ACPIEC (7900dec32fad1236c0289d8d5df040df) C:\windows\system32\DRIVERS\ACPIEC.sys

14:50:27:968 3428 Suspicious file (Forged): C:\windows\system32\DRIVERS\ACPIEC.sys. Real md5: 7900dec32fad1236c0289d8d5df040df, Fake md5: 9859c0f6936e723e4892d7141b1327d5

14:50:27:968 3428 File "C:\windows\system32\DRIVERS\ACPIEC.sys" infected by TDSS rootkit ...

14:50:28:500 3428 Backup copy found, using it..

14:50:28:515 3428 will be cured on next reboot

14:50:28:578 3428 aec (8bed39e3c35d6a489438b8141717a557) C:\windows\system32\drivers\aec.sys

14:50:28:640 3428 AFD (7e775010ef291da96ad17ca4b17137d7) C:\windows\System32\drivers\afd.sys

14:50:28:734 3428 AgereSoftModem (ec1896777c4096be6274c1e11466015f) C:\windows\system32\DRIVERS\AGRSM.sys

14:50:28:781 3428 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\windows\system32\DRIVERS\agp440.sys

14:50:28:875 3428 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\windows\system32\DRIVERS\arp1394.sys

14:50:28:953 3428 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\windows\system32\DRIVERS\asyncmac.sys

14:50:29:015 3428 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\windows\system32\DRIVERS\atapi.sys

14:50:29:093 3428 ati2mtag (99f6db087497f55d5f8d971f7689f054) C:\windows\system32\DRIVERS\ati2mtag.sys

14:50:29:171 3428 Atmarpc (9916c1225104ba14794209cfa8012159) C:\windows\system32\DRIVERS\atmarpc.sys

14:50:29:203 3428 audstub (d9f724aa26c010a217c97606b160ed68) C:\windows\system32\DRIVERS\audstub.sys

14:50:29:234 3428 BCM43XX (38ca1443660d0f5f06887c6a2e692aeb) C:\windows\system32\DRIVERS\bcmwl5.sys

14:50:29:250 3428 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\windows\system32\drivers\Beep.sys

14:50:29:343 3428 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\windows\system32\drivers\cbidf2k.sys

14:50:29:359 3428 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\windows\system32\DRIVERS\CCDECODE.sys

14:50:29:390 3428 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\windows\system32\drivers\Cdaudio.sys

14:50:29:406 3428 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\windows\system32\drivers\Cdfs.sys

14:50:29:484 3428 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\windows\system32\DRIVERS\cdrom.sys

14:50:29:500 3428 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\windows\system32\drivers\cercsr6.sys

14:50:29:546 3428 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\windows\system32\DRIVERS\CmBatt.sys

14:50:29:609 3428 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\windows\system32\DRIVERS\compbatt.sys

14:50:29:687 3428 Disk (044452051f3e02e7963599fc8f4f3e25) C:\windows\system32\DRIVERS\disk.sys

14:50:29:734 3428 DLABOIOM (e2d0de31442390c35e3163c87cb6a9eb) C:\windows\system32\DLA\DLABOIOM.SYS

14:50:29:765 3428 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\windows\system32\Drivers\DLACDBHM.SYS

14:50:29:796 3428 DLADResN (83545593e297f50a8e2524b4c071a153) C:\windows\system32\DLA\DLADResN.SYS

14:50:29:796 3428 DLAIFS_M (96e01d901cdc98c7817155cc057001bf) C:\windows\system32\DLA\DLAIFS_M.SYS

14:50:29:812 3428 DLAOPIOM (0a60a39cc5e767980a31ca5d7238dfa9) C:\windows\system32\DLA\DLAOPIOM.SYS

14:50:29:828 3428 DLAPoolM (9fe2b72558fc808357f427fd83314375) C:\windows\system32\DLA\DLAPoolM.SYS

14:50:29:875 3428 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\windows\system32\Drivers\DLARTL_N.SYS

14:50:29:890 3428 DLAUDFAM (f08e1dafac457893399e03430a6a1397) C:\windows\system32\DLA\DLAUDFAM.SYS

14:50:29:906 3428 DLAUDF_M (e7d105ed1e694449d444a9933df8e060) C:\windows\system32\DLA\DLAUDF_M.SYS

14:50:29:953 3428 dmboot (d992fe1274bde0f84ad826acae022a41) C:\windows\system32\drivers\dmboot.sys

14:50:30:062 3428 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\windows\system32\drivers\dmio.sys

14:50:30:109 3428 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\windows\system32\drivers\dmload.sys

14:50:30:140 3428 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\windows\system32\drivers\DMusic.sys

14:50:30:156 3428 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\windows\system32\drivers\drmkaud.sys

14:50:30:218 3428 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\windows\system32\Drivers\DRVMCDB.SYS

14:50:30:234 3428 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\windows\system32\Drivers\DRVNDDM.SYS

14:50:30:281 3428 E1000 (de5d0ccce14b774d4de68e44c0d6d980) C:\windows\system32\DRIVERS\e1000325.sys

14:50:30:343 3428 Fastfat (38d332a6d56af32635675f132548343e) C:\windows\system32\drivers\Fastfat.sys

14:50:30:375 3428 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\windows\system32\DRIVERS\fdc.sys

14:50:30:406 3428 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\windows\system32\drivers\Fips.sys

14:50:30:421 3428 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\windows\system32\drivers\Flpydisk.sys

14:50:30:484 3428 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\windows\system32\drivers\fltmgr.sys

14:50:30:500 3428 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\windows\system32\drivers\Fs_Rec.sys

14:50:30:562 3428 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\windows\system32\DRIVERS\ftdisk.sys

14:50:30:578 3428 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\windows\system32\DRIVERS\GEARAspiWDM.sys

14:50:30:625 3428 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\windows\system32\DRIVERS\msgpc.sys

14:50:30:640 3428 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\windows\system32\DRIVERS\hidusb.sys

14:50:30:687 3428 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\windows\system32\Drivers\HTTP.sys

14:50:30:750 3428 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\windows\system32\DRIVERS\i8042prt.sys

14:50:30:796 3428 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\windows\system32\DRIVERS\imapi.sys

14:50:30:843 3428 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\windows\system32\DRIVERS\intelide.sys

14:50:30:859 3428 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\windows\system32\DRIVERS\intelppm.sys

14:50:30:906 3428 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\windows\system32\drivers\ip6fw.sys

14:50:30:921 3428 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\windows\system32\DRIVERS\ipfltdrv.sys

14:50:30:937 3428 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\windows\system32\DRIVERS\ipinip.sys

14:50:30:984 3428 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\windows\system32\DRIVERS\ipnat.sys

14:50:31:015 3428 IPSec (23c74d75e36e7158768dd63d92789a91) C:\windows\system32\DRIVERS\ipsec.sys

14:50:31:046 3428 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\windows\system32\DRIVERS\irenum.sys

14:50:31:093 3428 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\windows\system32\DRIVERS\isapnp.sys

14:50:31:125 3428 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\windows\system32\DRIVERS\kbdclass.sys

14:50:31:171 3428 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\windows\system32\drivers\klmd.sys

14:50:31:203 3428 kmixer (692bcf44383d056aed41b045a323d378) C:\windows\system32\drivers\kmixer.sys

14:50:31:218 3428 KSecDD (b467646c54cc746128904e1654c750c1) C:\windows\system32\drivers\KSecDD.sys

14:50:31:234 3428 L8042pr2 (0f8b7bf7097d1e8d78f2f52a2bea03cd) C:\windows\system32\DRIVERS\L8042pr2.Sys

14:50:31:265 3428 LHidFlt2 (3c357dfdbbf2b4b01aa4b9c8a26e4416) C:\windows\system32\DRIVERS\LHidFlt2.Sys

14:50:31:296 3428 LHidUsb (ffb851b1b2f6596b7d3182b977a85206) C:\windows\system32\Drivers\LHidUsb.Sys

14:50:31:312 3428 LMouFlt2 (aef09673376a4d93c09e8341854f1bf4) C:\windows\system32\DRIVERS\LMouFlt2.Sys

14:50:31:328 3428 mcdbus (8fd868e32459ece2a1bb0169f513d31e) C:\windows\system32\DRIVERS\mcdbus.sys

14:50:31:343 3428 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\windows\system32\drivers\mnmdd.sys

14:50:31:375 3428 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\windows\system32\drivers\Modem.sys

14:50:31:421 3428 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\windows\system32\DRIVERS\mouclass.sys

14:50:31:437 3428 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\windows\system32\DRIVERS\mouhid.sys

14:50:31:468 3428 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\windows\system32\drivers\MountMgr.sys

14:50:31:484 3428 MR97310_VGA_DUAL_CAMERA (15a7769df62938c56318ed8f95376001) C:\windows\system32\DRIVERS\mr97310v.sys

14:50:31:515 3428 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\windows\system32\DRIVERS\mrxdav.sys

14:50:31:609 3428 MRxSmb (f3aefb11abc521122b67095044169e98) C:\windows\system32\DRIVERS\mrxsmb.sys

14:50:31:656 3428 Msfs (c941ea2454ba8350021d774daf0f1027) C:\windows\system32\drivers\Msfs.sys

14:50:31:687 3428 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\windows\system32\drivers\MSKSSRV.sys

14:50:31:703 3428 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\windows\system32\drivers\MSPCLOCK.sys

14:50:31:718 3428 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\windows\system32\drivers\MSPQM.sys

14:50:31:750 3428 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\windows\system32\DRIVERS\mssmbios.sys

14:50:31:781 3428 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\windows\system32\drivers\MSTEE.sys

14:50:31:796 3428 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\windows\system32\drivers\Mup.sys

14:50:31:828 3428 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\windows\system32\DRIVERS\NABTSFEC.sys

14:50:31:875 3428 NDIS (1df7f42665c94b825322fae71721130d) C:\windows\system32\drivers\NDIS.sys

14:50:31:890 3428 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\windows\system32\DRIVERS\NdisIP.sys

14:50:31:921 3428 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\windows\system32\DRIVERS\ndistapi.sys

14:50:31:953 3428 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\windows\system32\DRIVERS\ndisuio.sys

14:50:31:968 3428 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\windows\system32\DRIVERS\ndiswan.sys

14:50:31:984 3428 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\windows\system32\drivers\NDProxy.sys

14:50:32:046 3428 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\windows\system32\DRIVERS\netbios.sys

14:50:32:125 3428 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\windows\system32\DRIVERS\netbt.sys

14:50:32:156 3428 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\windows\system32\DRIVERS\nic1394.sys

14:50:32:187 3428 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\windows\system32\drivers\Npfs.sys

14:50:32:218 3428 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\windows\system32\drivers\Ntfs.sys

14:50:32:250 3428 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\windows\system32\drivers\Null.sys

14:50:32:281 3428 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\windows\system32\DRIVERS\nwlnkflt.sys

14:50:32:312 3428 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\windows\system32\DRIVERS\nwlnkfwd.sys

14:50:32:390 3428 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\windows\system32\DRIVERS\ohci1394.sys

14:50:32:421 3428 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\windows\system32\DRIVERS\parport.sys

14:50:32:437 3428 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\windows\system32\drivers\PartMgr.sys

14:50:32:468 3428 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\windows\system32\drivers\ParVdm.sys

14:50:32:515 3428 PCI (a219903ccf74233761d92bef471a07b1) C:\windows\system32\DRIVERS\pci.sys

14:50:32:562 3428 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\windows\system32\DRIVERS\pciide.sys

14:50:32:640 3428 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\windows\system32\DRIVERS\pcmcia.sys

14:50:32:687 3428 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\windows\system32\Drivers\pcouffin.sys


I followed your steps using TDSSKiller. It appears to have finally gotten rid of the virus that was still hiding in C:\windows\system32\DRIVERS\ACPIEC.sys. (MBAM shows no virus anymore.)

Here is the TDSS report:

14:50:26:421 3428 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48

14:50:26:421 3428 ================================================================================

14:50:26:421 3428 SystemInfo:

14:50:26:421 3428 OS Version: 5.1.2600 ServicePack: 3.0

14:50:26:421 3428 Product type: Workstation

14:50:26:421 3428 ComputerName: ROB-CCA219EB460

14:50:26:421 3428 UserName: Rob

14:50:26:421 3428 Windows directory: C:\windows

14:50:26:421 3428 Processor architecture: Intel x86

14:50:26:421 3428 Number of processors: 2

14:50:26:421 3428 Page size: 0x1000

14:50:26:437 3428 Boot type: Normal boot

14:50:26:437 3428 ================================================================================

14:50:26:703 3428 Initialize success

14:50:26:703 3428

14:50:26:703 3428 Scanning Services ...

14:50:27:125 3428 Raw services enum returned 371 services

14:50:27:140 3428

14:50:27:140 3428 Scanning Drivers ...

14:50:27:953 3428 ACPI (8fd99680a539792a30e97944fdaecf17) C:\windows\system32\DRIVERS\ACPI.sys

14:50:27:968 3428 ACPIEC (7900dec32fad1236c0289d8d5df040df) C:\windows\system32\DRIVERS\ACPIEC.sys

14:50:27:968 3428 Suspicious file (Forged): C:\windows\system32\DRIVERS\ACPIEC.sys. Real md5: 7900dec32fad1236c0289d8d5df040df, Fake md5: 9859c0f6936e723e4892d7141b1327d5

14:50:27:968 3428 File "C:\windows\system32\DRIVERS\ACPIEC.sys" infected by TDSS rootkit ... 14:50:28:500 3428 Backup copy found, using it..

14:50:28:515 3428 will be cured on next reboot


14:50:35:640 3428 Reboot required for cure complete..

14:50:35:984 3428 Cure on reboot scheduled successfully

14:50:35:984 3428

14:50:35:984 3428 Completed

14:50:35:984 3428

14:50:35:984 3428 Results:

14:50:35:984 3428 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

14:50:35:984 3428 File objects infected / cured / cured on reboot: 1 / 0 / 1

14:50:35:984 3428

14:50:35:984 3428 KLMD(ARK) unloaded successfully

If you think it has been removed, can I not use Defogger to enable my CD Emulator Drivers that I disabled earlier?

Also, may I load Avira Antivirus now?

Is it true that the PRO version of MBAM would have prevented this virus from even loading in the first place?

Thank you very much for your assistance as I didn't really want to wipe my entire hard drive. However, I may do that in the near future if I can get all my programs again.

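A way to triage a TDSSKiller report like the one above, added here as an example (it is not code from the thread or from the tool's author): it inventories the scanned drivers, isolates the forged-hash finding and cross-checks the Results block against the per-file lines. The sample input is a constructed excerpt of the report posted above; the reading of "Real" versus "Fake" md5 and the names `triage`, `Triage` and `Forged` are this example's own assumptions.

```python
"""Triage a TDSSKiller 2.3.x text report: inventory the scanned drivers, pull
out the forged-hash finding and cross-check the 'Results:' block."""
import re
from dataclasses import dataclass, field

# Constructed sample: an excerpt in the line format of the report posted in
# the thread (hash and path values are the ones that report shows).
SAMPLE_REPORT = r"""
14:50:27:140 3428 Scanning Drivers ...
14:50:27:953 3428 ACPI (8fd99680a539792a30e97944fdaecf17) C:\windows\system32\DRIVERS\ACPI.sys
14:50:27:968 3428 ACPIEC (7900dec32fad1236c0289d8d5df040df) C:\windows\system32\DRIVERS\ACPIEC.sys
14:50:27:968 3428 Suspicious file (Forged): C:\windows\system32\DRIVERS\ACPIEC.sys. Real md5: 7900dec32fad1236c0289d8d5df040df, Fake md5: 9859c0f6936e723e4892d7141b1327d5
14:50:27:968 3428 File "C:\windows\system32\DRIVERS\ACPIEC.sys" infected by TDSS rootkit ... 14:50:28:500 3428 Backup copy found, using it..
14:50:28:515 3428 will be cured on next reboot
14:50:28:578 3428 aec (8bed39e3c35d6a489438b8141717a557) C:\windows\system32\drivers\aec.sys
14:50:35:640 3428 Reboot required for cure complete..
14:50:35:984 3428 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
14:50:35:984 3428 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# Driver inventory line: <time> <tid> <service name> (<md5>) <path>
DRIVER_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3} \d+ (?P<name>\S+) "
                       r"\((?P<md5>[0-9a-f]{32})\) (?P<path>[A-Za-z]:\\.+)$")
FORGED_RE = re.compile(r"Suspicious file \(Forged\): (?P<path>.+?)\. "
                       r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})")
INFECTED_RE = re.compile(r'File "(?P<path>.+?)" infected by (?P<threat>.+?) \.\.\.')
RESULT_RE = re.compile(r"(?P<kind>Registry|File) objects infected / cured / cured on reboot: "
                       r"(?P<inf>\d+) / (?P<cured>\d+) / (?P<reboot>\d+)")


@dataclass
class Forged:
    path: str
    real_md5: str  # hash of the bytes TDSSKiller read for itself
    fake_md5: str  # hash returned through the normal file read path
    # Assumption about the tool's labels (the driver line carries the "real"
    # value).  The signal is the mismatch: something between the file API and
    # the disk is filtering reads, so an API-only hash whitelist sees "fake".


@dataclass
class Triage:
    drivers: dict = field(default_factory=dict)   # name -> (md5, path)
    forged: list = field(default_factory=list)    # Forged entries
    infected: list = field(default_factory=list)  # (path, threat)
    results: dict = field(default_factory=dict)   # kind -> (inf, cured, on reboot)
    reboot_required: bool = False

    def cure_pending(self) -> bool:
        """True while any object is only scheduled to be cured on reboot."""
        return any(r[2] > 0 for r in self.results.values())

    def problems(self) -> list:
        """Cross-checks to run before trusting the 'Completed' line."""
        out = []
        by_path = {p.lower(): (n, h) for n, (h, p) in self.drivers.items()}
        for f in self.forged:
            hit = by_path.get(f.path.lower())
            if hit is None:
                out.append(f"forged file {f.path} is not in the driver inventory")
            elif hit[1] != f.real_md5:
                out.append(f"inventory hash for {hit[0]} is the masked value")
        flagged = {p.lower() for p, _ in self.infected} | {f.path.lower() for f in self.forged}
        if "File" in self.results and self.results["File"][0] != len(flagged):
            out.append(f"results count {self.results['File'][0]} disagrees "
                       f"with {len(flagged)} flagged file(s)")
        if self.cure_pending() and not self.reboot_required:
            out.append("cure scheduled on reboot but no 'Reboot required' line")
        return out


def triage(report: str) -> Triage:
    """Parse one report; finding lines are matched before the driver pattern."""
    t = Triage()
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := FORGED_RE.search(line):
            t.forged.append(Forged(m["path"], m["real"], m["fake"]))
        elif m := INFECTED_RE.search(line):
            t.infected.append((m["path"], m["threat"]))
        elif m := RESULT_RE.search(line):
            t.results[m["kind"]] = (int(m["inf"]), int(m["cured"]), int(m["reboot"]))
        elif "Reboot required" in line:
            t.reboot_required = True
        elif m := DRIVER_RE.match(line):
            t.drivers[m["name"]] = (m["md5"], m["path"])
    return t


if __name__ == "__main__":
    t = triage(SAMPLE_REPORT)
    print(f"{len(t.drivers)} drivers, {len(t.forged)} forged, {len(t.infected)} infected")
    for f in t.forged:
        print(f"  {f.path}\n    on disk:   {f.real_md5}\n    presented: {f.fake_md5}")
    print("cure pending reboot:", t.cure_pending(), "| problems:", t.problems() or "none")
```

Run on the full report it yields the same single forged file; `problems()` is where a summary whose counts disagree with its own per-file lines would show up.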

Hello there, good to hear things are fine now :P

Yes, you can now enable CD emulators and turn on Avira.

Since the PRO version of MBAM has an active IP shield, it might have prevented this infection; however, it is very difficult to say. It's very important to have adequate protection, but it's just as important to use the internet wisely.

Could you please do a scan with Avira and let me know what was found (if anything)?

Also, please let me know if you have any problems left.

UPDATE JAVA

------------------

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.

-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


Hi, Elise.

I am having trouble removing the older versions of Java. When I try to uninstall using the Add/Remove Programs, it shows up, but then when I click uninstall, I get an error message stating that it cannot locate the file in C:\...\Application Data\Sun\Java\. I clicked "Show Hidden Folders" and see that the location is, in fact, correct.

Could this have anything to do with the fact that I had to install a new hard drive about 2 weeks ago and am now functioning on a cloned drive?

Thanks again for your assistance.

I have not installed or updated anything as I want to get this step done properly first.

Awaiting further instructions...


To give you further info, the folders contained at C:\...\Sun\Java are:

Deployment

jre1.6.0_10

jre1.6.0_11

jre1.6.0_13

jre1.6.0_14

jre1.6.0_15

jre1.6.0_18

All the jre folders contain only one dll file named "lzma", with two exceptions. The jre1.6.0_14 folder contains the Windows Installer Package "jre1.6.0_14-pfrom13" and "sp1033.mst". The jre1.6.0_18 folder contains only one OpenOffice banner jpg.

Also, the only Java program that shows up in my list of programs to Add/Remove is JAVA 6 Update 15. I tried searching my computer for the java .msi file it was trying to detect for removal of JAVA 6 Update 15 and found nothing.

Can the older versions of Java be removed using the JAVA button in my Control Panel?


Elise,

Let me preface this entry by stating that I understand responsible use of the internet and take necessary precautions. I have a degree in Mathematics and had some programming classes - COBOL and Fortran. I would say that I have a better-than-average understanding of computers and programming. Yes, I read through the logs before I post them. And no, I don't necessarily know what to look for. : )

Now... I was on the FIFA.com website this afternoon (thinking that you would not be able to respond to my post until later today), saw a JAVA 2" x 3" install-looking window pop up (I did nothing) and then (not having installed Avira yet, of course... or the PRO version of Malwarebytes... yet) the same *&^%-ing AV Sec Suite virus popped up again! I believe that my outdated JAVA is allowing my computer to be exploited. I am pretty good about keeping my programs updated.

I immediately shut down explorer, disabled my connection, and re-opened an internet page without connecting. I then did the first step recommended before by bleepingcomputer.com and unchecked the LAN proxy server settings that this virus changes.

Step #2: Ran rkill = stopped 2 files

Step #3: Ran MBAM = 8 infections

Step #4: Ran rkill again - nothing to stop but my open folder

Step #5: Ran MBAM again = 0 infections

Step #6: Ran OTL - it only produced one log, no "extras" log

Step #7: Ran GMER with IAT/EAT and Show All unchecked.

After starting the GMER scan, I came back to my computer about an hour later and found the BLUE screen up with the following message:

"Windows was shut down... This was caused by the following file: fglyqkow.sys -- ADDRESS b75a5fa6 BASE AT b759a000, DATE STAMP 4b274f8d"

I did re-boot and started running GMER again. Another hour or so later, checked on it again. I was unable to tell if GMER was finished as my computer had locked up so I was not able to get that report. I just shut my computer down again (using the power button) and am posting the reports/logs I had already copied onto a flash drive earlier. I am using a friend's computer to post these.

I have the logs posted below. However, should you not be up to helping me out again, I would understand. I am seriously considering the "driveway and my truck" option a friend suggested.

This is the second rkill log. I guess I didn't get the first run-through log copied over. I can look if it is absolutely necessary and hope that it wasn't already written over by the second run-through. I believe that it killed 2 files that were associated with AV.

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Ran as Rob on 06/26/2010 at 13:31:19.

Processes terminated by Rkill or while it was running:

C:\Documents and Settings\Rob\Desktop\AV Sec Ste Virus Fixes\rkill.com [folder where I had moved all the logs and programs that I had downloaded earlier to fix this virus]

Rkill completed on 06/26/2010 at 13:31:21.

First MBAM Log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4184

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

6/26/2010 1:21:07 PM

mbam-log-2010-06-26 (13-21-07).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|U:\|)

Objects scanned: 237769

Time elapsed: 50 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqrnpwbg (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqrnpwbg (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Rob\Local Settings\temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Rob\Local Settings\Application Data\bvftnpqgj\irgsgnetssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Second MBAM Log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4184

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

6/26/2010 2:22:16 PM

mbam-log-2010-06-26 (14-22-16).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|U:\|)

Objects scanned: 237525

Time elapsed: 48 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

OTL Log:

OTL logfile created on: 6/26/2010 2:26:45 PM - Run 2

OTL by OldTimer - Version 3.2.6.1 Folder = C:\Documents and Settings\Rob\Desktop\AV Sec Ste Virus Fixes

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 559.00 Mb Available Physical Memory | 55.00% Memory free

2.00 Gb Paging File | 1.00 Gb Available in Paging File | 78.00% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files

Drive C: | 74.52 Gb Total Space | 12.48 Gb Free Space | 16.75% Space Free | Partition Type: NTFS

Drive D: | 2.54 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: ROB-CCA219EB460

Current User Name: Rob

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/21 11:40:06 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rob\Desktop\AV Sec Ste Virus Fixes\OTL.exe

PRC - [2009/09/26 00:32:18 | 000,189,736 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2005/04/04 19:58:30 | 003,502,080 | ---- | M] () -- C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe

PRC - [2005/04/04 19:58:30 | 000,856,064 | ---- | M] (Adobe Sytems Incorporated) -- C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

PRC - [2005/04/04 19:58:28 | 000,163,840 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe

PRC - [2004/06/17 17:14:10 | 000,393,216 | ---- | M] () -- C:\Program Files\Wireless LAN\WLanUtil.exe

PRC - [2004/04/29 15:16:38 | 000,102,400 | ---- | M] (Sigmatel) -- C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\stacsystray.exe

PRC - [2004/04/29 15:15:10 | 000,081,920 | ---- | M] () -- C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\sigservice.exe

PRC - [2004/04/29 15:11:52 | 000,815,174 | ---- | M] () -- C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\stacsrv.exe

========== Modules (SafeList) ==========

MOD - [2010/06/21 11:40:06 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rob\Desktop\AV Sec Ste Virus Fixes\OTL.exe

MOD - [2008/04/13 17:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - [2010/03/29 08:51:54 | 000,068,000 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®

SRV - [2009/09/26 00:32:18 | 000,189,736 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe -- (FreeAgentGoNext Service)

SRV - [2005/04/04 19:58:28 | 000,163,840 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe -- (Adobe Version Cue CS2)

SRV - [2004/07/14 06:09:36 | 000,918,792 | ---- | M] (Zone Labs Inc.) [On_Demand | Stopped] -- C:\windows\System32\ZoneLabs\vsmon.exe -- (vsmon)

SRV - [2004/04/29 15:15:10 | 000,081,920 | ---- | M] () [Auto | Running] -- C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\sigservice.exe -- (SigService)

========== Driver Services (SafeList) ==========

DRV - [2010/06/26 12:11:50 | 000,052,432 | ---- | M] (Kaspersky Lab, SLA) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\klmd.sys -- (klmd23)

DRV - [2009/02/24 18:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mcdbus.sys -- (mcdbus)

DRV - [2007/08/06 17:15:07 | 000,033,052 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\scdemu.sys -- (SCDEmu)

DRV - [2005/09/12 04:30:00 | 000,089,264 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\windows\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)

DRV - [2005/09/08 06:20:00 | 000,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)

DRV - [2005/09/08 06:20:00 | 000,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)

DRV - [2005/09/08 06:20:00 | 000,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)

DRV - [2005/09/08 06:20:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)

DRV - [2005/09/08 06:20:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)

DRV - [2005/09/08 06:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)

DRV - [2005/09/08 06:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)

DRV - [2005/08/25 13:16:52 | 000,005,628 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)

DRV - [2005/08/25 13:16:16 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)

DRV - [2005/08/12 06:20:00 | 000,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)

DRV - [2005/08/09 22:35:42 | 001,273,856 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)

DRV - [2004/12/22 02:32:12 | 000,369,024 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)

DRV - [2004/07/14 06:09:22 | 000,270,672 | ---- | M] (Zone Labs Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)

DRV - [2004/04/15 09:18:34 | 000,262,128 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97)

DRV - [2004/03/30 11:29:36 | 000,118,106 | ---- | M] (Mars Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mr97310v.sys -- (MR97310_VGA_DUAL_CAMERA)

DRV - [2003/12/17 10:50:00 | 000,070,801 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFlt2.Sys -- (LMouFlt2)

DRV - [2003/12/17 10:50:00 | 000,051,729 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\L8042pr2.Sys -- (L8042pr2)

DRV - [2003/12/17 10:50:00 | 000,037,887 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidUsb.sys -- (LHidUsb)

DRV - [2003/12/17 10:50:00 | 000,025,505 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFlt2.Sys -- (LHidFlt2)

DRV - [2003/11/26 02:31:26 | 001,205,418 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)

DRV - [2000/12/12 16:45:52 | 000,008,679 | ---- | M] ( ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SCI0PL.SYS -- (PLSCSI)

DRV - [2000/12/12 16:41:54 | 000,021,510 | ---- | M] ( ) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\SCI1PL.SYS -- (USBAtapi2000)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1644491937-562591055-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKU\S-1-5-21-1644491937-562591055-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1644491937-562591055-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-21-1644491937-562591055-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577

O1 HOSTS File: ([2010/06/23 14:39:50 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (SBCONVERT Class) - {3017FB3E-9A77-4396-88C5-0EC9548FB42F} - C:\Program Files\SpeedBit Video Downloader\Toolbar\tbcore3.dll ()

O2 - BHO: (SearchPredictObj Class) - {389943B0-C3A2-4E69-82CB-8596A84CB3DC} - C:\Program Files\SearchPredict\SearchPredict.dll (Speedbit Ltd.)

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()

O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)

O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (Google Inc.)

O2 - BHO: (DAPIELoader Class) - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Download Accelerator Plus\dapieloader.dll (SpeedBit Ltd.)

O2 - BHO: (GrabberObj Class) - {FF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\SpeedBit Video Downloader\Toolbar\Grabber.dll (Speedbit Ltd.)

O3 - HKLM\..\Toolbar: (SpeedBit Video Downloader) - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - C:\Program Files\SpeedBit Video Downloader\Toolbar\tbcore3.dll ()

O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()

O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKU\S-1-5-21-1644491937-562591055-725345543-1003\..\Toolbar\WebBrowser: (SpeedBit Video Downloader) - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - C:\Program Files\SpeedBit Video Downloader\Toolbar\tbcore3.dll ()

O3 - HKU\S-1-5-21-1644491937-562591055-725345543-1003\..\Toolbar\WebBrowser: (&Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()

O3 - HKU\S-1-5-21-1644491937-562591055-725345543-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O4 - HKLM..\Run: [Adobe Version Cue CS2] C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe (Adobe Sytems Incorporated)

O4 - HKLM..\Run: [stacSysTray] C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\stacsystray.exe (Sigmatel)

O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\caequ.exe ()

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\IEEE 802.11g USB Wireless LAN Utility.lnk = C:\Program Files\Wireless LAN\WLanUtil.exe ()

O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\evfoi.exe ()

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-1644491937-562591055-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-1644491937-562591055-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-21-1644491937-562591055-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0

O7 - HKU\S-1-5-21-1644491937-562591055-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-21-1644491937-562591055-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O8 - Extra context menu item: &Clean Traces - C:\Program Files\Download Accelerator Plus\Privacy Package\dapcleanerie.htm ()

O8 - Extra context menu item: &Download with &DAP - C:\Program Files\Download Accelerator Plus\dapextie.htm ()

O8 - Extra context menu item: Download &all with DAP - C:\Program Files\Download Accelerator Plus\dapextie2.htm ()

O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()

O9 - Extra Button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Flash Decompiler Trillix\saveflash\iebt.dll File not found

O9 - Extra 'Tools' menuitem : Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Flash Decompiler Trillix\saveflash\iebt.dll File not found

O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O9 - Extra Button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()

O9 - Extra 'Tools' menuitem : Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shock...director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1196226844085 (WUWebControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)

O16 - DPF: Web-Based Email Tools https://email.secureserver.net/Download.CAB (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\windows\System32\ati2evxx.dll (ATI Technologies Inc.)

O24 - Desktop WallPaper: C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2007/11/27 20:05:29 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2006/10/27 22:34:32 | 000,000,175 | R--- | M] () - D:\autorun.inf -- [ UDF ]

O33 - MountPoints2\{2a265d8c-ff84-11dd-9d58-00904b728919}\Shell - "" = AutoRun

O33 - MountPoints2\{2a265d8c-ff84-11dd-9d58-00904b728919}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{2a265d8c-ff84-11dd-9d58-00904b728919}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/26 12:11:50 | 000,052,432 | ---- | C] (Kaspersky Lab, SLA) -- C:\windows\System32\drivers\klmd.sys

[2010/06/26 11:49:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Local Settings\Application Data\bvftnpqgj

[2010/06/23 14:56:46 | 000,000,000 | -HSD | C] -- C:\RECYCLER

[2010/06/22 21:12:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Desktop\AV Sec Ste Virus Fixes

[2010/06/21 18:57:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun

[2010/06/21 18:57:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe

[2010/06/18 20:10:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Local Settings\Application Data\ibyavpydp

[2010/06/16 17:33:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Application Data\Free AVI MPEG WMV MP4 FLV Video Joiner

[2010/06/16 14:12:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\My Documents\My DAP Downloads

[2010/06/16 14:11:53 | 000,172,032 | ---- | C] (Jin Hui E-mail: jinhui@jcomsoft.com Web: http://www.jcomsoft.com) -- C:\windows\System32\AniGIF.ocx

[2010/06/16 14:11:50 | 000,000,000 | ---D | C] -- C:\Program Files\Download Accelerator Plus

[2010/06/16 14:11:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Application Data\Toolbar4

[2010/06/16 14:11:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SpeedBit

[2010/06/16 14:11:12 | 000,000,000 | ---D | C] -- C:\Program Files\SearchPredict

[2010/06/16 14:11:10 | 000,000,000 | ---D | C] -- C:\Program Files\SpeedBit Video Downloader

[2010/06/13 18:00:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\My Documents\StreamTransport

[2010/06/13 17:54:07 | 003,982,240 | ---- | C] (Adobe Systems, Inc.) -- C:\windows\System32\Flash10d.ocx

[2010/06/13 17:54:06 | 000,000,000 | ---D | C] -- C:\Program Files\StreamTransport

[2010/06/13 14:45:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Application Data\Moyea

[2010/06/13 12:41:05 | 000,000,000 | ---D | C] -- C:\tmpDownload

[2010/06/13 12:41:05 | 000,000,000 | ---D | C] -- C:\Download

[2010/06/13 12:41:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rob\Local Settings\Application Data\PCHealth

[2010/06/12 23:32:14 | 000,000,000 | ---D | C] -- C:\Program Files\YouTube Music Downloader

[2010/06/12 23:24:58 | 000,000,000 | ---D | C] -- C:\Program Files\Hulu Downloader

[2010/06/06 00:53:13 | 000,000,000 | ---D | C] -- C:\Program Files\DVDFab 7

[2010/06/04 13:03:19 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\SourceTec

[2010/06/04 11:25:28 | 000,000,000 | ---D | C] -- C:\Program Files\SWF Picture Extractor

[2010/06/03 16:21:05 | 000,000,000 | -HSD | C] -- C:\windows\Installer

[2010/02/16 12:01:35 | 000,021,510 | ---- | C] ( ) -- C:\windows\System32\drivers\SCI1PL.SYS

[2010/02/16 12:01:35 | 000,008,679 | ---- | C] ( ) -- C:\windows\System32\drivers\SCI0PL.SYS

[2004/11/24 12:25:52 | 000,335,872 | ---- | C] ( ) -- C:\windows\System32\drvc.dll

[5 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

[1 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/26 14:25:24 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Rob\defogger_reenable

[2010/06/26 13:24:21 | 000,013,646 | ---- | M] () -- C:\windows\System32\wpa.dbl

[2010/06/26 13:23:45 | 000,000,236 | ---- | M] () -- C:\windows\tasks\OGALogon.job

[2010/06/26 13:23:45 | 000,000,006 | -H-- | M] () -- C:\windows\tasks\SA.DAT

[2010/06/26 13:23:39 | 000,002,048 | --S- | M] () -- C:\windows\bootstat.dat

[2010/06/26 13:22:44 | 016,777,216 | ---- | M] () -- C:\Documents and Settings\Rob\ntuser.dat

[2010/06/26 13:22:37 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Rob\ntuser.ini

[2010/06/26 13:21:51 | 005,396,660 | -H-- | M] () -- C:\Documents and Settings\Rob\Local Settings\Application Data\IconCache.db

[2010/06/26 12:11:50 | 000,052,432 | ---- | M] (Kaspersky Lab, SLA) -- C:\windows\System32\drivers\klmd.sys

[2010/06/26 09:37:17 | 000,170,496 | ---- | M] () -- C:\Documents and Settings\Rob\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/06/25 22:12:46 | 080,398,104 | ---- | M] () -- C:\Documents and Settings\Rob\Desktop\jdk-6u20-windows-i586.exe

[2010/06/25 16:59:57 | 000,000,038 | ---- | M] () -- C:\windows\AviSplitter.INI

[2010/06/23 14:40:14 | 000,000,227 | ---- | M] () -- C:\windows\system.ini

[2010/06/23 14:39:50 | 000,000,027 | ---- | M] () -- C:\windows\System32\drivers\etc\hosts

[2010/06/22 12:00:05 | 000,528,920 | ---- | M] () -- C:\windows\System32\PerfStringBackup.INI

[2010/06/22 12:00:05 | 000,446,154 | ---- | M] () -- C:\windows\System32\perfh009.dat

[2010/06/22 12:00:05 | 000,073,088 | ---- | M] () -- C:\windows\System32\perfc009.dat

[2010/06/21 19:39:05 | 000,000,120 | ---- | M] () -- C:\windows\Jqoqokezezocohof.dat

[2010/06/21 18:57:33 | 000,001,324 | ---- | M] () -- C:\windows\System32\d3d9caps.dat

[2010/06/21 00:29:42 | 000,000,000 | ---- | M] () -- C:\windows\Rxesalifipulukel.bin

[2010/06/16 14:11:53 | 000,172,032 | ---- | M] (Jin Hui E-mail: jinhui@jcomsoft.com Web: http://www.jcomsoft.com) -- C:\windows\System32\AniGIF.ocx

[2010/06/13 23:39:53 | 000,783,777 | ---- | M] () -- C:\Documents and Settings\Rob\Application Data\vso_ts_preview.xml

[2010/06/13 17:54:11 | 000,000,728 | ---- | M] () -- C:\Documents and Settings\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\ StreamTransport.lnk

[2010/06/12 16:48:46 | 000,525,568 | ---- | M] () -- C:\windows\System32\FNTCACHE.DAT

[2010/06/12 13:56:39 | 000,001,374 | ---- | M] () -- C:\windows\imsins.BAK

[2010/06/09 17:33:40 | 000,028,000 | ---- | M] () -- C:\Documents and Settings\Rob\My Documents\index.swf

[2010/06/06 00:53:18 | 000,000,646 | ---- | M] () -- C:\Documents and Settings\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\DVDFab 7.lnk

[2010/06/06 00:53:18 | 000,000,628 | ---- | M] () -- C:\Documents and Settings\Rob\Desktop\DVDFab 7.lnk

[2010/06/04 13:03:20 | 000,014,699 | ---- | M] () -- C:\windows\unins000.dat

[2010/06/04 13:02:15 | 000,695,642 | ---- | M] () -- C:\windows\unins000.exe

[2010/06/04 11:25:29 | 000,001,784 | ---- | M] () -- C:\Documents and Settings\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\SWF Picture Extractor.lnk

[5 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

[1 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/26 14:25:24 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Rob\defogger_reenable

[2010/06/25 22:12:46 | 080,398,104 | ---- | C] () -- C:\Documents and Settings\Rob\Desktop\jdk-6u20-windows-i586.exe

[2010/06/25 12:20:40 | 000,000,038 | ---- | C] () -- C:\windows\AviSplitter.INI

[2010/06/18 21:17:25 | 000,001,324 | ---- | C] () -- C:\windows\System32\d3d9caps.dat

[2010/06/18 20:12:05 | 000,000,000 | ---- | C] () -- C:\windows\Rxesalifipulukel.bin

[2010/06/18 20:12:04 | 000,000,120 | ---- | C] () -- C:\windows\Jqoqokezezocohof.dat

[2010/06/13 17:54:11 | 000,000,728 | ---- | C] () -- C:\Documents and Settings\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\ StreamTransport.lnk

[2010/06/09 17:35:15 | 000,028,000 | ---- | C] () -- C:\Documents and Settings\Rob\My Documents\index.swf

[2010/06/06 00:53:18 | 000,000,646 | ---- | C] () -- C:\Documents and Settings\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\DVDFab 7.lnk

[2010/06/06 00:53:18 | 000,000,628 | ---- | C] () -- C:\Documents and Settings\Rob\Desktop\DVDFab 7.lnk

[2010/06/04 13:03:18 | 000,695,642 | ---- | C] () -- C:\windows\unins000.exe

[2010/06/04 13:03:18 | 000,014,699 | ---- | C] () -- C:\windows\unins000.dat

[2010/06/04 11:25:28 | 000,001,784 | ---- | C] () -- C:\Documents and Settings\Rob\Application Data\Microsoft\Internet Explorer\Quick Launch\SWF Picture Extractor.lnk

[2010/06/03 16:20:45 | 000,001,374 | ---- | C] () -- C:\windows\imsins.BAK

[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\windows\System32\OGACheckControl.dll

[2008/12/19 08:15:58 | 004,338,246 | ---- | C] () -- C:\windows\System32\libavcodec.dll

[2008/12/17 10:41:18 | 000,884,237 | ---- | C] () -- C:\windows\System32\ff_x264.dll

[2008/12/17 10:22:58 | 000,093,184 | ---- | C] () -- C:\windows\System32\ff_wmv9.dll

[2008/12/17 10:22:48 | 000,057,344 | ---- | C] () -- C:\windows\System32\ff_vfw.dll

[2008/12/17 10:17:34 | 000,239,247 | ---- | C] () -- C:\windows\System32\ff_theora.dll

[2008/12/17 09:59:54 | 000,560,802 | ---- | C] () -- C:\windows\System32\libmplayer.dll

[2008/12/11 04:27:02 | 000,000,547 | ---- | C] () -- C:\windows\System32\ff_vfw.dll.manifest

[2008/11/06 09:37:32 | 003,596,288 | ---- | C] () -- C:\windows\System32\qt-dx331.dll

[2008/11/06 09:34:00 | 000,000,416 | ---- | C] () -- C:\windows\System32\dtu100.dll.manifest

[2008/11/06 09:34:00 | 000,000,416 | ---- | C] () -- C:\windows\System32\dpl100.dll.manifest

[2008/11/06 09:33:02 | 000,012,288 | ---- | C] () -- C:\windows\System32\DivXWMPExtType.dll

[2008/10/01 14:21:59 | 000,000,373 | ---- | C] () -- C:\windows\System32\CNCMFP20.INI

[2008/10/01 14:08:22 | 000,000,532 | ---- | C] () -- C:\windows\MAXLINK.INI

[2008/06/12 11:50:05 | 000,667,280 | ---- | C] () -- C:\windows\System32\tx12.dll

[2008/06/12 11:50:05 | 000,000,530 | ---- | C] () -- C:\windows\System32\tx12_ic.ini

[2008/05/31 20:57:51 | 000,069,632 | R--- | C] () -- C:\windows\System32\xmltok.dll

[2008/05/31 20:57:51 | 000,036,864 | R--- | C] () -- C:\windows\System32\xmlparse.dll

[2008/04/02 14:49:00 | 000,000,021 | ---- | C] () -- C:\windows\THUMBV~1.INI

[2008/04/02 13:40:47 | 000,000,107 | ---- | C] () -- C:\windows\marscam.ini

[2008/04/02 13:29:40 | 000,000,029 | ---- | C] () -- C:\windows\DEBUGSM.INI

[2007/11/28 19:43:06 | 000,000,170 | ---- | C] () -- C:\windows\wininit.ini

[2007/11/28 19:40:53 | 000,000,376 | ---- | C] () -- C:\windows\ODBC.INI

[2007/11/27 22:07:15 | 000,028,672 | ---- | C] () -- C:\windows\System32\InsDrvZD.dll

[2007/11/27 20:48:36 | 000,192,512 | ---- | C] () -- C:\windows\System32\stac97co.dll

[2005/11/18 11:47:26 | 000,000,000 | ---- | C] () -- C:\windows\System32\px.ini

[2004/10/03 10:50:54 | 000,129,024 | ---- | C] () -- C:\windows\System32\ff_mpeg2enc.dll

[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\windows\System32\OUTLPERF.INI

[2001/10/12 10:58:20 | 000,028,672 | ---- | C] () -- C:\windows\System32\mr310exd.dll

[2001/10/12 10:57:18 | 000,036,864 | ---- | C] () -- C:\windows\System32\mr310exv.dll

[2000/12/07 10:13:58 | 000,015,164 | ---- | C] () -- C:\windows\Mr310twv.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\windows\AGRSMMSG.exe:SummaryInformation

@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F4CA4D70

@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:010ADD2C

< End of report >

I will have a beer while you make your decision. And YES, I will have one for you too! ;)


Here is the ComboFix Log. I also have an MBAM Log which was run right after ComboFix and it showed 27 infections, which I fixed and then rebooted my computer.

ComboFix Log:

ComboFix 10-06-22.02 - Rob 06/27/2010 11:20:12.6.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.593 [GMT -7:00]

Running from: c:\documents and settings\Rob\Desktop\ComboFix.exe

FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2010-05-27 to 2010-06-27 )))))))))))))))))))))))))))))))

.

2010-06-26 19:11 . 2010-06-26 19:11 52432 ----a-w- c:\windows\system32\drivers\klmd.sys

2010-06-26 18:49 . 2010-06-26 20:21 -------- d-----w- c:\documents and settings\Rob\Local Settings\Application Data\bvftnpqgj

2010-06-22 01:57 . 2010-06-22 01:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-06-19 04:17 . 2010-06-22 01:57 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-19 03:12 . 2010-06-21 07:29 0 ----a-w- c:\windows\Rxesalifipulukel.bin

2010-06-19 03:12 . 2010-06-22 02:39 120 ----a-w- c:\windows\Jqoqokezezocohof.dat

2010-06-19 03:10 . 2010-06-19 05:12 -------- d-----w- c:\documents and settings\Rob\Local Settings\Application Data\ibyavpydp

2010-06-17 01:01 . 2010-06-17 01:01 95744 ----a-w- c:\documents and settings\All Users\Application Data\SpeedBit\DAP\SDCondition.dll

2010-06-17 00:33 . 2010-06-17 00:33 -------- d-----w- c:\documents and settings\Rob\Application Data\Free AVI MPEG WMV MP4 FLV Video Joiner

2010-06-16 23:10 . 2010-06-16 23:10 3509272 ----a-w- c:\documents and settings\All Users\Application Data\SpeedBit\DAP\Offers\VA31_DapSo.exe

2010-06-16 21:11 . 2010-06-16 23:11 -------- d-----w- c:\program files\Download Accelerator Plus

2010-06-16 21:11 . 2010-06-16 21:11 -------- d-----w- c:\documents and settings\Rob\Application Data\Toolbar4

2010-06-16 21:11 . 2010-06-16 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedBit

2010-06-16 21:11 . 2010-06-16 21:11 -------- d-----w- c:\program files\SearchPredict

2010-06-16 21:11 . 2010-06-16 21:11 -------- d-----w- c:\program files\SpeedBit Video Downloader

2010-06-14 00:54 . 2010-06-14 00:54 -------- d-----w- c:\program files\StreamTransport

2010-06-13 21:45 . 2010-06-13 21:45 -------- d-----w- c:\documents and settings\Rob\Application Data\Moyea

2010-06-13 19:41 . 2010-06-13 19:41 -------- d-----w- C:\tmpDownload

2010-06-13 19:41 . 2010-06-13 19:41 -------- d-----w- C:\Download

2010-06-13 19:41 . 2010-06-13 19:41 -------- d-----w- c:\documents and settings\Rob\Local Settings\Application Data\PCHealth

2010-06-13 06:32 . 2010-06-14 00:53 -------- d-----w- c:\program files\YouTube Music Downloader

2010-06-13 06:24 . 2010-06-13 22:09 -------- d-----w- c:\program files\Hulu Downloader

2010-06-06 07:53 . 2010-06-06 07:53 -------- d-----w- c:\program files\DVDFab 7

2010-06-04 20:03 . 2010-06-04 20:03 -------- d-----w- c:\program files\Common Files\SourceTec

2010-06-04 20:03 . 2010-06-04 20:03 14699 ----a-w- c:\windows\unins000.dat

2010-06-04 20:03 . 2010-06-04 20:02 695642 ----a-w- c:\windows\unins000.exe

2010-06-04 18:25 . 2010-06-04 18:26 -------- d-----w- c:\program files\SWF Picture Extractor

2010-06-03 23:21 . 2010-06-26 05:39 -------- d-sh--w- c:\windows\Installer

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-26 16:10 . 2009-09-16 03:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-06-23 21:52 . 2004-08-04 10:00 11648 ----a-w- c:\windows\system32\drivers\ACPIEC.sys

2010-06-23 18:43 . 2010-01-21 16:43 -------- d-----w- c:\documents and settings\Rob\Application Data\Waim

2010-06-17 21:44 . 2009-02-15 23:08 -------- d-----w- c:\program files\Vuze

2010-06-17 21:41 . 2009-02-15 23:09 -------- d-----w- c:\documents and settings\Rob\Application Data\Azureus

2010-06-14 06:39 . 2010-04-17 04:21 -------- d-----w- c:\documents and settings\Rob\Application Data\Vso

2010-06-14 06:27 . 2010-04-18 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk

2010-06-13 20:00 . 2010-03-07 02:41 -------- d-----w- c:\program files\Advanced SystemCare 3

2010-06-13 05:24 . 2010-03-19 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink

2010-06-09 20:11 . 2010-03-03 23:47 -------- d-----w- c:\documents and settings\Rob\Application Data\ImgBurn

2010-05-24 16:31 . 2010-05-24 16:31 40633 ----a-w- c:\windows\system32\uxvaloyi.exe

2010-05-24 16:04 . 2010-05-24 16:05 1145856 ----a-w- C:\Winphlash1656.exe

2010-05-19 20:36 . 2008-08-11 12:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-05-12 23:23 . 2008-08-11 23:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-12 18:30 . 2008-10-28 20:07 -------- d-----w- c:\documents and settings\Rob\Application Data\U3

2010-05-12 00:23 . 2010-05-11 23:25 -------- d-----w- c:\program files\CaptureFlash

2010-05-10 06:26 . 2010-04-17 23:47 -------- d-----w- c:\program files\ConvertXtoDVD

2010-05-09 04:22 . 2010-05-09 02:52 -------- d-----w- c:\program files\Spyware Doctor

2010-05-09 03:47 . 2009-12-17 23:06 -------- d-----w- c:\program files\NOS

2010-05-09 03:10 . 2010-05-09 02:52 -------- d-----w- c:\program files\Common Files\PC Tools

2010-05-04 17:20 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2004-08-04 10:00 17408 ------w- c:\windows\system32\corpol.dll

2010-05-02 05:22 . 2004-08-04 10:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-30 22:40 . 2009-12-17 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-04-30 22:36 . 2010-04-30 22:36 1956656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe

2010-04-29 22:39 . 2008-08-11 23:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39 . 2008-08-11 23:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-20 05:30 . 2004-08-04 10:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-19 01:02 . 2010-04-19 01:02 466136 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-04-17 23:47 . 2010-04-17 23:47 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys

2010-04-17 23:47 . 2010-04-17 23:47 47360 ----a-w- c:\documents and settings\Rob\Application Data\pcouffin.sys

2010-04-17 23:47 . 2010-04-17 23:47 47360 ----a-w- c:\documents and settings\Rob\Application Data\pcouffin.sys

2010-04-16 23:25 . 2010-04-16 23:22 90112 ----a-w- c:\windows\system32\videoul.tmp

.

((((((((((((((((((((((((((((( SnapShot_2010-06-22_19.23.28 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-06-27 18:15 . 2010-06-27 18:15 16384 c:\windows\temp\Perflib_Perfdata_11c.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3017FB3E-9A77-4396-88C5-0EC9548FB42F}]

2010-06-16 21:11 2447360 ----a-w- c:\program files\SpeedBit Video Downloader\Toolbar\tbcore3.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{389943B0-C3A2-4E69-82CB-8596A84CB3DC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StacSysTray"="c:\program files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe" [2004-04-29 102400]

"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-05 856064]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

IEEE 802.11g USB Wireless LAN Utility.lnk - c:\program files\Wireless LAN\WLanUtil.exe [2007-11-27 393216]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rob^Start Menu^Programs^Startup^MagicDisc.lnk]

path=c:\documents and settings\Rob\Start Menu\Programs\Startup\MagicDisc.lnk

backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]

2005-04-05 02:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]

2005-09-08 13:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

2007-03-29 22:41 222128 ----a-w- c:\documents and settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]

2003-12-17 17:50 19968 ------w- c:\windows\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]

2009-09-26 07:31 185640 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-09-05 08:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

2009-03-05 23:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2007-11-30 06:12 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wben]

2009-06-25 21:30 338456 ----a-w- c:\program files\Starfield\Desktop Notifier\wben.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=

"c:\\Program Files\\Halo\\halo.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=

"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]

S0 efyosqni;efyosqni; [x]

S2 SigService;Sigmatel Service;c:\program files\SigmaTel\C-Major Audio\ControlPanel\sigservice.exe [11/27/2007 8:49 PM 81920]

S3 klmd23;klmd23;c:\windows\system32\drivers\klmd.sys [6/26/2010 12:11 PM 52432]

S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;c:\windows\system32\drivers\mr97310v.sys [3/30/2004 11:29 AM 118106]

S3 pnicml;pnicml;\??\c:\docume~1\Rob\LOCALS~1\Temp\pnicml.sys --> c:\docume~1\Rob\LOCALS~1\Temp\pnicml.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-06-27 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 23:07]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyServer = http=127.0.0.1:5577

uInternet Settings,ProxyOverride = <local>

IE: &Clean Traces - c:\program files\Download Accelerator Plus\Privacy Package\dapcleanerie.htm

IE: &Download with &DAP - c:\program files\Download Accelerator Plus\dapextie.htm

IE: Download &all with DAP - c:\program files\Download Accelerator Plus\dapextie2.htm

IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

DPF: Web-Based Email Tools - hxxps://email.secureserver.net/Download.CAB

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-klmd23.sys

SafeBoot-klmdb.sys

**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:c0,e0,d6,b4,b9,a1,21,c7,f5,b5,bc,c5,9c,55,e8,60,9d,3f,ce,d0,10,24,71,

30,0a,f7,e7,0c,f5,a5,a1,d0,da,3d,75,c8,97,9d,91,8a,77,88,6e,b4,6a,66,9c,b3,\

"??"=hex:59,52,4d,96,40,27,6e,8f,7c,35,3d,81,cd,0f,89,4c

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\SecuROM\License information*]

"datasecu"=hex:c2,1e,91,d7,9c,ef,c0,ad,7f,a9,be,b9,ef,ec,85,23,86,18,f1,f2,41,

6c,29,51,55,a2,cd,23,74,8d,c0,a9,68,0c,02,cf,15,85,69,26,eb,9d,4f,2c,a3,09,\

"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2992)

c:\windows\system32\WININET.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-06-27 11:27:50

ComboFix-quarantined-files.txt 2010-06-27 18:27

ComboFix2.txt 2010-06-23 04:35

ComboFix3.txt 2010-06-22 19:27

ComboFix4.txt 2010-05-12 22:39

Pre-Run: 13,379,624,960 bytes free

Post-Run: 13,431,271,424 bytes free

- - End Of File - - C3CD00B4EC8324047AA5EC3F8735EF59

MBAM Log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4247

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

6/27/2010 12:32:20 PM

mbam-log-2010-06-27 (12-32-20).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|U:\|)

Objects scanned: 235027

Time elapsed: 50 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 24

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Rob\My Documents\Downloaded Programs\Flash & Media Software\Software to Extract SWF Pics\flashimageexractor.exe (Trojan.Cycler) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\mdshol.dll.vir (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\hrskcdec.dll.vir (Adware.AdShot) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\arttvriu.dll.vir (Adware.Lifze) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\cyuuv.dll.vir (Trojan.BHO) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\gyuuv.dll.vir (Adware.AdShot) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\khtei.exe.vir (Adware.Adshot) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\tyuuv.exe.vir (Adware.Adshot) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\vcxyvcobktfktq.exe.vir (Adware.Adrotator) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E6C92DD5-2293-4E7E-A87E-7776BBF2347F}\RP13\A0003419.dll (Adware.Adrotator) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E6C92DD5-2293-4E7E-A87E-7776BBF2347F}\RP13\A0003427.dll (Adware.AdShot) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E6C92DD5-2293-4E7E-A87E-7776BBF2347F}\RP13\A0003430.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E6C92DD5-2293-4E7E-A87E-7776BBF2347F}\RP13\A0003431.dll (Adware.AdRotator) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E6C92DD5-2293-4E7E-A87E-7776BBF2347F}\RP13\A0003432.dll (Trojan.BHO) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E6C92DD5-2293-4E7E-A87E-7776BBF2347F}\RP13\A0004469.exe (Adware.Adrotator) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E6C92DD5-2293-4E7E-A87E-7776BBF2347F}\RP14\A0006736.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E6C92DD5-2293-4E7E-A87E-7776BBF2347F}\RP14\A0006739.dll (Adware.Lifze) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E6C92DD5-2293-4E7E-A87E-7776BBF2347F}\RP14\A0006740.dll (Trojan.BHO) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E6C92DD5-2293-4E7E-A87E-7776BBF2347F}\RP14\A0006743.dll (Adware.AdShot) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E6C92DD5-2293-4E7E-A87E-7776BBF2347F}\RP14\A0006744.dll (Adware.AdShot) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E6C92DD5-2293-4E7E-A87E-7776BBF2347F}\RP14\A0006751.exe (Adware.Adshot) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E6C92DD5-2293-4E7E-A87E-7776BBF2347F}\RP14\A0006754.exe (Adware.Adrotator) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{E6C92DD5-2293-4E7E-A87E-7776BBF2347F}\RP14\A0006989.exe (Adware.Adshot) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\uxvaloyi.exe (Adware.Lifze) -> Quarantined and deleted successfully.

Thanks... again.


Hello again, let's clean up some leftovers here. Please let me know at this moment what issues you are still having.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>

Driver::
efyosqni

Save this as CFScript.txt, in the same location as ComboFix.exe.

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

INSTALL ANTIVIRUS

---------------------------

I don't see an anti-virus program running on your machine.

Download and install an antivirus program, and make sure that you keep it updated.

New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.

Three good antivirus programs free for non-commercial home use are Avast!, Antivir and Microsoft Security Essentials.

Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

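The CFScript above acts on two things the helper spotted in the ComboFix output: an IE proxy pointed at a listener on the machine itself (127.0.0.1:5577) and a driver entry (efyosqni) whose image file no longer exists. The script below is an added example, not part of the thread or of ComboFix; it reads ComboFix-style log lines and flags those patterns, plus a driver loading from a Temp folder and the Security Center AntiVirusOverride setting, so a reviewer sees the candidates before writing a CFScript. The sample log is constructed from the line shapes in this thread.

```python
"""Triage of ComboFix-style log lines for the indicators acted on above.

Added example (not ComboFix's own code): scans the service (R?/S?),
"uInternet Settings" and Security Center lines ComboFix prints and flags
the patterns a helper looks for before writing a CFScript.
"""
import re
from dataclasses import dataclass

# Constructed sample input in ComboFix's line formats (raw string, so the
# backslashes are literal, as in the real log).
SAMPLE_LOG = r"""
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]
S0 efyosqni;efyosqni; [x]
S3 klmd23;klmd23;c:\windows\system32\drivers\klmd.sys [6/26/2010 12:11 PM 52432]
S3 pnicml;pnicml;\??\c:\docume~1\Rob\LOCALS~1\Temp\pnicml.sys --> c:\docume~1\Rob\LOCALS~1\Temp\pnicml.sys [?]
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
"AntiVirusOverride"=dword:00000001
"""

# "R2 name;display;path [date size]"  or  "S0 name;display; [x]"
SERVICE_RE = re.compile(r'^([RS])(\d)\s+([^;]+);([^;]*);\s*(.*)$')
PROXY_RE = re.compile(r'^uInternet Settings,ProxyServer\s*=\s*(.+)$')
AV_OVERRIDE_RE = re.compile(r'^"AntiVirusOverride"=dword:0*1$')
# Proxy value such as "http=127.0.0.1:5577" or a bare "127.0.0.1:5577".
LOOPBACK_RE = re.compile(r'(?:^|=)(?:127\.0\.0\.1|localhost):(\d+)')
# Service name that is only 6-10 lowercase letters: the shape of the
# auto-generated names in this thread (efyosqni, pnicml). Weak on its own.
RANDOM_NAME_RE = re.compile(r'^[a-z]{6,10}$')


@dataclass(frozen=True)
class Finding:
    kind: str     # machine-readable tag
    subject: str  # service name or setting value
    line: str     # the log line that produced the finding


def triage(log_text: str) -> list[Finding]:
    """Return the suspicious indicators found in ComboFix-style log text."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, display, rest = m.group(3).strip(), m.group(4).strip(), m.group(5)
            if rest.startswith('[x]'):
                # Registered driver/service whose image file is gone: the
                # leftover that the CFScript's Driver:: section removes.
                findings.append(Finding('service-no-image', name, line))
            elif '\\temp\\' in rest.lower():
                # Drivers are not normally loaded from a user's Temp folder.
                findings.append(Finding('service-in-temp', name, line))
            if name == display and RANDOM_NAME_RE.match(name):
                # No vendor description and a random-looking name.
                findings.append(Finding('service-random-name', name, line))
            continue
        m = PROXY_RE.match(line)
        if m:
            value = m.group(1).strip()
            if LOOPBACK_RE.search(value):
                # IE sends all traffic through a listener on this machine,
                # so a local process relays (and can alter) every request.
                findings.append(Finding('proxy-loopback', value, line))
            continue
        if AV_OVERRIDE_RE.match(line):
            # Security Center told not to warn about the missing antivirus.
            findings.append(Finding('securitycenter-av-override', 'AntiVirusOverride=1', line))
    return findings


def cfscript_candidates(findings: list[Finding]) -> dict[str, list[str]]:
    """Group findings into the CFScript sections a helper would review:
    DDS:: gets the offending setting lines, Driver:: the orphaned names."""
    sections: dict[str, list[str]] = {'DDS::': [], 'Driver::': []}
    for f in findings:
        if f.kind == 'proxy-loopback':
            sections['DDS::'].append(f.line)
        elif f.kind == 'service-no-image':
            sections['Driver::'].append(f.subject)
    return sections


if __name__ == '__main__':
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f'{f.kind:28} {f.subject}')
    for section, entries in cfscript_candidates(found).items():
        print(section)
        print('\n'.join(entries) or '(nothing)')
```

The Temp-folder and random-name hits are reported for a human to judge; only the orphaned entry and the loopback proxy are placed in the CFScript sections, matching what the helper chose to remove.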

Hi, Elise.

I do not seem to have any issues at this point. I ran MBAM one final time, and no infected files were found. Thank you very much for your help and your patience.

I will load Avira Antivirus as I had planned to just before this happened. I will also get the PRO version of MBAM. As for JAVA, what do you suggest? Should I just install the latest update version you had me download? As a side note, is it correct that I could not have done a sys restore as this virus would have still infected my registry or elsewhere?

Here is the latest ComboFix Log:

ComboFix 10-06-27.03 - Rob 06/27/2010 19:52:02.7.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.529 [GMT -7:00]

Running from: c:\documents and settings\Rob\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Rob\Desktop\CFScript.txt

FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

G:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_EFYOSQNI

-------\Service_efyosqni

((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-28 )))))))))))))))))))))))))))))))

.

2010-06-27 19:46 . 2010-06-16 21:11 62464 ----a-w- c:\documents and settings\Rob\Application Data\Toolbar4\{0329E7D6-6F54-462D-93F6-F5C3118BADF2}\update.exe

2010-06-27 19:46 . 2010-06-16 21:11 48128 ----a-w- c:\documents and settings\Rob\Application Data\Toolbar4\{0329E7D6-6F54-462D-93F6-F5C3118BADF2}\uninstall.exe

2010-06-26 19:11 . 2010-06-26 19:11 52432 ----a-w- c:\windows\system32\drivers\klmd.sys

2010-06-26 18:49 . 2010-06-26 20:21 -------- d-----w- c:\documents and settings\Rob\Local Settings\Application Data\bvftnpqgj

2010-06-22 01:57 . 2010-06-22 01:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-06-19 04:17 . 2010-06-22 01:57 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-19 03:12 . 2010-06-21 07:29 0 ----a-w- c:\windows\Rxesalifipulukel.bin

2010-06-19 03:12 . 2010-06-22 02:39 120 ----a-w- c:\windows\Jqoqokezezocohof.dat

2010-06-19 03:10 . 2010-06-19 05:12 -------- d-----w- c:\documents and settings\Rob\Local Settings\Application Data\ibyavpydp

2010-06-17 01:01 . 2010-06-17 01:01 95744 ----a-w- c:\documents and settings\All Users\Application Data\SpeedBit\DAP\SDCondition.dll

2010-06-17 00:33 . 2010-06-17 00:33 -------- d-----w- c:\documents and settings\Rob\Application Data\Free AVI MPEG WMV MP4 FLV Video Joiner

2010-06-16 23:10 . 2010-06-16 23:10 3509272 ----a-w- c:\documents and settings\All Users\Application Data\SpeedBit\DAP\Offers\VA31_DapSo.exe

2010-06-16 21:11 . 2010-06-16 23:11 -------- d-----w- c:\program files\Download Accelerator Plus

2010-06-16 21:11 . 2010-06-16 21:11 -------- d-----w- c:\documents and settings\Rob\Application Data\Toolbar4

2010-06-16 21:11 . 2010-06-16 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedBit

2010-06-16 21:11 . 2010-06-16 21:11 -------- d-----w- c:\program files\SearchPredict

2010-06-16 21:11 . 2010-06-16 21:11 -------- d-----w- c:\program files\SpeedBit Video Downloader

2010-06-14 00:54 . 2010-06-14 00:54 -------- d-----w- c:\program files\StreamTransport

2010-06-13 21:45 . 2010-06-13 21:45 -------- d-----w- c:\documents and settings\Rob\Application Data\Moyea

2010-06-13 19:41 . 2010-06-13 19:41 -------- d-----w- C:\tmpDownload

2010-06-13 19:41 . 2010-06-13 19:41 -------- d-----w- C:\Download

2010-06-13 19:41 . 2010-06-13 19:41 -------- d-----w- c:\documents and settings\Rob\Local Settings\Application Data\PCHealth

2010-06-13 06:32 . 2010-06-14 00:53 -------- d-----w- c:\program files\YouTube Music Downloader

2010-06-13 06:24 . 2010-06-13 22:09 -------- d-----w- c:\program files\Hulu Downloader

2010-06-06 07:53 . 2010-06-06 07:53 -------- d-----w- c:\program files\DVDFab 7

2010-06-04 20:03 . 2010-06-04 20:03 -------- d-----w- c:\program files\Common Files\SourceTec

2010-06-04 20:03 . 2010-06-04 20:03 14699 ----a-w- c:\windows\unins000.dat

2010-06-04 20:03 . 2010-06-04 20:02 695642 ----a-w- c:\windows\unins000.exe

2010-06-04 18:25 . 2010-06-04 18:26 -------- d-----w- c:\program files\SWF Picture Extractor

2010-06-03 23:21 . 2010-06-26 05:39 -------- d-sh--w- c:\windows\Installer

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-28 02:20 . 2010-04-17 04:21 -------- d-----w- c:\documents and settings\Rob\Application Data\Vso

2010-06-28 00:28 . 2009-09-16 03:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-06-23 21:52 . 2004-08-04 10:00 11648 ----a-w- c:\windows\system32\drivers\ACPIEC.sys

2010-06-23 18:43 . 2010-01-21 16:43 -------- d-----w- c:\documents and settings\Rob\Application Data\Waim

2010-06-17 21:44 . 2009-02-15 23:08 -------- d-----w- c:\program files\Vuze

2010-06-17 21:41 . 2009-02-15 23:09 -------- d-----w- c:\documents and settings\Rob\Application Data\Azureus

2010-06-14 06:27 . 2010-04-18 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk

2010-06-13 20:00 . 2010-03-07 02:41 -------- d-----w- c:\program files\Advanced SystemCare 3

2010-06-13 05:24 . 2010-03-19 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink

2010-06-09 20:11 . 2010-03-03 23:47 -------- d-----w- c:\documents and settings\Rob\Application Data\ImgBurn

2010-05-24 16:04 . 2010-05-24 16:05 1145856 ----a-w- C:\Winphlash1656.exe

2010-05-19 20:36 . 2008-08-11 12:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-05-12 23:23 . 2008-08-11 23:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-12 18:30 . 2008-10-28 20:07 -------- d-----w- c:\documents and settings\Rob\Application Data\U3

2010-05-12 00:23 . 2010-05-11 23:25 -------- d-----w- c:\program files\CaptureFlash

2010-05-10 06:26 . 2010-04-17 23:47 -------- d-----w- c:\program files\ConvertXtoDVD

2010-05-09 04:22 . 2010-05-09 02:52 -------- d-----w- c:\program files\Spyware Doctor

2010-05-09 03:47 . 2009-12-17 23:06 -------- d-----w- c:\program files\NOS

2010-05-09 03:10 . 2010-05-09 02:52 -------- d-----w- c:\program files\Common Files\PC Tools

2010-05-04 17:20 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2004-08-04 10:00 17408 ------w- c:\windows\system32\corpol.dll

2010-05-02 05:22 . 2004-08-04 10:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-30 22:40 . 2009-12-17 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-04-30 22:36 . 2010-04-30 22:36 1956656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe

2010-04-29 22:39 . 2008-08-11 23:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39 . 2008-08-11 23:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-20 05:30 . 2004-08-04 10:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-19 01:02 . 2010-04-19 01:02 466136 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-04-17 23:47 . 2010-04-17 23:47 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys

2010-04-17 23:47 . 2010-04-17 23:47 47360 ----a-w- c:\documents and settings\Rob\Application Data\pcouffin.sys

2010-04-17 23:47 . 2010-04-17 23:47 47360 ----a-w- c:\documents and settings\Rob\Application Data\pcouffin.sys

2010-04-16 23:25 . 2010-04-16 23:22 90112 ----a-w- c:\windows\system32\videoul.tmp

.

((((((((((((((((((((((((((((( SnapShot_2010-06-22_19.23.28 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-06-28 02:58 . 2010-06-28 02:58 16384 c:\windows\temp\Perflib_Perfdata_348.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3017FB3E-9A77-4396-88C5-0EC9548FB42F}]

2010-06-16 21:11 2447360 ----a-w- c:\program files\SpeedBit Video Downloader\Toolbar\tbcore3.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{389943B0-C3A2-4E69-82CB-8596A84CB3DC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StacSysTray"="c:\program files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe" [2004-04-29 102400]

"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-05 856064]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

IEEE 802.11g USB Wireless LAN Utility.lnk - c:\program files\Wireless LAN\WLanUtil.exe [2007-11-27 393216]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rob^Start Menu^Programs^Startup^MagicDisc.lnk]

path=c:\documents and settings\Rob\Start Menu\Programs\Startup\MagicDisc.lnk

backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]

2005-04-05 02:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]

2005-09-08 13:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

2007-03-29 22:41 222128 ----a-w- c:\documents and settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]

2003-12-17 17:50 19968 ------w- c:\windows\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]

2009-09-26 07:31 185640 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-09-05 08:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

2009-03-05 23:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2007-11-30 06:12 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wben]

2009-06-25 21:30 338456 ----a-w- c:\program files\Starfield\Desktop Notifier\wben.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=

"c:\\Program Files\\Halo\\halo.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=

"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]

R2 SigService;Sigmatel Service;c:\program files\SigmaTel\C-Major Audio\ControlPanel\sigservice.exe [11/27/2007 8:49 PM 81920]

S3 klmd23;klmd23;c:\windows\system32\drivers\klmd.sys [6/26/2010 12:11 PM 52432]

S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;c:\windows\system32\drivers\mr97310v.sys [3/30/2004 11:29 AM 118106]

S3 pnicml;pnicml;\??\c:\docume~1\Rob\LOCALS~1\Temp\pnicml.sys --> c:\docume~1\Rob\LOCALS~1\Temp\pnicml.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-06-28 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 23:07]

.

.

------- Supplementary Scan -------

.

IE: &Clean Traces - c:\program files\Download Accelerator Plus\Privacy Package\dapcleanerie.htm

IE: &Download with &DAP - c:\program files\Download Accelerator Plus\dapextie.htm

IE: Download &all with DAP - c:\program files\Download Accelerator Plus\dapextie2.htm

IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

DPF: Web-Based Email Tools - hxxps://email.secureserver.net/Download.CAB

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-27 19:59

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:c0,e0,d6,b4,b9,a1,21,c7,f5,b5,bc,c5,9c,55,e8,60,9d,3f,ce,d0,10,24,71,

30,0a,f7,e7,0c,f5,a5,a1,d0,da,3d,75,c8,97,9d,91,8a,77,88,6e,b4,6a,66,9c,b3,\

"??"=hex:59,52,4d,96,40,27,6e,8f,7c,35,3d,81,cd,0f,89,4c

[HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\SecuROM\License information*]

"datasecu"=hex:c2,1e,91,d7,9c,ef,c0,ad,7f,a9,be,b9,ef,ec,85,23,86,18,f1,f2,41,

6c,29,51,55,a2,cd,23,74,8d,c0,a9,68,0c,02,cf,15,85,69,26,eb,9d,4f,2c,a3,09,\

"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(576)

c:\windows\system32\WININET.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\SigmaTel\C-MAJO~1\CONTRO~1\stacsrv.exe

c:\program files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe

.

**************************************************************************

.

Completion time: 2010-06-27 20:03:06 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-28 03:03

ComboFix2.txt 2010-06-23 04:35

ComboFix3.txt 2010-06-22 19:27

ComboFix4.txt 2010-05-12 22:39

Pre-Run: 13,387,636,736 bytes free

Post-Run: 13,293,277,184 bytes free

- - End Of File - - A9822BF41E4B4C81CBE0DDB226B2F8EB

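Two things in the ComboFix log above deserve a closer look on any rogue-AV cleanup: the Security Center values ("AntiVirusOverride"=1 under the security center key, "DisableMonitoring"=1 under Monitoring\ZoneLabsFirewall), and the pnicml service, whose driver path points into the user's Temp folder and which ComboFix marks with [?] because the file is no longer on disk. The script below is an added example, not code from this thread or from ComboFix. It parses those two line formats from a constructed excerpt copied from the log above and prints the findings. The Temp-path and missing-file rules are my own heuristics, and DisableMonitoring under Monitoring\<product> is legitimately set by some third-party firewalls, so it is reported for review rather than flagged as malicious.

```python
"""Triage helper for a ComboFix log excerpt. Added example; not code from
the thread or from ComboFix. The excerpt below is a constructed subset of
the log in the thread; the Temp-path and missing-file rules are heuristics."""
import re

# Constructed excerpt: the Security Center keys and three service lines
# from the ComboFix log in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
R2 SigService;Sigmatel Service;c:\program files\SigmaTel\C-Major Audio\ControlPanel\sigservice.exe [11/27/2007 8:49 PM 81920]
S3 klmd23;klmd23;c:\windows\system32\drivers\klmd.sys [6/26/2010 12:11 PM 52432]
S3 pnicml;pnicml;\??\c:\docume~1\Rob\LOCALS~1\Temp\pnicml.sys --> c:\docume~1\Rob\LOCALS~1\Temp\pnicml.sys [?]
"""

# "R2 name;display;image [date size]" or "... --> image [?]" when the file is gone
_SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*(\[[^\]]*\])$")
_KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
_TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# XP Security Center values that silence its "not protected" alerts
OVERRIDE_VALUES = {"antivirusoverride", "firewalloverride",
                   "antivirusdisablenotify", "firewalldisablenotify",
                   "updatesdisablenotify"}


def parse_combofix(text):
    """Return (services, values): a list of service dicts and {(key, name): int}."""
    services, values, current_key = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = _DWORD_RE.match(line)
        if m and current_key:
            values[(current_key, m.group(1))] = int(m.group(2), 16)
            continue
        m = _SERVICE_RE.match(line)
        if m:
            start, name, display, path, tail = m.groups()
            services.append({
                "start": start, "name": name, "display": display,
                "image": path.split(" --> ")[-1],   # resolved path after the arrow
                "missing": tail == "[?]",           # ComboFix found no file on disk
            })
    return services, values


def suspicious_services(services):
    """Services whose driver/binary lives in a Temp folder or is missing (heuristic)."""
    out = []
    for s in services:
        reasons = []
        if _TEMP_RE.search(s["image"]):
            reasons.append("image path is under a Temp directory")
        if s["missing"]:
            reasons.append("image file not found on disk")
        if reasons:
            out.append((s["name"], s["image"], reasons))
    return out


def security_center_overrides(values):
    """Security Center settings that hide missing-protection warnings."""
    out = []
    for (key, name), val in values.items():
        k = key.lower()
        if k.endswith("\\security center") and name.lower() in OVERRIDE_VALUES and val != 0:
            out.append(f"{name}={val}: Security Center alert suppressed, reset to 0 once real protection is installed")
        elif "\\security center\\monitoring\\" in k and name.lower() == "disablemonitoring" and val == 1:
            product = key.rsplit("\\", 1)[-1]
            out.append(f"DisableMonitoring=1 for {product}: normal for a third-party product that reports its own state, confirm it is installed and running")
    return out


def triage(text):
    """All findings for one log excerpt, as printable strings."""
    services, values = parse_combofix(text)
    findings = security_center_overrides(values)
    for name, image, reasons in suspicious_services(services):
        findings.append(f"service {name} -> {image}: " + "; ".join(reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the excerpt it reports three items: the AntiVirusOverride value, the ZoneLabs monitoring switch, and the pnicml service with both reasons. klmd.sys is left alone because nothing about its path or presence trips a rule; whether a driver in system32\drivers is legitimate is a separate question the script does not try to answer.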

Hello again,

As for JAVA, what do you suggest? Should I just install the latest update version you had me download? As a side note, is it correct that I could not have done a sys restore as this virus would have still infected my registry or elsewhere?
Yes, please install Java 6 update 20.

System Restore is not to be used to get rid of malware. Often traces are still there, or the malware has corrupted System Restore altogether. Once you are clean, we will reset System Restore, so you can be sure it's fine to use in case you need it.

Please install Avira ASAP; you are unprotected right now. Once it is installed, run a full scan and let me know what was found.


I have done the following:

- installed Avira Antivir = successful

- ran scan = had 9 detections

- installed Java 6 Update 20 = successful, but still couldn't remove older versions

- tried to install Windows updates (.net framework) = not successful - don't know why

Here is the Avira report:

Avira AntiVir Personal

Report file date: Monday, June 28, 2010 23:48

Scanning for 2276624 virus strains and unwanted programs.

The program is running as an unrestricted full version.

Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : ROB-CCA219EB460

Version information:

BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00

AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 20:37:38

AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 20:57:04

LUKE.DLL : 10.0.2.3 104296 Bytes 3/8/2010 02:33:04

LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 07:40:49

VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 17:05:36

VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 03:27:49

VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 01:37:42

VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 00:37:42

VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 19:29:03

VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 04:11:01

VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 04:11:27

VBASE007.VDF : 7.10.7.219 2048 Bytes 6/2/2010 04:11:27

VBASE008.VDF : 7.10.7.220 2048 Bytes 6/2/2010 04:11:28

VBASE009.VDF : 7.10.7.221 2048 Bytes 6/2/2010 04:11:28

VBASE010.VDF : 7.10.7.222 2048 Bytes 6/2/2010 04:11:28

VBASE011.VDF : 7.10.7.223 2048 Bytes 6/2/2010 04:11:28

VBASE012.VDF : 7.10.7.224 2048 Bytes 6/2/2010 04:11:28

VBASE013.VDF : 7.10.8.37 270336 Bytes 6/10/2010 04:11:32

VBASE014.VDF : 7.10.8.69 138752 Bytes 6/14/2010 04:11:33

VBASE015.VDF : 7.10.8.102 130560 Bytes 6/16/2010 04:11:35

VBASE016.VDF : 7.10.8.135 152064 Bytes 6/21/2010 04:11:37

VBASE017.VDF : 7.10.8.163 432128 Bytes 6/23/2010 04:11:42

VBASE018.VDF : 7.10.8.194 133632 Bytes 6/27/2010 06:47:07

VBASE019.VDF : 7.10.8.195 2048 Bytes 6/27/2010 06:47:07

VBASE020.VDF : 7.10.8.196 2048 Bytes 6/27/2010 06:47:07

VBASE021.VDF : 7.10.8.197 2048 Bytes 6/27/2010 06:47:08

VBASE022.VDF : 7.10.8.198 2048 Bytes 6/27/2010 06:47:08

VBASE023.VDF : 7.10.8.199 2048 Bytes 6/27/2010 06:47:08

VBASE024.VDF : 7.10.8.200 2048 Bytes 6/27/2010 06:47:08

VBASE025.VDF : 7.10.8.201 2048 Bytes 6/27/2010 06:47:08

VBASE026.VDF : 7.10.8.202 2048 Bytes 6/27/2010 06:47:09

VBASE027.VDF : 7.10.8.203 2048 Bytes 6/27/2010 06:47:09

VBASE028.VDF : 7.10.8.204 2048 Bytes 6/27/2010 06:47:09

VBASE029.VDF : 7.10.8.205 2048 Bytes 6/27/2010 06:47:09

VBASE030.VDF : 7.10.8.206 2048 Bytes 6/27/2010 06:47:10

VBASE031.VDF : 7.10.8.211 75776 Bytes 6/28/2010 06:47:10

Engineversion : 8.2.4.2

AEVDF.DLL : 8.1.2.0 106868 Bytes 6/28/2010 04:12:22

AESCRIPT.DLL : 8.1.3.33 1356155 Bytes 6/28/2010 04:12:22

AESCN.DLL : 8.1.6.1 127347 Bytes 6/28/2010 04:12:17

AESBX.DLL : 8.1.3.1 254324 Bytes 6/28/2010 04:12:23

AERDL.DLL : 8.1.4.6 541043 Bytes 6/28/2010 04:12:16

AEPACK.DLL : 8.2.2.5 430453 Bytes 6/28/2010 04:12:13

AEOFFICE.DLL : 8.1.1.0 201081 Bytes 6/28/2010 04:12:10

AEHEUR.DLL : 8.1.1.38 2724214 Bytes 6/28/2010 04:12:09

AEHELP.DLL : 8.1.11.6 242038 Bytes 6/28/2010 04:11:56

AEGEN.DLL : 8.1.3.12 377204 Bytes 6/28/2010 04:11:54

AEEMU.DLL : 8.1.2.0 393588 Bytes 6/28/2010 04:11:52

AECORE.DLL : 8.1.15.3 192886 Bytes 6/28/2010 04:11:51

AEBB.DLL : 8.1.1.0 53618 Bytes 6/28/2010 04:11:49

AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 20:03:38

AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 20:03:35

AVREP.DLL : 10.0.0.8 62209 Bytes 2/19/2010 00:47:40

AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 20:35:46

AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 20:39:51

AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 20:22:13

AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 17:53:30

SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 20:57:58

AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 23:38:56

NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 22:41:00

RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 21:10:20

RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 22:14:29

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:,

Process scan........................: on

Extended process scan...............: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: Monday, June 28, 2010 23:48

Starting search for hidden objects.

c:\windows\repair\backup\servicestate\configdirectory\default.bak

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\configdirectory\default.tmp.log

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\configdirectory\internet.evt

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\configdirectory\sam.bak

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\configdirectory\sam.tmp.log

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\configdirectory\security.bak

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\configdirectory\security.tmp.log

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\configdirectory\software.bak

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\configdirectory\software.tmp.log

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\configdirectory\system.bak

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\configdirectory\system.tmp.log

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\configdirectory\userdiff

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\configdirectory\userdiff.log

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\eventlogs\appevent.evt

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\eventlogs\encina.evt

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\eventlogs\secevent.evt

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\eventlogs\sysevent.evt

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\removablestoragemanager\ntmsdata

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\removablestoragemanager\ntmsreg

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\configdirectory

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The directory is not visible.

c:\windows\repair\backup\servicestate\eventlogs

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The directory is not visible.

c:\windows\repair\backup\servicestate\removablestoragemanager

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The directory is not visible.

HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\SecuROM\License information\datasecu

[NOTE] The registry entry is invisible.

HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\SecuROM\License information\rkeysecu

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc\Config\Standalone\drivelist

[NOTE] The registry entry is invisible.

The scan of running processes will be started

Scan process 'rsmsink.exe' - '29' Module(s) have been scanned

Scan process 'dllhost.exe' - '45' Module(s) have been scanned

Scan process 'avscan.exe' - '67' Module(s) have been scanned

Scan process 'vssvc.exe' - '48' Module(s) have been scanned

Scan process 'IEXPLORE.EXE' - '118' Module(s) have been scanned

Scan process 'dllhost.exe' - '50' Module(s) have been scanned

Scan process 'avcenter.exe' - '61' Module(s) have been scanned

Scan process 'IEXPLORE.EXE' - '122' Module(s) have been scanned

Scan process 'IEXPLORE.EXE' - '129' Module(s) have been scanned

Scan process 'mshta.exe' - '62' Module(s) have been scanned

Scan process 'wuauclt.exe' - '36' Module(s) have been scanned

Scan process 'IEXPLORE.EXE' - '118' Module(s) have been scanned

Scan process 'freecell.exe' - '25' Module(s) have been scanned

Scan process 'alg.exe' - '33' Module(s) have been scanned

Scan process 'mysqld-nt.exe' - '20' Module(s) have been scanned

Scan process 'svchost.exe' - '39' Module(s) have been scanned

Scan process 'jqs.exe' - '33' Module(s) have been scanned

Scan process 'avshadow.exe' - '26' Module(s) have been scanned

Scan process 'FreeAgentService.exe' - '38' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '29' Module(s) have been scanned

Scan process 'WLanUtil.exe' - '35' Module(s) have been scanned

Scan process 'avguard.exe' - '54' Module(s) have been scanned

Scan process 'VersionCueCS2.exe' - '64' Module(s) have been scanned

Scan process 'ctfmon.exe' - '25' Module(s) have been scanned

Scan process 'stacsrv.exe' - '33' Module(s) have been scanned

Scan process 'avgnt.exe' - '51' Module(s) have been scanned

Scan process 'VersionCueCS2Tray.exe' - '20' Module(s) have been scanned

Scan process 'StacSysTray.exe' - '29' Module(s) have been scanned

Scan process 'Explorer.EXE' - '145' Module(s) have been scanned

Scan process 'Ati2evxx.exe' - '20' Module(s) have been scanned

Scan process 'svchost.exe' - '33' Module(s) have been scanned

Scan process 'sched.exe' - '45' Module(s) have been scanned

Scan process 'sigservice.exe' - '21' Module(s) have been scanned

Scan process 'spoolsv.exe' - '62' Module(s) have been scanned

Scan process 'svchost.exe' - '37' Module(s) have been scanned

Scan process 'svchost.exe' - '30' Module(s) have been scanned

Scan process 'svchost.exe' - '174' Module(s) have been scanned

Scan process 'svchost.exe' - '38' Module(s) have been scanned

Scan process 'svchost.exe' - '53' Module(s) have been scanned

Scan process 'Ati2evxx.exe' - '15' Module(s) have been scanned

Scan process 'lsass.exe' - '58' Module(s) have been scanned

Scan process 'services.exe' - '36' Module(s) have been scanned

Scan process 'winlogon.exe' - '80' Module(s) have been scanned

Scan process 'csrss.exe' - '14' Module(s) have been scanned

Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '1802' files ).

Starting the file scan:

Begin scan in 'C:\' <New Volume>

C:\Documents and Settings\Rob\My Documents\Downloaded Programs\Flash & Media Software\Software to Capture Flash\Capture Flash\Capture Flash.zip

[0] Archive type: ZIP

[DETECTION] Is the TR/Dropper.Gen Trojan

--> Capture Flash/captureflash.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

C:\Program Files\7-Zip\Uninstall.exe

[WARNING] Insufficient memory. The file was not scanned.

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ACPIEC.sys.vir

[DETECTION] Is the TR/Patched.Gen Trojan

C:\SDFix\backups_old\backups.zip

[0] Archive type: ZIP

[DETECTION] Contains recognition pattern of the DR/Zlob.Gen dropper

--> backups/lphcjdqj0eg3l.exe

[DETECTION] Contains recognition pattern of the DR/Zlob.Gen dropper

--> backups/MultiLoader.dll

[DETECTION] Contains recognition pattern of the PHISH/FraudTool.Agent.AU phishing file/email

C:\System Volume Information\_restore{E6C92DD5-2293-4E7E-A87E-7776BBF2347F}\RP14\A0006683.sys

[DETECTION] Is the TR/Patched.Gen Trojan

C:\System Volume Information\_restore{E6C92DD5-2293-4E7E-A87E-7776BBF2347F}\RP14\A0006944.sys

[DETECTION] Is the TR/Patched.Gen Trojan

C:\System Volume Information\_restore{E6C92DD5-2293-4E7E-A87E-7776BBF2347F}\RP14\A0007176.sys

[DETECTION] Is the TR/Patched.Gen Trojan

C:\System Volume Information\_restore{E6C92DD5-2293-4E7E-A87E-7776BBF2347F}\RP14\A0007333.sys

[DETECTION] Is the TR/Patched.Gen Trojan

C:\System Volume Information\_restore{E6C92DD5-2293-4E7E-A87E-7776BBF2347F}\RP16\A0008597.exe

[DETECTION] Is the TR/Agent.ked Trojan

Beginning disinfection:

C:\System Volume Information\_restore{E6C92DD5-2293-4E7E-A87E-7776BBF2347F}\RP16\A0008597.exe

[DETECTION] Is the TR/Agent.ked Trojan

[NOTE] The file was moved to the quarantine directory under the name '4aee9876.qua'.

C:\System Volume Information\_restore{E6C92DD5-2293-4E7E-A87E-7776BBF2347F}\RP14\A0007333.sys

[DETECTION] Is the TR/Patched.Gen Trojan

[NOTE] The file was moved to the quarantine directory under the name '5279b7d1.qua'.

C:\System Volume Information\_restore{E6C92DD5-2293-4E7E-A87E-7776BBF2347F}\RP14\A0007176.sys

[DETECTION] Is the TR/Patched.Gen Trojan

[NOTE] The file was moved to the quarantine directory under the name '0026ed39.qua'.

C:\System Volume Information\_restore{E6C92DD5-2293-4E7E-A87E-7776BBF2347F}\RP14\A0006944.sys

[DETECTION] Is the TR/Patched.Gen Trojan

[NOTE] The file was moved to the quarantine directory under the name '6611a2fb.qua'.

C:\System Volume Information\_restore{E6C92DD5-2293-4E7E-A87E-7776BBF2347F}\RP14\A0006683.sys

[DETECTION] Is the TR/Patched.Gen Trojan

[WARNING] The file could not be copied to quarantine!

[WARNING] The file does not exist!

[NOTE] The file is scheduled for deleting after reboot.

C:\SDFix\backups_old\backups.zip

[DETECTION] Contains recognition pattern of the PHISH/FraudTool.Agent.AU phishing file/email

[NOTE] The file was moved to the quarantine directory under the name '5c59bc65.qua'.

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ACPIEC.sys.vir

[DETECTION] Is the TR/Patched.Gen Trojan

[NOTE] The file was moved to the quarantine directory under the name '1016900d.qua'.

C:\Documents and Settings\Rob\My Documents\Downloaded Programs\Flash & Media Software\Software to Capture Flash\Capture Flash\Capture Flash.zip

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to the quarantine directory under the name '6ceed07f.qua'.

The repair notes were written to the file 'C:\avrescue\rescue.avp'.

End of the scan: Tuesday, June 29, 2010 11:35

Used time: 1:47:08 Hour(s)

The scan has been done completely.

15037 Scanned directories

588139 Files were scanned

9 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

7 Files were moved to quarantine

0 Files were renamed

0 Files cannot be scanned

588130 Files not concerned

4917 Archives were scanned

2 Warnings

8 Notes

635363 Objects were scanned with rootkit scan

25 Hidden objects were found

Thanks, Elise.

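The Avira report above illustrates the point made earlier about System Restore: of the nine hits, five sit in C:\System Volume Information\_restore{...} (restore-point copies), one in C:\Qoobox\Quarantine (ComboFix's own quarantine, the .vir suffix) and one in C:\SDFix\backups_old (SDFix's backup archive). Those are already-neutralised copies, not active infections; only the download archive under the user's profile is a file the user could still run. The script below is an added example, not code from this thread or from Avira. It parses the "Beginning disinfection:" line format shown in the report and sorts each hit by location so that leftovers and live files are listed apart. The sample report is constructed to follow that format; its last entry, a driver under \WINDOWS that could not be quarantined, is hypothetical and is there only to show the live-system bucket.

```python
"""Triage of an Avira AntiVir report. Added example, not code from the
thread or from Avira. The sample report below is constructed to follow the
line format shown in the thread; the last entry (a live driver that could not
be quarantined) is hypothetical and added to show the 'system' bucket."""
import re
from dataclasses import dataclass, field

# Constructed sample: path line, then [DETECTION]/[NOTE]/[WARNING] lines.
SAMPLE_REPORT = r"""
Beginning disinfection:
C:\System Volume Information\_restore{E6C92DD5-2293-4E7E-A87E-7776BBF2347F}\RP16\A0008597.exe
[DETECTION] Is the TR/Agent.ked Trojan
[NOTE] The file was moved to the quarantine directory under the name '4aee9876.qua'.
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ACPIEC.sys.vir
[DETECTION] Is the TR/Patched.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '1016900d.qua'.
C:\SDFix\backups_old\backups.zip
[DETECTION] Contains recognition pattern of the PHISH/FraudTool.Agent.AU phishing file/email
[NOTE] The file was moved to the quarantine directory under the name '5c59bc65.qua'.
C:\Documents and Settings\Rob\My Documents\Downloaded Programs\Capture Flash.zip
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '6ceed07f.qua'.
C:\WINDOWS\system32\drivers\example.sys
[DETECTION] Is the TR/Patched.Gen Trojan
[WARNING] The file could not be copied to quarantine!
"""

# Locations that hold copies already pulled out of the live system. A hit here
# is a leftover to clean up, not an active infection.
LEFTOVER_CATEGORIES = {"restore-point", "combofix-quarantine", "sdfix-backup"}

_PATH_RE = re.compile(r"^[A-Za-z]:\\")
_NAME_RE = re.compile(r"\b([A-Z]+/[A-Za-z0-9.\-]+)")   # TR/Agent.ked, PHISH/FraudTool.Agent.AU
_QUA_RE = re.compile(r"under the name '([^']+)'")


@dataclass
class Detection:
    path: str
    category: str
    name: str = ""
    quarantine_file: str = ""
    warnings: list = field(default_factory=list)

    @property
    def quarantined(self) -> bool:
        return bool(self.quarantine_file)


def classify_path(path: str) -> str:
    """Bucket a hit by where the file sits. Order matters: other tools'
    quarantine folders can contain \\WINDOWS\\ in the path, so test them first."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point"          # System Restore snapshot copy
    if "\\qoobox\\quarantine\\" in p:
        return "combofix-quarantine"    # ComboFix's quarantine (.vir files)
    if "\\sdfix\\backups" in p:
        return "sdfix-backup"           # SDFix's backup archive
    if p.startswith(("c:\\documents and settings\\", "c:\\users\\")):
        return "user-profile"
    if "\\windows\\" in p:
        return "system"
    return "other"


def parse_report(text: str) -> list:
    """A drive-letter path opens a record; the following tagged lines fill it."""
    detections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if _PATH_RE.match(line):
            current = Detection(path=line, category=classify_path(line))
            detections.append(current)
        elif current is None:
            continue
        elif line.startswith("[DETECTION]"):
            m = _NAME_RE.search(line)
            current.name = m.group(1) if m else line[len("[DETECTION]"):].strip()
        elif line.startswith("[NOTE]"):
            m = _QUA_RE.search(line)
            if m:
                current.quarantine_file = m.group(1)
        elif line.startswith("[WARNING]"):
            current.warnings.append(line[len("[WARNING]"):].strip())
    return detections


def summarize(detections) -> dict:
    """Hit count per location bucket."""
    counts = {}
    for d in detections:
        counts[d.category] = counts.get(d.category, 0) + 1
    return counts


def live_threats(detections) -> list:
    """Hits outside restore points and other tools' quarantines."""
    return [d for d in detections if d.category not in LEFTOVER_CATEGORIES]


if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    print("by location:", summarize(dets))
    for d in live_threats(dets):
        state = "quarantined" if d.quarantined else "NOT quarantined: " + "; ".join(d.warnings)
        print(f"live  {d.name:26} {d.path}  [{state}]")
```

On the sample this leaves two live entries: the downloaded archive (quarantined) and the hypothetical driver (not quarantined, with its warning attached). The real fix for the leftover bucket is the one the helper already planned: flush and reset System Restore once the machine is clean, and remove the old tools' quarantine folders, rather than chasing those hits one by one.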

When attempting to do the regular Windows updates (.net framework), I get the following error:

"Some updates could not be installed."

Could this also be because of the cloned drive?

I was hit with the Antispyware Soft Virus (looks just like the AV Sec Ste Virus) about a month ago. At that time, I took my laptop to a computer repair place as I did not want to wait for a response from the forum on Hijack This. They cleaned everything out using a rootkit and everything seemed to be fine. The day I had them increase my RAM, my BIOS stopped recognizing my hard drive and my computer failed to boot. They ended up replacing my motherboard and installed a new hard drive. That is why I now have a cloned drive.


Hi, Elise.

Here is the last part of the log for 6-30-10. I am also including the Avira full scan results from today. It still found 4 viruses.

Windows Update Log:

2010-06-30 15:59:42:203 1416 2ac DnldMgr ** START ** DnldMgr: Downloading updates [CallerId = AutomaticUpdates]

2010-06-30 15:59:42:203 1416 2ac DnldMgr *********

2010-06-30 15:59:42:203 1416 2ac DnldMgr * Call ID = {0756C66C-6B84-4A87-A0C8-8704BCBA8E16}

2010-06-30 15:59:42:203 1416 2ac DnldMgr * Priority = 2, Interactive = 0, Owner is system = 1, Explicit proxy = 0, Proxy session id = -1, ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}

2010-06-30 15:59:42:218 1416 2ac DnldMgr * Updates to download = 1

2010-06-30 15:59:42:218 1416 2ac Agent * Title = Microsoft .NET Framework 3.5 SP1 Update for Windows Server 2003 and Windows XP x86 (KB982168)

2010-06-30 15:59:42:218 1416 2ac Agent * UpdateId = {FA6E4025-F239-4137-9FD8-BA1022974754}.103

2010-06-30 15:59:42:218 1416 2ac Agent * Bundles 2 updates:

2010-06-30 15:59:42:218 1416 2ac Agent * {26B25ECB-D3DA-4A1F-9897-939A8EB1F502}.103

2010-06-30 15:59:42:218 1416 2ac Agent * {1C17F60B-2B33-4A68-A95F-5F78A4FDC253}.103

2010-06-30 15:59:42:218 1416 2ac DnldMgr *********** DnldMgr: Regulation Refresh [svc: {7971F918-A847-4430-9279-4A52D1EFE18D}] ***********

2010-06-30 15:59:42:218 1416 2ac DnldMgr * Regulation call complete. 0x00000000

2010-06-30 15:59:42:218 1416 2ac DnldMgr *********** DnldMgr: New download job [updateId = {26B25ECB-D3DA-4A1F-9897-939A8EB1F502}.103] ***********

2010-06-30 15:59:42:250 1416 2ac DnldMgr * All files for update were already downloaded and are valid.

2010-06-30 15:59:42:250 1416 2ac DnldMgr *********** DnldMgr: New download job [updateId = {1C17F60B-2B33-4A68-A95F-5F78A4FDC253}.103] ***********

2010-06-30 15:59:42:843 1416 2ac DnldMgr * All files for update were already downloaded and are valid.

2010-06-30 15:59:42:859 1416 250 AU >>## RESUMED ## AU: Download update [updateId = {FA6E4025-F239-4137-9FD8-BA1022974754}, succeeded]

2010-06-30 15:59:42:859 1416 2ac Agent *********

2010-06-30 15:59:42:859 1416 2ac Agent ** END ** Agent: Downloading updates [CallerId = AutomaticUpdates]

2010-06-30 15:59:42:859 1416 2ac Agent *************

2010-06-30 15:59:42:921 1416 2ac DnldMgr *************

2010-06-30 15:59:42:921 1416 2ac DnldMgr ** START ** DnldMgr: Downloading updates [CallerId = AutomaticUpdates]

2010-06-30 15:59:42:921 1416 2ac DnldMgr *********

2010-06-30 15:59:42:921 1416 2ac DnldMgr * Call ID = {BF2781B5-9063-4C33-89B3-2D5289AEE291}

2010-06-30 15:59:42:937 1416 2ac DnldMgr * Priority = 2, Interactive = 0, Owner is system = 1, Explicit proxy = 0, Proxy session id = -1, ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}

2010-06-30 15:59:42:937 1416 2ac DnldMgr * Updates to download = 1

2010-06-30 15:59:42:937 1416 2ac Agent * Title = Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0 SP2 Update for Windows Server 2003 and Windows XP x86 (KB982524)

2010-06-30 15:59:42:937 1416 2ac Agent * UpdateId = {8328C689-B157-4AFC-B181-915023070C4A}.100

2010-06-30 15:59:42:937 1416 2ac Agent * Bundles 3 updates:

2010-06-30 15:59:42:937 1416 2ac Agent * {F1BC5375-8096-4476-A5B6-664C3AAEA739}.100

2010-06-30 15:59:42:937 1416 2ac Agent * {B35B600C-05A4-418A-8CD3-CDFF52F18524}.100

2010-06-30 15:59:42:937 1416 2ac Agent * {65726B5A-FE2D-4906-A388-ACCFE9009F9B}.100

2010-06-30 15:59:42:937 1416 2ac DnldMgr *********** DnldMgr: Regulation Refresh [svc: {7971F918-A847-4430-9279-4A52D1EFE18D}] ***********

2010-06-30 15:59:42:937 1416 2ac DnldMgr * Regulation call complete. 0x00000000

2010-06-30 15:59:42:937 1416 2ac DnldMgr *********** DnldMgr: New download job [updateId = {F1BC5375-8096-4476-A5B6-664C3AAEA739}.100] ***********

2010-06-30 15:59:42:953 1416 2ac DnldMgr * All files for update were already downloaded and are valid.

2010-06-30 15:59:42:953 1416 2ac DnldMgr *********** DnldMgr: New download job [updateId = {B35B600C-05A4-418A-8CD3-CDFF52F18524}.100] ***********

2010-06-30 15:59:43:015 1416 2ac DnldMgr * All files for update were already downloaded and are valid.

2010-06-30 15:59:43:015 1416 2ac DnldMgr *********** DnldMgr: New download job [updateId = {65726B5A-FE2D-4906-A388-ACCFE9009F9B}.100] ***********

2010-06-30 15:59:43:437 1416 2ac DnldMgr * All files for update were already downloaded and are valid.

2010-06-30 15:59:43:484 1416 250 AU >>## RESUMED ## AU: Download update [updateId = {8328C689-B157-4AFC-B181-915023070C4A}, succeeded]

2010-06-30 15:59:43:484 1416 2ac Agent *********

2010-06-30 15:59:43:484 1416 2ac Agent ** END ** Agent: Downloading updates [CallerId = AutomaticUpdates]

2010-06-30 15:59:43:484 1416 2ac Agent *************

2010-06-30 15:59:43:500 1416 2ac DnldMgr *************

2010-06-30 15:59:43:500 1416 2ac DnldMgr ** START ** DnldMgr: Downloading updates [CallerId = AutomaticUpdates]

2010-06-30 15:59:43:515 1416 2ac DnldMgr *********

2010-06-30 15:59:43:515 1416 2ac DnldMgr * Call ID = {475327F1-99E2-497C-996E-A2C3705B7142}

2010-06-30 15:59:43:515 1416 2ac DnldMgr * Priority = 1, Interactive = 0, Owner is system = 1, Explicit proxy = 0, Proxy session id = -1, ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}

2010-06-30 15:59:43:531 1416 2ac DnldMgr * Updates to download = 1

2010-06-30 15:59:43:531 1416 2ac Agent * Title = Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update for .NET versions 2.0 through 3.5 (KB951847) x86

2010-06-30 15:59:43:531 1416 2ac Agent * UpdateId = {4D6E7C9C-99BA-4448-8A0A-3E8E7B84D2FA}.104

2010-06-30 15:59:43:531 1416 2ac Agent * Bundles 1 updates:

2010-06-30 15:59:43:531 1416 2ac Agent * {6041DC4A-91A1-4118-9930-8B93F432E479}.104

2010-06-30 15:59:43:531 1416 2ac DnldMgr *********** DnldMgr: Regulation Refresh [svc: {7971F918-A847-4430-9279-4A52D1EFE18D}] ***********

2010-06-30 15:59:43:531 1416 2ac DnldMgr * Regulation call complete. 0x00000000

2010-06-30 15:59:43:531 1416 2ac DnldMgr *********** DnldMgr: New download job [updateId = {6041DC4A-91A1-4118-9930-8B93F432E479}.104] ***********

2010-06-30 15:59:43:765 1416 2ac DnldMgr * All files for update were already downloaded and are valid.

2010-06-30 15:59:43:765 1416 250 AU >>## RESUMED ## AU: Download update [updateId = {4D6E7C9C-99BA-4448-8A0A-3E8E7B84D2FA}, succeeded]

2010-06-30 15:59:43:781 1416 2ac Agent *********

2010-06-30 15:59:43:781 1416 2ac Agent ** END ** Agent: Downloading updates [CallerId = AutomaticUpdates]

2010-06-30 15:59:43:781 1416 2ac Agent *************

2010-06-30 15:59:43:781 1416 2ac DnldMgr *************

2010-06-30 15:59:43:781 1416 2ac DnldMgr ** START ** DnldMgr: Downloading updates [CallerId = AutomaticUpdates]

2010-06-30 15:59:43:796 1416 2ac DnldMgr *********

2010-06-30 15:59:43:796 1416 2ac DnldMgr * Call ID = {90785789-0937-43B0-9D02-907CEFD188B0}

2010-06-30 15:59:43:796 1416 2ac DnldMgr * Priority = 2, Interactive = 0, Owner is system = 1, Explicit proxy = 0, Proxy session id = -1, ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}

2010-06-30 15:59:43:796 1416 2ac DnldMgr * Updates to download = 1

2010-06-30 15:59:43:796 1416 2ac Agent * Title = Microsoft .NET Framework 1.1 SP1 Security Update for Windows 2000 and Windows XP (KB979906)

2010-06-30 15:59:43:796 1416 2ac Agent * UpdateId = {18072BD1-84D7-4CEF-A069-808512A8A76D}.107

2010-06-30 15:59:43:796 1416 2ac Agent * Bundles 2 updates:

2010-06-30 15:59:43:796 1416 2ac Agent * {1253EC2E-7C31-4221-A4C3-DA356230D2A0}.107

2010-06-30 15:59:43:796 1416 2ac Agent * {C3486200-3186-4B48-A012-A2DDABE91034}.107

2010-06-30 15:59:43:796 1416 2ac DnldMgr *********** DnldMgr: Regulation Refresh [svc: {7971F918-A847-4430-9279-4A52D1EFE18D}] ***********

2010-06-30 15:59:43:796 1416 2ac DnldMgr * Regulation call complete. 0x00000000

2010-06-30 15:59:43:812 1416 2ac DnldMgr *********** DnldMgr: New download job [updateId = {1253EC2E-7C31-4221-A4C3-DA356230D2A0}.107] ***********

2010-06-30 15:59:43:828 1416 2ac DnldMgr * All files for update were already downloaded and are valid.

2010-06-30 15:59:43:828 1416 2ac DnldMgr *********** DnldMgr: New download job [updateId = {C3486200-3186-4B48-A012-A2DDABE91034}.107] ***********

2010-06-30 15:59:44:265 1416 2ac DnldMgr * All files for update were already downloaded and are valid.

2010-06-30 15:59:44:296 1416 250 AU >>## RESUMED ## AU: Download update [updateId = {18072BD1-84D7-4CEF-A069-808512A8A76D}, succeeded]

2010-06-30 15:59:44:296 1416 250 AU #########

2010-06-30 15:59:44:296 1416 250 AU ## END ## AU: Download updates

2010-06-30 15:59:44:296 1416 250 AU #############

2010-06-30 15:59:44:296 1416 250 AU AU setting pending client directive to 'Install Approval'

2010-06-30 15:59:44:296 1416 2ac Agent *********

2010-06-30 15:59:44:296 1416 2ac Agent ** END ** Agent: Downloading updates [CallerId = AutomaticUpdates]

2010-06-30 15:59:44:296 1416 2ac Agent *************

2010-06-30 15:59:47:109 1416 2ac Report REPORT EVENT: {833498EB-F8C4-4CBB-9490-3AC3509CE2FF} 2010-06-30 15:59:42:109-0700 1 189 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. To install the updates, an administrator should log on to this computer and Windows will prompt with further instructions: - Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0 SP2 Security Update for Windows 2000, Windows Server 2003, and Windows XP x86 (KB979909)

2010-06-30 15:59:47:109 1416 2ac Report REPORT EVENT: {427C3D62-9B18-4DEE-9607-C0C456CFB4CF} 2010-06-30 15:59:42:859-0700 1 189 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. To install the updates, an administrator should log on to this computer and Windows will prompt with further instructions: - Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0 SP2 Security Update for Windows 2000, Windows Server 2003, and Windows XP x86 (KB979909) - Microsoft .NET Framework 3.5 SP1 Update for Windows Server 2003 and Windows XP x86 (KB982168)

2010-06-30 15:59:47:109 1416 2ac Report REPORT EVENT: {650F52CC-B11C-41D0-BA8D-69F8B7E68904} 2010-06-30 15:59:43:484-0700 1 189 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. To install the updates, an administrator should log on to this computer and Windows will prompt with further instructions: - Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0 SP2 Security Update for Windows 2000, Windows Server 2003, and Windows XP x86 (KB979909) - Microsoft .NET Framework 3.5 SP1 Update for Windows Server 2003 and Windows XP x86 (KB982168) - Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0 SP2 Update for Windows Server 2003 and Windows XP x86 (KB982524)

2010-06-30 15:59:47:109 1416 2ac Report REPORT EVENT: {3F8E3773-26B6-4389-821A-019FC514D942} 2010-06-30 15:59:43:765-0700 1 189 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. To install the updates, an administrator should log on to this computer and Windows will prompt with further instructions: - Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0 SP2 Security Update for Windows 2000, Windows Server 2003, and Windows XP x86 (KB979909) - Microsoft .NET Framework 3.5 SP1 Update for Windows Server 2003 and Windows XP x86 (KB982168) - Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0 SP2 Update for Windows Server 2003 and Windows XP x86 (KB982524) - Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update for .NET versions 2.0 through 3.5 (KB951847) x86

2010-06-30 15:59:47:109 1416 2ac Report REPORT EVENT: {B507C225-6DCA-4F99-91F3-8572F23F495B} 2010-06-30 15:59:44:296-0700 1 189 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. To install the updates, an administrator should log on to this computer and Windows will prompt with further instructions: - Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0 SP2 Security Update for Windows 2000, Windows Server 2003, and Windows XP x86 (KB979909) - Microsoft .NET Framework 3.5 SP1 Update for Windows Server 2003 and Windows XP x86 (KB982168) - Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0 SP2 Update for Windows Server 2003 and Windows XP x86 (KB982524) - Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update for .NET versions 2.0 through 3.5 (KB951847) x86 - Microsoft .NET Framework 1.1 SP1 Security Update for Windows 2000 and Windows XP (KB979906)

2010-06-30 15:59:53:328 1416 864 AU Launched new AU client for directive 'Install Approval', session id = 0x0

2010-06-30 15:59:53:750 888 f78 Misc =========== Logging initialized (build: 7.4.7600.226, tz: -0700) ===========

2010-06-30 15:59:53:750 888 f78 Misc = Process: C:\windows\system32\wuauclt.exe

2010-06-30 15:59:53:750 888 f78 AUClnt Launched Client UI process

2010-06-30 15:59:54:265 888 f78 Misc =========== Logging initialized (build: 7.4.7600.226, tz: -0700) ===========

2010-06-30 15:59:54:265 888 f78 Misc = Process: C:\windows\system32\wuauclt.exe

2010-06-30 15:59:54:265 888 f78 Misc = Module: C:\windows\system32\wucltui.dll

2010-06-30 15:59:54:265 888 f78 CltUI AU client got new directive = 'Install Approval', serviceId = {7971F918-A847-4430-9279-4A52D1EFE18D}, return = 0x00000000

2010-06-30 15:59:54:312 888 f78 CltUI AU client creating UI plugin, clsid={3809920F-B9D4-42DA-92E0-E26265E0FB89}

2010-06-30 17:10:42:031 1416 804 DnldMgr *********** DnldMgr: Regulation Refresh [svc: {7971F918-A847-4430-9279-4A52D1EFE18D}] ***********

2010-06-30 17:10:42:031 1416 804 DnldMgr * Regulation call complete. 0x00000000

2010-06-30 17:12:42:515 1416 864 AU #############

2010-06-30 17:12:42:515 1416 864 AU ## START ## AU: Search for updates

2010-06-30 17:12:42:515 1416 864 AU #########

2010-06-30 17:12:42:515 1416 864 AU <<## SUBMITTED ## AU: Search for updates [CallId = {84B6E037-40CA-4822-96D5-56E3B6208557}]

2010-06-30 17:12:42:515 1416 804 Agent *************

2010-06-30 17:12:42:531 1416 804 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates]

2010-06-30 17:12:42:531 1416 804 Agent *********

2010-06-30 17:12:42:531 1416 804 Agent * Online = Yes; Ignore download priority = No

2010-06-30 17:12:42:531 1416 804 Agent * Criteria = "IsHidden=0 and IsInstalled=0 and DeploymentAction='Installation' and IsAssigned=1 or IsHidden=0 and IsPresent=1 and DeploymentAction='Uninstallation' and IsAssigned=1 or IsHidden=0 and IsInstalled=1 and DeploymentAction='Installation' and IsAssigned=1 and RebootRequired=1 or IsHidden=0 and IsInstalled=0 and DeploymentAction='Uninstallation' and IsAssigned=1 and RebootRequired=1"

2010-06-30 17:12:42:531 1416 804 Agent * ServiceID = {7971F918-A847-4430-9279-4A52D1EFE18D} Third party service

2010-06-30 17:12:42:531 1416 804 Agent * Search Scope = {Machine}

2010-06-30 17:12:42:812 1416 804 Misc Validating signature for C:\windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:

2010-06-30 17:12:42:875 1416 804 Misc Microsoft signed: Yes

2010-06-30 17:12:45:640 1416 804 Misc Validating signature for C:\windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:

2010-06-30 17:12:45:671 1416 804 Misc Microsoft signed: Yes

2010-06-30 17:12:45:843 1416 804 Agent Checking for updated auth cab for service 7971f918-a847-4430-9279-4a52d1efe18d at http://download.windowsupdate.com/v9/micro...edir/muauth.cab

2010-06-30 17:12:45:843 1416 804 Misc Validating signature for C:\windows\SoftwareDistribution\AuthCabs\authcab.cab:

2010-06-30 17:12:45:859 1416 804 Misc Microsoft signed: Yes

2010-06-30 17:12:45:937 1416 804 Misc Validating signature for C:\windows\SoftwareDistribution\AuthCabs\authcab.cab:

2010-06-30 17:12:45:953 1416 804 Misc Microsoft signed: Yes

2010-06-30 17:12:45:953 1416 804 Misc Validating signature for C:\windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:

2010-06-30 17:12:45:984 1416 804 Misc Microsoft signed: Yes

2010-06-30 17:12:46:078 1416 804 Misc Validating signature for C:\windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:

2010-06-30 17:12:46:109 1416 804 Misc Microsoft signed: Yes

2010-06-30 17:12:46:156 1416 804 Misc Validating signature for C:\windows\SoftwareDistribution\SelfUpdate\Default\wuident.cab:

2010-06-30 17:12:46:171 1416 804 Misc Microsoft signed: Yes

2010-06-30 17:12:48:750 1416 804 Misc Validating signature for C:\windows\SoftwareDistribution\SelfUpdate\Default\wuident.cab:

2010-06-30 17:12:48:765 1416 804 Misc Microsoft signed: Yes

2010-06-30 17:12:49:187 1416 804 Misc Validating signature for C:\windows\SoftwareDistribution\SelfUpdate\Default\wsus3setup.cab:

2010-06-30 17:12:49:218 1416 804 Misc Microsoft signed: Yes

2010-06-30 17:12:49:250 1416 804 Setup *********** Setup: Checking whether self-update is required ***********

2010-06-30 17:12:49:250 1416 804 Setup * Inf file: C:\windows\SoftwareDistribution\SelfUpdate\Default\wsus3setup.inf

2010-06-30 17:12:49:375 1416 804 Setup Update NOT required for C:\windows\system32\cdm.dll: target version = 7.4.7600.226, required version = 7.4.7600.226

2010-06-30 17:12:49:421 1416 804 Setup Update NOT required for C:\windows\system32\wuapi.dll: target version = 7.4.7600.226, required version = 7.4.7600.226

2010-06-30 17:12:49:437 1416 804 Setup Update NOT required for C:\windows\system32\wuapi.dll.mui: target version = 7.4.7600.226, required version = 7.4.7600.226

2010-06-30 17:12:49:437 1416 804 Setup Update NOT required for C:\windows\system32\wuauclt.exe: target version = 7.4.7600.226, required version = 7.4.7600.226

2010-06-30 17:12:49:453 1416 804 Setup Update NOT required for C:\windows\system32\wuaucpl.cpl: target version = 7.4.7600.226, required version = 7.4.7600.226

2010-06-30 17:12:49:468 1416 804 Setup Update NOT required for C:\windows\system32\wuaucpl.cpl.mui: target version = 7.4.7600.226, required version = 7.4.7600.226

2010-06-30 17:12:49:468 1416 804 Setup Update NOT required for C:\windows\system32\wuaueng.dll: target version = 7.4.7600.226, required version = 7.4.7600.226

2010-06-30 17:12:49:484 1416 804 Setup Update NOT required for C:\windows\system32\wuaueng.dll.mui: target version = 7.4.7600.226, required version = 7.4.7600.226

2010-06-30 17:12:49:500 1416 804 Setup Update NOT required for C:\windows\system32\wucltui.dll: target version = 7.4.7600.226, required version = 7.4.7600.226

2010-06-30 17:12:49:546 1416 804 Setup Update NOT required for C:\windows\system32\wucltui.dll.mui: target version = 7.4.7600.226, required version = 7.4.7600.226

2010-06-30 17:12:49:546 1416 804 Setup Update NOT required for C:\windows\system32\wups.dll: target version = 7.4.7600.226, required version = 7.4.7600.226

2010-06-30 17:12:49:578 1416 804 Setup Update NOT required for C:\windows\system32\wups2.dll: target version = 7.4.7600.226, required version = 7.4.7600.226

2010-06-30 17:12:49:687 1416 804 Setup Update NOT required for C:\windows\system32\wuweb.dll: target version = 7.4.7600.226, required version = 7.4.7600.226

2010-06-30 17:12:49:687 1416 804 Setup * IsUpdateRequired = No

2010-06-30 17:12:49:687 1416 804 Setup Found non-managed non-WU Service registered with AU

2010-06-30 17:12:49:703 1416 804 Misc Validating signature for C:\windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muv4muredir.cab:

2010-06-30 17:12:49:734 1416 804 Misc Microsoft signed: Yes

2010-06-30 17:12:49:796 1416 804 Misc Validating signature for C:\windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muv4muredir.cab:

2010-06-30 17:12:49:812 1416 804 Misc Microsoft signed: Yes

2010-06-30 17:12:49:828 1416 804 Misc Validating signature for C:\windows\SoftwareDistribution\SelfUpdate\Registered\muident.cab:

2010-06-30 17:12:49:859 1416 804 Misc Microsoft signed: Yes

2010-06-30 17:12:49:968 1416 804 Misc Validating signature for C:\windows\SoftwareDistribution\SelfUpdate\Registered\muident.cab:

2010-06-30 17:12:49:984 1416 804 Misc Microsoft signed: Yes

2010-06-30 17:12:50:250 1416 804 Misc Validating signature for C:\windows\SoftwareDistribution\SelfUpdate\Registered\musetup.cab:

2010-06-30 17:12:50:281 1416 804 Misc Microsoft signed: Yes

2010-06-30 17:12:50:281 1416 804 Setup *********** Setup: Checking whether self-update is required ***********

2010-06-30 17:12:50:296 1416 804 Setup * Inf file: C:\windows\SoftwareDistribution\SelfUpdate\Registered\musetup.inf

2010-06-30 17:12:50:343 1416 804 Setup Update NOT required for C:\windows\system32\mucltui.dll: target version = 7.4.7600.226, required version = 7.4.7600.226

2010-06-30 17:12:50:343 1416 804 Setup Update NOT required for C:\windows\system32\mucltui.dll.mui: target version = 7.4.7600.226, required version = 7.4.7600.226

2010-06-30 17:12:50:406 1416 804 Setup Update NOT required for C:\windows\system32\muweb.dll: target version = 7.4.7600.226, required version = 7.4.7600.226

2010-06-30 17:12:50:406 1416 804 Setup * IsUpdateRequired = No

2010-06-30 17:13:02:171 1416 804 Misc Validating signature for C:\windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muv4muredir.cab:

2010-06-30 17:13:02:218 1416 804 Misc Microsoft signed: Yes

2010-06-30 17:13:02:468 1416 804 Misc Validating signature for C:\windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muv4muredir.cab:

2010-06-30 17:13:02:484 1416 804 Misc Microsoft signed: Yes

2010-06-30 17:13:02:500 1416 804 PT +++++++++++ PT: Synchronizing server updates +++++++++++

2010-06-30 17:13:02:562 1416 804 PT + ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}, Server URL = https://www.update.microsoft.com/v6/ClientW...ice/client.asmx

2010-06-30 17:13:08:406 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {9D6A2972-3BC9-4923-A8F5-AAD9ED329E06}.53, hr = 8007006E

2010-06-30 17:13:13:187 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {927DA5AF-7FBC-4F40-8ED6-1DF198047D38}.100, hr = 8007006E

2010-06-30 17:13:13:281 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {0FD42409-3866-417D-8374-E227A07FC3E7}.100, hr = 8007006E

2010-06-30 17:13:13:328 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {7240DE87-F64D-4918-8B27-8D065DE15444}.100, hr = 8007006E

2010-06-30 17:13:13:406 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {AA963ADC-70C5-42C2-A1C8-BA0111831A38}.101, hr = 8007006E

2010-06-30 17:13:13:453 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {21A6396E-983B-4CE6-A087-BC9B42747D0C}.100, hr = 8007006E

2010-06-30 17:13:13:500 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {89B5926A-F0BA-4E86-9548-2D30EDF759F3}.101, hr = 8007006E

2010-06-30 17:13:13:562 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {23AF428F-8D9F-4FF6-925E-E2F10375C4E3}.100, hr = 8007006E

2010-06-30 17:13:13:609 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {F6A291BC-048B-4472-AEC5-142AE284DAED}.100, hr = 8007006E

2010-06-30 17:13:13:656 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {1B681064-370E-4017-ACDB-0E9D133862B7}.100, hr = 8007006E

2010-06-30 17:13:13:703 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {BF7E1599-7A19-4D9E-BF54-FD123204CCB6}.100, hr = 8007006E

2010-06-30 17:13:13:750 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {38C16CB9-D80E-4747-B052-F2DCEDB26455}.100, hr = 8007006E

2010-06-30 17:13:14:140 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {0EDDD03F-530B-4299-9741-F170BA2936A1}.100, hr = 8007006E

2010-06-30 17:13:14:250 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {40D2B735-202B-49E8-BF68-24CC712623DB}.102, hr = 8007006E

2010-06-30 17:13:14:359 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {228A4DD4-C6C0-4D41-BB0A-4BE91E9E3440}.100, hr = 8007006E

2010-06-30 17:13:14:468 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {16E77DCC-588C-4B43-90B6-8900AFF18967}.100, hr = 8007006E

2010-06-30 17:13:14:687 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {340CF1CE-4A0A-4310-904D-881F923677E3}.102, hr = 8007006E

2010-06-30 17:13:14:828 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {428FF11B-4AD4-480A-87E4-D08C84C4C5F0}.100, hr = 8007006E

2010-06-30 17:13:14:875 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {31979B3B-A86A-4DA4-A0F6-C0CFE05F1178}.103, hr = 8007006E

2010-06-30 17:13:14:906 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {F0A4B636-1565-47A9-8E26-A09C857F9AAD}.100, hr = 8007006E

2010-06-30 17:13:14:937 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {76D22173-15D8-4F0B-900C-EBA954A626ED}.101, hr = 8007006E

2010-06-30 17:13:14:984 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {8A0BC75F-96A5-4F24-A58B-17F8A792D252}.102, hr = 8007006E

2010-06-30 17:13:15:015 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {A89D7E42-77C7-4DF2-97A6-28F9FFCBE6C2}.100, hr = 8007006E

2010-06-30 17:13:15:046 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {46DDF76B-E91D-477F-A5B1-E67D7563418F}.100, hr = 8007006E

2010-06-30 17:13:15:109 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {69B3F0EE-5577-493B-98EF-54502FFEFA55}.101, hr = 8007006E

2010-06-30 17:13:15:140 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {1F066814-AAF7-4692-8B81-09A87DA821F7}.100, hr = 8007006E

2010-06-30 17:13:15:171 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {C4E51A16-20A5-495C-BE53-3951D940CF87}.100, hr = 8007006E

2010-06-30 17:13:15:187 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {2577F3B2-52ED-4B4E-B61C-0182600FAE97}.100, hr = 8007006E

2010-06-30 17:13:15:796 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {86C77230-E78A-4A7A-947B-CEDB2CA187EA}.100, hr = 8007006E

2010-06-30 17:13:15:953 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {A7527FD9-BFE1-485B-A6CB-C5C4B3A2F02A}.101, hr = 8007006E

2010-06-30 17:13:16:031 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {69040F82-0B02-4650-834B-22B243F17043}.100, hr = 8007006E

2010-06-30 17:13:16:156 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {16822D7A-15BC-4BE0-AE77-64D7D803ED4D}.100, hr = 8007006E

2010-06-30 17:13:16:296 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {2C288ACA-369E-434F-B90E-3A7A43B10E0D}.103, hr = 8004100E

2010-06-30 17:13:16:453 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {9A423A44-61AB-4237-B661-CFD0B81785CE}.100, hr = 8007006E

2010-06-30 17:13:16:500 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {23945CEB-AB9A-4647-9033-5DDB1D2C6CC5}.105, hr = 8007006E

2010-06-30 17:13:16:562 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {F7E44349-8FA3-414C-8FE7-A83D70B1CE7C}.100, hr = 8007006E

2010-06-30 17:13:16:703 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {004FAB82-E7FD-4F37-8346-903FF2961E7E}.100, hr = 8007006E

2010-06-30 17:13:16:734 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {545DE123-E992-4C34-9D36-7F15CB48D43E}.100, hr = 8007006E

2010-06-30 17:13:16:812 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {F32FBCE9-5781-4DB2-9C51-CF208532E252}.100, hr = 8007006E

2010-06-30 17:13:16:859 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {6857D755-71B1-47E1-BAF6-FF343016E188}.100, hr = 8007006E

2010-06-30 17:13:16:953 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {59283FD4-7787-4347-8C7D-FAF8B5B70EBC}.104, hr = 8007006E

2010-06-30 17:13:17:062 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {E279DAFD-678C-4C19-993A-0D2C8C06966A}.100, hr = 8007006E

2010-06-30 17:13:17:078 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {BDBEADAC-57A9-463E-B09F-4F2F8265C8B0}.100, hr = 8007006E

2010-06-30 17:13:17:109 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {4408A97F-192F-42F6-9C13-B1C91332FEBD}.100, hr = 8007006E

2010-06-30 17:13:17:140 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {20070C7A-2D74-42A6-B3D6-61F4876814EC}.100, hr = 8007006E

2010-06-30 17:13:17:171 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {2AA1D715-9927-4742-AD3E-E100B22ED461}.101, hr = 8007006E

2010-06-30 17:13:17:203 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {3891E145-91DB-4620-8F7A-56392FE81527}.100, hr = 8007006E

2010-06-30 17:13:17:218 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {2DB09E73-2406-4A81-A03B-4AD286191429}.100, hr = 8007006E

2010-06-30 17:13:17:296 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {F4EDE0D0-1DC7-488F-9290-1542FB99B30F}.100, hr = 8007006E

2010-06-30 17:13:17:390 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {6018F56A-809B-4B77-95C6-B1D3C9AEFFFE}.100, hr = 8007006E

2010-06-30 17:13:17:390 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {F06BD563-CC31-4DEE-905E-1FDAB626D398}.101, hr = 8007006E

2010-06-30 17:13:18:000 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {27B64548-55A8-4134-967C-9340ED0036DB}.100, hr = 8007006E

2010-06-30 17:13:18:187 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {CF8625C4-1C24-4373-AC82-3E9E1266D5BD}.100, hr = 8007006E

2010-06-30 17:13:18:265 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {E8D395A3-4E47-426D-A8DA-88E48914C4B3}.100, hr = 8007006E

2010-06-30 17:13:18:328 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {C1CD2947-BF29-432F-B3FA-5F3608D3D141}.100, hr = 8007006E

2010-06-30 17:13:18:984 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {A8111ECB-F970-4634-A808-4E007A8A1034}.103, hr = 8004100E

2010-06-30 17:13:19:000 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {D743753E-2CE8-4322-B672-0A996A0D935B}.100, hr = 8007006E

2010-06-30 17:13:19:187 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {292376A5-8975-4498-BDFD-0A45D60ADA44}.102, hr = 8007006E

2010-06-30 17:13:19:203 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {5BFCECA4-1B14-4A2E-8435-68322302C264}.102, hr = 8007006E

2010-06-30 17:13:19:218 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {5AC301B4-FA4A-4DC0-AEB3-2532E41C7657}.51, hr = 8007006E

2010-06-30 17:13:19:218 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {2E05F63C-4565-4993-80E4-38F301F6AFE9}.100, hr = 8007006E

2010-06-30 17:13:19:281 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {3BD5A8E0-947B-4E1A-99A4-D97147D4A84A}.100, hr = 8007006E

2010-06-30 17:13:19:328 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {E78694A7-7AB1-4542-9C33-4ABB9C878B51}.100, hr = 8007006E

2010-06-30 17:13:19:375 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {2BF0640E-AFD3-4CD2-8BD3-96FFE541ACD5}.100, hr = 8007006E

2010-06-30 17:13:19:421 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {5BAF0CCF-7774-415E-B92D-08D2E97660CA}.101, hr = 8007006E

2010-06-30 17:13:19:515 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {C356752D-FB2F-4C81-993F-8994E517DBC4}.102, hr = 8007006E

2010-06-30 17:13:19:593 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {DD12D1B1-B795-4DAC-A8E3-F19111EAB849}.100, hr = 8007006E

2010-06-30 17:13:19:671 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {AACA0A16-2311-4227-A641-C151C85EB4B1}.100, hr = 8007006E

2010-06-30 17:13:19:750 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {FF23C2BF-2CD5-477F-8162-18163E8D4AC2}.100, hr = 8007006E

2010-06-30 17:13:19:796 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {257C4E80-4095-4C78-A205-5E433B1D310F}.100, hr = 8007006E

2010-06-30 17:13:19:828 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {4DADCDAE-54FC-43D0-8733-DBEA13488C54}.100, hr = 8007006E

2010-06-30 17:13:19:906 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {09065B63-D02E-4176-B623-0E8A04177828}.100, hr = 8007006E

2010-06-30 17:13:19:984 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {C85D2AF6-ECC8-4307-861A-91ED8467D49D}.100, hr = 8007006E

2010-06-30 17:13:20:062 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {1F3B20B0-704B-4176-A8C5-8A12BF87CAC7}.100, hr = 8007006E

2010-06-30 17:13:20:125 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {2921D9AA-B5A5-44DB-80AD-32CC4152643D}.52, hr = 8007006E

2010-06-30 17:13:20:312 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {5E223EF3-4CD4-4BDC-84D8-BC2A4A1F1345}.100, hr = 8007006E

2010-06-30 17:13:20:421 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {6B7E2C47-CB2F-40B9-B575-27E726CAEE5D}.100, hr = 8007006E

2010-06-30 17:13:20:468 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {B859D4B9-B09F-492F-882F-3C1C990D1954}.102, hr = 8007006E

2010-06-30 17:13:20:546 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {F70A5EAB-4464-4928-8891-49A2B659E625}.100, hr = 8007006E

2010-06-30 17:13:20:796 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {039BF8B6-382F-4DD8-AB4D-43788C8334B1}.100, hr = 8007006E

2010-06-30 17:13:20:859 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {9687775F-1E8C-4D28-9663-656C185F85F5}.100, hr = 8007006E

2010-06-30 17:13:20:937 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {87DD1DFE-00D7-4BAD-9247-BFDBAA1C7681}.100, hr = 8007006E

2010-06-30 17:13:21:078 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {88857109-91D0-447F-9863-E068E39B1291}.100, hr = 8007006E

2010-06-30 17:13:21:484 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {023A9AFD-9573-45B7-8AA2-9126528F9E96}.100, hr = 8007006E

2010-06-30 17:13:21:515 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {D4D6EED8-0FAA-474F-A91B-06678ACF2C17}.100, hr = 8007006E

2010-06-30 17:13:21:515 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {243694DF-0B2F-465F-B153-05214E62FEC3}.100, hr = 8007006E

2010-06-30 17:13:21:609 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {52497264-A9B5-4BC3-A2BD-433581B6AD18}.100, hr = 8007006E

2010-06-30 17:13:21:671 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {E46007FE-8E26-4D79-BA59-A820B89B69F3}.51, hr = 8007006E

2010-06-30 17:13:21:718 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {1C2CBB97-2BA2-4817-9F7C-9CB2BACC6745}.100, hr = 8007006E

2010-06-30 17:13:21:750 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {FAF9E2A1-E007-4400-A11E-092F4CC71D96}.101, hr = 8007006E

2010-06-30 17:13:22:437 1416 804 Agent WARNING: Failed to evaluate Installable rule, updateId = {208FFA8B-FC7F-4CD1-9C32-16E11765140C}.100, hr = 8007006E

2010-06-30 17:13:22:828 1416 804 Misc Validating signature for C:\windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muv4muredir.cab:

2010-06-30 17:13:22:859 1416 804 Misc Microsoft signed: Yes

2010-06-30 17:13:26:015 1416 804 Misc Validating signature for C:\windows\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muv4muredir.cab:

2010-06-30 17:13:26:031 1416 804 Misc Microsoft signed: Yes

2010-06-30 17:13:26:046 1416 804 PT +++++++++++ PT: Synchronizing extended update info +++++++++++

2010-06-30 17:13:26:046 1416 804 PT + ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}, Server URL = https://www.update.microsoft.com/v6/ClientW...ice/client.asmx

2010-06-30 17:13:52:140 1416 804 Agent Update {61DCAB34-53C0-4866-84E3-83B157E1D644}.100 is pruned out due to potential supersedence

2010-06-30 17:13:52:140 1416 804 Agent * Added update {4D6E7C9C-99BA-4448-8A0A-3E8E7B84D2FA}.104 to search result

2010-06-30 17:13:52:140 1416 804 Agent * Added update {E193311B-1D69-4AEA-BAB5-D736EE07D790}.104 to search result

2010-06-30 17:13:52:140 1416 804 Agent * Added update {18072BD1-84D7-4CEF-A069-808512A8A76D}.107 to search result

2010-06-30 17:13:52:140 1416 804 Agent * Added update {FA6E4025-F239-4137-9FD8-BA1022974754}.103 to search result

2010-06-30 17:13:52:140 1416 804 Agent * Added update {8328C689-B157-4AFC-B181-915023070C4A}.100 to search result

2010-06-30 17:13:52:140 1416 804 Agent * Found 5 updates and 59 categories in search; evaluated appl. rules of 1389 out of 2410 deployed entities

2010-06-30 17:13:52:218 1416 804 Agent *********

2010-06-30 17:13:52:218 1416 804 Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates]

2010-06-30 17:13:52:218 1416 804 Agent *************

2010-06-30 17:13:52:281 1416 9a4 AU >>## RESUMED ## AU: Search for updates [CallId = {84B6E037-40CA-4822-96D5-56E3B6208557}]

2010-06-30 17:13:52:281 1416 9a4 AU # 5 updates detected

2010-06-30 17:13:52:296 1416 9a4 AU #########

2010-06-30 17:13:52:296 1416 9a4 AU ## END ## AU: Search for updates [CallId = {84B6E037-40CA-4822-96D5-56E3B6208557}]

2010-06-30 17:13:52:296 1416 9a4 AU #############

2010-06-30 17:13:52:296 1416 9a4 AU Featured notifications is disabled.

2010-06-30 17:13:52:296 1416 9a4 AU AU setting next detection timeout to 2010-07-01 21:19:50

2010-06-30 17:13:57:218 1416 804 Report REPORT EVENT: {1F0C97CA-922F-42D5-8733-FC81EB6148EC} 2010-06-30 17:13:52:218-0700 1 147 101 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Software Synchronization Windows Update Client successfully detected 5 updates.

2010-06-30 23:54:53:703 1416 758 AU AU found 5 updates for install at shutdown

2010-06-30 23:54:53:765 336 294 Misc =========== Logging initialized (build: 7.4.7600.226, tz: -0700) ===========

2010-06-30 23:54:53:765 336 294 Misc = Process: C:\windows\Explorer.EXE

2010-06-30 23:54:53:765 336 294 Misc = Module: C:\windows\system32\wuaueng.dll

2010-06-30 23:54:53:765 336 294 Shutdwn Install at shutdown: found updates to install

2010-06-30 23:55:11:656 1416 864 AU AU received handle event

2010-06-30 23:55:11:781 1416 864 AU AU setting pending client directive to 'Install Approval'

2010-06-30 23:55:47:562 1416 864 AU ########### AU: Uninitializing Automatic Updates ###########

Avira Scan Report:

Avira AntiVir Personal

Report file date: Thursday, July 01, 2010 10:53

Scanning for 2282927 virus strains and unwanted programs.

The program is running as an unrestricted full version.

Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : ROB-CCA219EB460

Version information:

BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00

AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 20:37:38

AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 20:57:04

LUKE.DLL : 10.0.2.3 104296 Bytes 3/8/2010 02:33:04

LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 07:40:49

VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 17:05:36

VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 03:27:49

VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 01:37:42

VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 00:37:42

VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 19:29:03

VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 04:11:01

VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 04:11:27

VBASE007.VDF : 7.10.7.219 2048 Bytes 6/2/2010 04:11:27

VBASE008.VDF : 7.10.7.220 2048 Bytes 6/2/2010 04:11:28

VBASE009.VDF : 7.10.7.221 2048 Bytes 6/2/2010 04:11:28

VBASE010.VDF : 7.10.7.222 2048 Bytes 6/2/2010 04:11:28

VBASE011.VDF : 7.10.7.223 2048 Bytes 6/2/2010 04:11:28

VBASE012.VDF : 7.10.7.224 2048 Bytes 6/2/2010 04:11:28

VBASE013.VDF : 7.10.8.37 270336 Bytes 6/10/2010 04:11:32

VBASE014.VDF : 7.10.8.69 138752 Bytes 6/14/2010 04:11:33

VBASE015.VDF : 7.10.8.102 130560 Bytes 6/16/2010 04:11:35

VBASE016.VDF : 7.10.8.135 152064 Bytes 6/21/2010 04:11:37

VBASE017.VDF : 7.10.8.163 432128 Bytes 6/23/2010 04:11:42

VBASE018.VDF : 7.10.8.194 133632 Bytes 6/27/2010 06:47:07

VBASE019.VDF : 7.10.8.220 134656 Bytes 6/29/2010 22:09:31

VBASE020.VDF : 7.10.8.221 2048 Bytes 6/29/2010 22:09:32

VBASE021.VDF : 7.10.8.222 2048 Bytes 6/29/2010 22:09:32

VBASE022.VDF : 7.10.8.223 2048 Bytes 6/29/2010 22:09:32

VBASE023.VDF : 7.10.8.224 2048 Bytes 6/29/2010 22:09:32

VBASE024.VDF : 7.10.8.225 2048 Bytes 6/29/2010 22:09:32

VBASE025.VDF : 7.10.8.226 2048 Bytes 6/29/2010 22:09:33

VBASE026.VDF : 7.10.8.227 2048 Bytes 6/29/2010 22:09:33

VBASE027.VDF : 7.10.8.228 2048 Bytes 6/29/2010 22:09:33

VBASE028.VDF : 7.10.8.229 2048 Bytes 6/29/2010 22:09:33

VBASE029.VDF : 7.10.8.230 2048 Bytes 6/29/2010 22:09:33

VBASE030.VDF : 7.10.8.231 2048 Bytes 6/29/2010 22:09:34

VBASE031.VDF : 7.10.8.236 45568 Bytes 6/30/2010 22:09:35

Engineversion : 8.2.4.2

AEVDF.DLL : 8.1.2.0 106868 Bytes 6/28/2010 04:12:22

AESCRIPT.DLL : 8.1.3.33 1356155 Bytes 6/28/2010 04:12:22

AESCN.DLL : 8.1.6.1 127347 Bytes 6/28/2010 04:12:17

AESBX.DLL : 8.1.3.1 254324 Bytes 6/28/2010 04:12:23

AERDL.DLL : 8.1.4.6 541043 Bytes 6/28/2010 04:12:16

AEPACK.DLL : 8.2.2.5 430453 Bytes 6/28/2010 04:12:13

AEOFFICE.DLL : 8.1.1.0 201081 Bytes 6/28/2010 04:12:10

AEHEUR.DLL : 8.1.1.38 2724214 Bytes 6/28/2010 04:12:09

AEHELP.DLL : 8.1.11.6 242038 Bytes 6/28/2010 04:11:56

AEGEN.DLL : 8.1.3.12 377204 Bytes 6/28/2010 04:11:54

AEEMU.DLL : 8.1.2.0 393588 Bytes 6/28/2010 04:11:52

AECORE.DLL : 8.1.15.3 192886 Bytes 6/28/2010 04:11:51

AEBB.DLL : 8.1.1.0 53618 Bytes 6/28/2010 04:11:49

AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 20:03:38

AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 20:03:35

AVREP.DLL : 10.0.0.8 62209 Bytes 2/19/2010 00:47:40

AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 20:35:46

AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 20:39:51

AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 20:22:13

AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 17:53:30

SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 20:57:58

AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 23:38:56

NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 22:41:00

RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 21:10:20

RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 22:14:29

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:,

Process scan........................: on

Extended process scan...............: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: Thursday, July 01, 2010 10:53

Starting search for hidden objects.

c:\windows\repair\backup\servicestate\configdirectory\default.bak

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\configdirectory\default.tmp.log

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\configdirectory\internet.evt

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\configdirectory\sam.bak

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\configdirectory\sam.tmp.log

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\configdirectory\security.bak

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\configdirectory\security.tmp.log

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\configdirectory\software.bak

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\configdirectory\software.tmp.log

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\configdirectory\system.bak

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\configdirectory\system.tmp.log

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\configdirectory\userdiff

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\configdirectory\userdiff.log

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\eventlogs\appevent.evt

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\eventlogs\encina.evt

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\eventlogs\secevent.evt

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\eventlogs\sysevent.evt

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\removablestoragemanager\ntmsdata

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\removablestoragemanager\ntmsreg

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The file is not visible.

c:\windows\repair\backup\servicestate\configdirectory

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The directory is not visible.

c:\windows\repair\backup\servicestate\eventlogs

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The directory is not visible.

c:\windows\repair\backup\servicestate\removablestoragemanager

c:\WINDOWS\repair\Backup\ServiceState

[NOTE] The directory is not visible.

HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\SecuROM\License information\datasecu

[NOTE] The registry entry is invisible.

HKEY_USERS\S-1-5-21-1644491937-562591055-725345543-1003\Software\SecuROM\License information\rkeysecu

[NOTE] The registry entry is invisible.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc\Config\Standalone\drivelist

[NOTE] The registry entry is invisible.

The scan of running processes will be started

Scan process 'rsmsink.exe' - '29' Module(s) have been scanned

Scan process 'svchost.exe' - '34' Module(s) have been scanned

Scan process 'IEXPLORE.EXE' - '120' Module(s) have been scanned

Scan process 'dllhost.exe' - '50' Module(s) have been scanned

Scan process 'dllhost.exe' - '45' Module(s) have been scanned

Scan process 'vssvc.exe' - '48' Module(s) have been scanned

Scan process 'avscan.exe' - '67' Module(s) have been scanned

Scan process 'wuauclt.exe' - '36' Module(s) have been scanned

Scan process 'AdobeARM.exe' - '38' Module(s) have been scanned

Scan process 'alg.exe' - '33' Module(s) have been scanned

Scan process 'mysqld-nt.exe' - '20' Module(s) have been scanned

Scan process 'svchost.exe' - '39' Module(s) have been scanned

Scan process 'jqs.exe' - '33' Module(s) have been scanned

Scan process 'avshadow.exe' - '26' Module(s) have been scanned

Scan process 'FreeAgentService.exe' - '37' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '29' Module(s) have been scanned

Scan process 'avguard.exe' - '54' Module(s) have been scanned

Scan process 'VersionCueCS2.exe' - '62' Module(s) have been scanned

Scan process 'WLanUtil.exe' - '35' Module(s) have been scanned

Scan process 'ctfmon.exe' - '25' Module(s) have been scanned

Scan process 'jusched.exe' - '20' Module(s) have been scanned

Scan process 'avgnt.exe' - '45' Module(s) have been scanned

Scan process 'stacsrv.exe' - '33' Module(s) have been scanned

Scan process 'VersionCueCS2Tray.exe' - '20' Module(s) have been scanned

Scan process 'StacSysTray.exe' - '29' Module(s) have been scanned

Scan process 'svchost.exe' - '33' Module(s) have been scanned

Scan process 'Explorer.EXE' - '107' Module(s) have been scanned

Scan process 'Ati2evxx.exe' - '20' Module(s) have been scanned

Scan process 'sched.exe' - '45' Module(s) have been scanned

Scan process 'sigservice.exe' - '21' Module(s) have been scanned

Scan process 'spoolsv.exe' - '62' Module(s) have been scanned

Scan process 'svchost.exe' - '40' Module(s) have been scanned

Scan process 'svchost.exe' - '30' Module(s) have been scanned

Scan process 'svchost.exe' - '173' Module(s) have been scanned

Scan process 'svchost.exe' - '38' Module(s) have been scanned

Scan process 'svchost.exe' - '53' Module(s) have been scanned

Scan process 'Ati2evxx.exe' - '15' Module(s) have been scanned

Scan process 'lsass.exe' - '58' Module(s) have been scanned

Scan process 'services.exe' - '27' Module(s) have been scanned

Scan process 'winlogon.exe' - '73' Module(s) have been scanned

Scan process 'csrss.exe' - '14' Module(s) have been scanned

Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Master boot sector HD1

[INFO] No virus was found!

Master boot sector HD2

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '1803' files ).

Starting the file scan:

Begin scan in 'C:\' <New Volume>

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\caequ.exe

[DETECTION] Is the TR/PSW.Zbot.116736.Y Trojan

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\evfoi.exe

[DETECTION] Is the TR/PSW.Zbot.116736.Y Trojan

C:\Program Files\7-Zip\Uninstall.exe

[WARNING] Insufficient memory. The file was not scanned.

C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\Touv\ylybd.exe.vir

[DETECTION] Is the TR/PSW.Zbot.116736.Y Trojan

C:\System Volume Information\_restore{E6C92DD5-2293-4E7E-A87E-7776BBF2347F}\RP14\A0007378.exe

[DETECTION] Is the TR/PSW.Zbot.116736.Y Trojan

Beginning disinfection:

C:\System Volume Information\_restore{E6C92DD5-2293-4E7E-A87E-7776BBF2347F}\RP14\A0007378.exe

[DETECTION] Is the TR/PSW.Zbot.116736.Y Trojan

[NOTE] The file was moved to the quarantine directory under the name '4ad850da.qua'.

C:\Qoobox\Quarantine\C\Documents and Settings\Rob\Application Data\Touv\ylybd.exe.vir

[DETECTION] Is the TR/PSW.Zbot.116736.Y Trojan

[NOTE] The file was moved to the quarantine directory under the name '52b67fb9.qua'.

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\evfoi.exe

[DETECTION] Is the TR/PSW.Zbot.116736.Y Trojan

[NOTE] The file was moved to the quarantine directory under the name '00de254b.qua'.

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\caequ.exe

[DETECTION] Is the TR/PSW.Zbot.116736.Y Trojan

[NOTE] The file was moved to the quarantine directory under the name '66ea6a64.qua'.

End of the scan: Thursday, July 01, 2010 13:01

Used time: 2:07:17 Hour(s)

The scan has been done completely.

15145 Scanned directories

590365 Files were scanned

4 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

4 Files were moved to quarantine

0 Files were renamed

0 Files cannot be scanned

590361 Files not concerned

4939 Archives were scanned

1 Warnings

4 Notes

636164 Objects were scanned with rootkit scan

25 Hidden objects were found

Thanks.


FYI, the only thing I've done since the last post was to update Adobe Acrobat 9. Since then, I have gotten 2 blue screens telling me the same thing:

fltmgr.sys has caused the problem

Not sure if I should restore to an earlier point or not. Any suggestions?

Still get the same "failed to install" when trying to update Windows.


This topic is now closed to further replies.